diff --git a/0003-Drop-support-for-efivar-SystemdOptions.patch b/0003-Drop-support-for-efivar-SystemdOptions.patch
new file mode 100644
index 0000000..75cef1d
--- /dev/null
+++ b/0003-Drop-support-for-efivar-SystemdOptions.patch
@@ -0,0 +1,80 @@ +From 72d766c5a17fc31902b367e949c4d90193f823b9 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 22 Mar 2024 12:07:34 +0100 +Subject: [PATCH] Drop support for efivar SystemdOptions + +Upstream deprecated it and plan to drop it in the future. + +Let's get ahead and drop it now as this feature might be used to gain access to +encrypted SLEM systems with unattended disk unlock and with secure boot +disabled. + +[fbui: fixes bsc#1220338] +--- + src/basic/efivars.c | 27 ++++++-------------------- + src/boot/bootctl-systemd-efi-options.c | 4 ++++ + 2 files changed, 10 insertions(+), 21 deletions(-) + +diff --git a/src/basic/efivars.c b/src/basic/efivars.c +index 9011ae29a3..01ab7e5092 100644 +--- a/src/basic/efivars.c ++++ b/src/basic/efivars.c +@@ -351,29 +351,14 @@ SecureBootMode efi_get_secure_boot_mode(void) { + } + + static int read_efi_options_variable(char **ret) { +- int r; + +- /* In SecureBoot mode this is probably not what you want. As your cmdline is cryptographically signed +- * like when using Type #2 EFI Unified Kernel Images (https://uapi-group.org/specifications/specs/boot_loader_specification) +- * The user's intention is then that the cmdline should not be modified. You want to make sure that +- * the system starts up as exactly specified in the signed artifact. +- * +- * (NB: For testing purposes, we still check the $SYSTEMD_EFI_OPTIONS env var before accessing this +- * cache, even when in SecureBoot mode.) */ +- if (is_efi_secure_boot()) { +- /* Let's be helpful with the returned error and check if the variable exists at all. If it +- * does, let's return a recognizable error (EPERM), and if not ENODATA. */ +- +- if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0) +- return errno == ENOENT ? 
-ENODATA : -errno; +- +- return -EPERM; +- } ++ /* For SUSE distros, support for SystemdOptions has already been dropped as it might be a security ++ * concern for systems with unattended disk unlock and with disabled secure boot. */ + +- r = efi_get_variable_string(EFI_SYSTEMD_VARIABLE(SystemdOptions), ret); +- if (r == -ENOENT) +- return -ENODATA; +- return r; ++ if (access(EFIVAR_PATH(EFI_SYSTEMD_VARIABLE(SystemdOptions)), F_OK) < 0) ++ return errno == ENOENT ? -ENODATA : -errno; ++ ++ return log_warning_errno(SYNTHETIC_ERRNO(EPERM), "Boot options passed via SystemdOptions EFI variable is no more supported, ignoring: %m"); + } + + int cache_efi_options_variable(void) { +diff --git a/src/boot/bootctl-systemd-efi-options.c b/src/boot/bootctl-systemd-efi-options.c +index 7f8308fc3d..216b99546f 100644 +--- a/src/boot/bootctl-systemd-efi-options.c ++++ b/src/boot/bootctl-systemd-efi-options.c +@@ -6,6 +6,7 @@ + #include "efi-loader.h" + + int verb_systemd_efi_options(int argc, char *argv[], void *userdata) { ++#if 0 + int r; + + /* This is obsolete and subject to removal */ +@@ -40,4 +41,7 @@ int verb_systemd_efi_options(int argc, char *argv[], void *userdata) { + } + + return 0; ++#else ++ return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for the SystemdOptions EFI variable has been dropped."); ++#endif + } +-- +2.35.3 + diff --git a/5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch b/5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch new file mode 100644 index 0000000..d52ffb3 --- /dev/null +++ b/5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch 
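Review bot: The rebuilt read_efi_options_variable() both logs with log_warning_errno() and returns -EPERM, so a caller that already logs on a negative return would report the refusal twice; cache_efi_options_variable() starts right after this function but its body is outside the hunk, so this is worth confirming before merging. The message wording is also off — `"Boot options passed via the SystemdOptions EFI variable are no longer supported, ignoring: %m"` reads better — and since `ret` is never written any more, a one-line comment stating that `*ret` is left untouched on failure would document the new contract. The removed comment described a $SYSTEMD_EFI_OPTIONS override that is consulted before this cache; that path lives outside the hunk, so verifying that the override cannot re-enable what this patch disables would complete the hardening the patch aims at. In bootctl-systemd-efi-options.c, keeping the old verb body under `#if 0` leaves dead code and an unused `int r`; dropping the old body and keeping only the EOPNOTSUPP return would be cleaner.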
@@ -0,0 +1,432 @@ +From 6e10bdf37ad6b318de9a37416a3a80656d407006 Mon Sep 17 00:00:00 2001 +From: Lukas Nykryn +Date: Fri, 8 Dec 2023 12:33:06 +0100 +Subject: [PATCH 5004/5004] udev: allow/denylist for reading sysfs attributes + when composing a NIC name + +Users can currently pick specific versions of NIC naming, but that +does not guarantee that NIC names won't change after the kernel adds +a new sysfs attribute. + +This patch allows for an allow/deny list of sysfs attributes +that could be used when composing the name. + +These lists can be supplied as an hwdb entry in the form of +/etc/udev/hwdb.d/50-net-naming-allowlist.hwdb +net:naming:drvirtio_net + ID_NET_NAME_ALLOW=0 + ID_NET_NAME_ALLOW_ACPI_INDEX=1 + ID_NET_NAME_ALLOW_ADDR_ASSIGN_TYPE=1 + ID_NET_NAME_ALLOW_ADDRESS=1 + ID_NET_NAME_ALLOW_ARI_ENABLED=1 + ID_NET_NAME_ALLOW_DEV_PORT=1 + ID_NET_NAME_ALLOW_FUNCTION_ID=1 + ID_NET_NAME_ALLOW_IFLINK=1 + ID_NET_NAME_ALLOW_INDEX=1 + ID_NET_NAME_ALLOW_LABEL=1 + ID_NET_NAME_ALLOW_PHYS_PORT_NAME=1 + ID_NET_NAME_ALLOW_TYPE=1 + +(cherry picked from commit 3b2e7dc5a285edbbb1bf6aed2d88b889d801613f) + +[fbui: adjust context] +[fbui: fixes bsc#1234015] +--- + man/systemd.net-naming-scheme.xml | 69 ++++++++++++++++++++++++++ + rules.d/75-net-description.rules | 2 + + src/shared/netif-naming-scheme.c | 81 +++++++++++++++++++++++++++++++ + src/shared/netif-naming-scheme.h | 7 +++ + src/udev/udev-builtin-net_id.c | 38 +++++++-------- + 5 files changed, 178 insertions(+), 19 deletions(-) + +diff --git a/man/systemd.net-naming-scheme.xml b/man/systemd.net-naming-scheme.xml +index 3d997535d4..a8e23b1862 100644 +--- a/man/systemd.net-naming-scheme.xml ++++ b/man/systemd.net-naming-scheme.xml +@@ -485,6 +485,45 @@ + particular version of systemd). + + ++ ++ Limiting the use of specific sysfs attributes ++ ++ When creating names for network cards, some naming schemes use data from sysfs populated ++ by the kernel. 
This means that although a specific naming scheme in udev is picked, ++ the network card's name can still change when a new kernel version adds a new sysfs attribute. ++ For example if kernel starts setting the phys_port_name, udev will append the ++ "nphys_port_name" suffix to the device name. ++ ++ ++ ++ ID_NET_NAME_ALLOW=BOOL ++ ++ This evironment value sets a fallback policy for reading a sysfs attribute. ++ If set to 0 udev will not read any sysfs attribute by default, unless it is ++ explicitly allowlisted, see below. If set to 1 udev can use any sysfs attribute ++ unless it is explicitly forbidden. The default value is 1. ++ ++ ++ ++ ++ ++ ID_NET_NAME_ALLOW_sysfsattr=BOOL ++ ++ This evironment value explicitly states if udev shall use the specified ++ sysfsattr, when composing the device name. ++ ++ ++ ++ ++ ++ With these options, users can set an allowlist or denylist for sysfs attributes. To create ++ an allowlist, the user needs to set ID_NET_NAME_ALLOW=0 for the device and then list ++ the allowed attributes with the ++ ID_NET_NAME_ALLOW_sysfsattr=1 ++ options. In case of a denylist, the user needs to provide the list of denied attributes with ++ the ID_NET_NAME_ALLOW_sysfsattr=0 options. 
++ ++ + + Examples + +@@ -571,6 +610,36 @@ ID_NET_NAME_PATH=enp0s29u1u2 + ID_NET_NAME_MAC=enx026d3c00000a + ID_NET_NAME_PATH=encf5f0 + ++ ++ ++ Set an allowlist for reading sysfs attributes for network card naming ++ ++ /etc/udev/hwdb.d/50-net-naming-allowlist.hwdb ++net:naming:drvirtio_net:* ++ ID_NET_NAME_ALLOW=0 ++ ID_NET_NAME_ALLOW_ACPI_INDEX=1 ++ ID_NET_NAME_ALLOW_ADDR_ASSIGN_TYPE=1 ++ ID_NET_NAME_ALLOW_ADDRESS=1 ++ ID_NET_NAME_ALLOW_ARI_ENABLED=1 ++ ID_NET_NAME_ALLOW_DEV_PORT=1 ++ ID_NET_NAME_ALLOW_FUNCTION_ID=1 ++ ID_NET_NAME_ALLOW_IFLINK=1 ++ ID_NET_NAME_ALLOW_INDEX=1 ++ ID_NET_NAME_ALLOW_LABEL=1 ++ ID_NET_NAME_ALLOW_PHYS_PORT_NAME=1 ++ ID_NET_NAME_ALLOW_TYPE=1 ++ ++ ++ ++ Set a denylist so that specified sysfs attribute are ignored ++ ++ /etc/udev/hwdb.d/50-net-naming-denylist.hwdb ++net:naming:drvirtio_net:* ++ ID_NET_NAME_ALLOW=1 ++ ID_NET_NAME_ALLOW_DEV_PORT=0 ++ ID_NET_NAME_ALLOW_PHYS_PORT_NAME=0 ++ ++ + + + +diff --git a/rules.d/75-net-description.rules b/rules.d/75-net-description.rules +index 7e62f8b26b..5ba70a6545 100644 +--- a/rules.d/75-net-description.rules ++++ b/rules.d/75-net-description.rules +@@ -3,6 +3,8 @@ + ACTION=="remove", GOTO="net_end" + SUBSYSTEM!="net", GOTO="net_end" + ++IMPORT{builtin}="hwdb 'net:naming:dr$env{ID_NET_DRIVER}:'" ++ + IMPORT{builtin}="net_id" + + SUBSYSTEMS=="usb", IMPORT{builtin}="usb_id", IMPORT{builtin}="hwdb --subsystem=usb" +diff --git a/src/shared/netif-naming-scheme.c b/src/shared/netif-naming-scheme.c +index b6a97527d8..77c0bcd57a 100644 +--- a/src/shared/netif-naming-scheme.c ++++ b/src/shared/netif-naming-scheme.c +@@ -1,6 +1,9 @@ + /* SPDX-License-Identifier: LGPL-2.1-or-later */ + ++#include "sd-device.h" ++ + #include "alloc-util.h" ++#include "device-private.h" + #include "netif-naming-scheme.h" + #include "proc-cmdline.h" + #include "string-util.h" +@@ -106,3 +109,81 @@ static const char* const alternative_names_policy_table[_NAMEPOLICY_MAX] = { + }; + + 
DEFINE_STRING_TABLE_LOOKUP(alternative_names_policy, NamePolicy); ++ ++static int naming_sysattr_allowed_by_default(sd_device *dev) { ++ int r; ++ ++ assert(dev); ++ ++ r = device_get_property_bool(dev, "ID_NET_NAME_ALLOW"); ++ if (r == -ENOENT) ++ return true; ++ ++ return r; ++} ++ ++static int naming_sysattr_allowed(sd_device *dev, const char *sysattr) { ++ char *sysattr_property; ++ int r; ++ ++ assert(dev); ