Sync from SUSE:SLFO:Main rtkit revision e2d47f656752217cacb050db1f1de5a5

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

_service

@@ -0,0 +1,14 @@
+<services>
+  <service mode="disabled" name="tar_scm">
+    <param name="url">https://git.0pointer.net/clone/rtkit.git</param>
+    <param name="scm">git</param>
+    <param name="changesgenerate">enable</param>
+    <param name="filename">rtkit</param>
+    <param name="versionformat">0.11+git.%cd</param>
+  </service>
+  <service mode="disabled" name="recompress">
+    <param name="file">*.tar</param>
+    <param name="compression">xz</param>
+  </service>
+  <service mode="disabled" name="set_version"/>
+</services>

_servicedata

@@ -0,0 +1,4 @@
+<servicedata>
+<service name="tar_scm">
+                <param name="url">http://git.0pointer.net/clone/rtkit.git</param>
+              <param name="changesrevision">6c28e20c0be2f616a025059fda0ffac84e7f4f17</param></service></servicedata>

harden_rtkit-daemon.service.patch

@@ -0,0 +1,23 @@
+Index: rtkit-0.13/rtkit-daemon.service.in
+===================================================================
+--- rtkit-0.13.orig/rtkit-daemon.service.in
++++ rtkit-0.13/rtkit-daemon.service.in
+@@ -25,6 +25,18 @@ BusName=org.freedesktop.RealtimeKit1
+ NotifyAccess=main
+ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID
+ PrivateNetwork=yes
++# added automatically, for details please see
++# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
++ProtectSystem=full
++ProtectHome=true
++PrivateDevices=true
++ProtectHostname=true
++ProtectClock=true
++ProtectKernelTunables=true
++ProtectKernelModules=true
++ProtectKernelLogs=true
++ProtectControlGroups=true
++# end of automatic additions 
+ 
+ [Install]
+ WantedBy=multi-user.target

rtkit-silent-debug-messages-by-default.patch

@@ -0,0 +1,71 @@
+From: Jean Delvare <jdelvare@suse.de>
+Subject: rtkit-daemon: Don't log debug messages by default
+References: bsc#1206745
+
+The rtkit-daemon service is a lot more verbose than other services
+when it doesn't have anything to do. Stop logging the debug messages
+by default to avoid flooding the system log.
+
+This addresses the following upstream issue:
+https://github.com/heftig/rtkit/issues/22
+---
+ rtkit-daemon.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- rtkit-0.13.orig/rtkit-daemon.c
++++ rtkit-0.13/rtkit-daemon.c
+@@ -154,6 +154,9 @@ static bool canary_demote_unknown = FALS
+ /* Log to stderr? */
+ static bool log_stderr = FALSE;
+ 
++/* Also log debugging messages? */
++static bool log_debug = FALSE;
++
+ /* Scheduling policy to use */
+ static int sched_policy = SCHED_RR;
+ 
+@@ -1876,6 +1879,7 @@ enum {
+         ARG_CANARY_DEMOTE_UNKNOWN,
+         ARG_CANARY_REFUSE_SEC,
+         ARG_STDERR,
++        ARG_DEBUG,
+         ARG_INTROSPECT
+ };
+ 
+@@ -1905,6 +1909,7 @@ static const struct option long_options[
+     { "canary-demote-unknown",       no_argument,       0, ARG_CANARY_DEMOTE_UNKNOWN },
+     { "canary-refuse-sec",           required_argument, 0, ARG_CANARY_REFUSE_SEC },
+     { "stderr",                      no_argument,       0, ARG_STDERR },
++    { "debug",                       no_argument,       0, ARG_DEBUG },
+     { "introspect",                  no_argument,       0, ARG_INTROSPECT },
+     { NULL, 0, 0, 0}
+ };
+@@ -1933,6 +1938,7 @@ static void show_help(const char *exe) {
+                "      --version                       Show version\n\n"
+                "OPTIONS:\n"
+                "      --stderr                        Log to STDERR in addition to syslog\n"
++               "      --debug                         Also log debugging mssages\n"
+                "      --user-name=USER                Run daemon as user (%s)\n\n"
+                "      --scheduling-policy=(RR|FIFO)   Choose scheduling policy (%s)\n"
+                "      --our-realtime-priority=[%i..%i] Realtime priority for the daemon (%u)\n"
+@@ -2222,6 +2228,10 @@ static int parse_command_line(int argc,
+                                 log_stderr = TRUE;
+                                 break;
+ 
++                        case ARG_DEBUG:
++                                log_debug = TRUE;
++                                break;
++
+                         case ARG_INTROSPECT:
+                                 fputs(introspect_xml, stdout);
+                                 *ret = 0;
+@@ -2251,6 +2261,9 @@ static int parse_command_line(int argc,
+                 return -1;
+         }
+ 
++	if (!log_debug)
++                setlogmask(LOG_UPTO(LOG_INFO));
++
+         assert(our_realtime_priority >= (unsigned) sched_get_priority_min(sched_policy));
+         assert(our_realtime_priority <= (unsigned) sched_get_priority_max(sched_policy));
+ 

rtkit.changes

@@ -0,0 +1,167 @@
+-------------------------------------------------------------------
+Fri Jun 23 11:30:20 UTC 2023 - Jean Delvare <jdelvare@suse.com>
+
+- rtkit-daemon: Don't log debug messages by default (bsc#1206745).
+  Added patch(es):
+  * rtkit-silent-debug-messages-by-default.patch
+
+-------------------------------------------------------------------
+Fri Dec 31 13:12:17 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
+
+- Change to using systemd-sysusers
+
+-------------------------------------------------------------------
+Tue Nov 16 10:49:44 UTC 2021 - Johannes Segitz <jsegitz@suse.com>
+
+- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
+  * harden_rtkit-daemon.service.patch
+
+-------------------------------------------------------------------
+Fri May 28 21:00:35 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Replace systemd-devel BuildRequires with pkgconfig(libsystemd):
+  allow OBS to shortcut through the systemd-mini flavors.
+
+-------------------------------------------------------------------
+Mon Mar  8 22:55:08 UTC 2021 - Dirk Müller <dmueller@suse.com>
+
+- update to 0.13:
+  * Link to libsystemd instead of shipping a copy of sd-daemon
+  * Move D-Bus policy to datadir
+  * Install the D-Bus interface description
+  * Other fixes accumulated over the years from various distributions
+  * Add meson build files (autotools stays available for now)
+  * Replace the use of as with xxd for including a file as a string, which avoids
+  * some pitfalls (#15 and portability problems). The tarball contains the
+  * resulting file, so xxd is not necessary when building using autotools
+  * Move rtkit-daemon.service from graphical.target to multi-user.target (#12)
+  * Make libsystemd an optional dependency (#13)
+
+-------------------------------------------------------------------
+Thu Nov 12 10:48:49 UTC 2020 - Fabian Vogt <fvogt@suse.com>
+
+- Use /var/lib/empty instead of /proc as home for the rtkit user
+- Use %license
+- Commit _servicedata to avoid updating on every commit
+
+-------------------------------------------------------------------
+Wed Jul 03 14:13:21 UTC 2019 - mliska@suse.cz
+
+- Update to version 0.11+git.20161005:
+  * Drop removed ControlGroup stanza
+  * systemd: update sd-daemon.[ch]
+  * build-sys: since clock_gettime() moved to libc use mq_open to check for librt
+  * Pass uid of caller to polkit
+  * systemd: update sd-daemon.[ch]
+  * git: update gitignore
+  * git: update .gitignore
+  * build-sys: modernize build system
+  * systemd: secure rtkit service a bit
+  * systemd: update unit file a bit
+- Drop rtkit-no-cpu-controlgroup.patch
+- Add -Wno-format-nonliteral -Wno-format-security to optflags in order
+  to prepare for -Werror of these warnings in openSUSE:Factory.
+
+-------------------------------------------------------------------
+Fri Dec  9 13:59:38 UTC 2016 - fbui@suse.com
+
+- Drop BR on libsystemd-daemon as rtkit uses a fancy way to reuse
+  systemd code :)
+
+-------------------------------------------------------------------
+Sun May  8 11:34:06 UTC 2016 - mpluskal@suse.com
+
+- Add proper provides/obsoletes due to small change in versioning
+
+-------------------------------------------------------------------
+Mon Apr 18 19:58:57 UTC 2016 - mpluskal@suse.com
+
+- Update to version 0.11+git.20130926:
+  * Pass uid of caller to polkit
+  * build-sys: since clock_gettime() moved to libc use mq_open to 
+    check for librt
+  * systemd: update sd-daemon.[ch]
+- Drop upstreamed patches
+  * rtkit-bnc836939.patch
+  * rtkit-use-system-sd-daemon.patch
+- Add _service
+- Cleanup spec file with spec-cleaner
+- Drop support for pre systemd ditributions
+- Add rc symlink for service
+- Use more strict ldflags
+
+-------------------------------------------------------------------
+Thu Jan  1 21:49:33 UTC 2015 - meissner@suse.com
+
+- build with PIE
+
+-------------------------------------------------------------------
+Sun Nov 09 23:38:00 UTC 2014 - Led <ledest@gmail.com>
+
+- fix bashism in pre script
+
+-------------------------------------------------------------------
+Thu Feb 27 13:28:28 UTC 2014 - meissner@suse.com
+
+- rtkit-no-cpu-controlgroup.patch: do not specify the cpu: ControlGroup,
+  unsupported by systemd currently. bnc#847948
+
+-------------------------------------------------------------------
+Fri Sep 27 22:21:16 UTC 2013 - sreeves@suse.com
+
+- Add rtkit-bnc836939.patch
+  Fix bnc#836939 - use of insecure polkit DBUS API. CVE-2013-4326
+
+-------------------------------------------------------------------
+Wed Oct 17 14:13:55 UTC 2012 - fcrozat@suse.com
+
+- Don't buildrequires systemd, it is pulled by
+  pkgconfig(libsystemd-daemon), fixes conflict when bootstrapping
+  with systemd-mini packages.
+
+-------------------------------------------------------------------
+Sun Sep 23 13:48:55 UTC 2012 - crrodriguez@opensuse.org
+
+- rtkit-use-system-sd-daemon.patch Use system sddaemon libs. 
+
+-------------------------------------------------------------------
+Sun Sep 23 03:47:35 UTC 2012 - crrodriguez@opensuse.org
+
+- Update to version 0.11.x, not much has changed other
+  than systemd related updates/improvements. 
+
+-------------------------------------------------------------------
+Tue Dec 20 21:08:37 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Thu Dec  8 13:52:01 UTC 2011 - coolo@suse.com
+
+- fix license to be in spdx.org format
+
+-------------------------------------------------------------------
+Fri Dec  2 04:21:25 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 0.10.x 
+ * fix annoying warning 
+   Failed to make ourselves RT: Invalid argument [bnc#551777]
+ * activation is now done with systemd if possible
+
+-------------------------------------------------------------------
+Sun Oct 31 12:37:02 UTC 2010 - jengelh@medozas.de
+
+- Use %_smp_mflags
+
+-------------------------------------------------------------------
+Mon Jan 25 21:46:13 UTC 2010 - sreeves@novell.com
+
+- Update to version 0.5 
+  + By default don't demote unknown threads
+- bnc#572989 - change to /bin/false
+
+-------------------------------------------------------------------
+Fri Aug 14 17:56:43 CEST 2009 - sreeves@novell.com
+
+- Initial package
+

rtkit.spec

@@ -0,0 +1,109 @@
+#
+# spec file for package rtkit
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           rtkit
+Version:        0.13
+Release:        0
+Summary:        Realtime Policy and Watchdog Daemon
+# The daemon itself is GPL v3 or later, the reference implementation for
+# the client BSD-3-Clause
+License:        BSD-3-Clause AND GPL-3.0-or-later
+Group:          System/Base
+URL:            https://github.com/heftig/rtkit
+Source:         https://github.com/heftig/rtkit/releases/download/v%{version}/rtkit-%{version}.tar.xz
+Source1:        rtkit.sysusers
+Patch0:         harden_rtkit-daemon.service.patch
+Patch1:         rtkit-silent-debug-messages-by-default.patch
+BuildRequires:  automake
+BuildRequires:  libcap-devel
+BuildRequires:  pkg-config
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
+BuildRequires:  vim
+BuildRequires:  xz
+BuildRequires:  pkgconfig(dbus-1) >= 1.2
+BuildRequires:  pkgconfig(libsystemd)
+BuildRequires:  pkgconfig(polkit-agent-1)
+BuildRequires:  pkgconfig(polkit-gobject-1)
+Requires:       polkit
+Requires(pre):  dbus-1
+%sysusers_requires
+
+%description
+RealtimeKit is a D-Bus system service that changes the scheduling policy of
+user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on
+request. It is intended to be used as a secure mechanism to allow real-time
+scheduling to be used by normal user processes.
+
+%prep
+%setup -q
+%patch0 -p1
+%patch1 -p1
+
+%build
+%sysusers_generate_pre %{SOURCE1} rtkit rtkit.conf
+autoreconf -fiv
+export CFLAGS="%{optflags} -fPIE -Wno-format-nonliteral -Wno-format-security"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie"
+%configure \
+  --disable-silent-rules \
+  --with-systemdsystemunitdir=%{_unitdir} \
+  --libexecdir=%{_libexecdir}/rtkit
+
+make %{?_smp_mflags}
+./rtkit-daemon --introspect > org.freedesktop.RealtimeKit1.xml
+
+%install
+make %{?_smp_mflags} DESTDIR=%{buildroot} install
+ln -sv %{_sbindir}/service %{buildroot}%{_sbindir}/rcrtkit-daemon
+install -D -m 0644 org.freedesktop.RealtimeKit1.xml %{buildroot}/%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
+install -Dm0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/rtkit.conf
+
+%preun
+%service_del_preun rtkit-daemon.service
+
+%pre -f rtkit.pre
+%service_add_pre rtkit-daemon.service
+
+%post
+dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig >/dev/null 2>&1 || :
+%service_add_post rtkit-daemon.service
+
+%postun
+%service_del_postun rtkit-daemon.service
+
+%files
+%defattr(0644,root,root,0755)
+%license GPL LICENSE
+%doc README rtkit.c rtkit.h
+%attr(0755,root,root) %{_sbindir}/rtkitctl
+%dir %{_libexecdir}/rtkit
+%dir %{_libexecdir}/rtkit/installed-tests
+%dir %{_libexecdir}/rtkit/installed-tests/rtkit
+%attr(0755,root,root) %{_libexecdir}/rtkit/rtkit-daemon
+%{_libexecdir}/rtkit/installed-tests/rtkit/rtkit-test
+%{_datadir}/dbus-1/system-services/org.freedesktop.RealtimeKit1.service
+%{_datadir}/dbus-1/interfaces/org.freedesktop.RealtimeKit1.xml
+%{_datadir}/polkit-1/actions/org.freedesktop.RealtimeKit1.policy
+%{_datadir}/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf
+%{_mandir}/man8/rtkitctl.8%{ext_man}
+%{_sbindir}/rcrtkit-daemon
+%{_unitdir}/rtkit-daemon.service
+%{_sysusersdir}/rtkit.conf
+
+%changelog

rtkit.sysusers

@@ -0,0 +1,2 @@
+#Type Name  ID GECOS         Home directory Shell
+u     rtkit -  'RealtimeKit' /var/lib/empty -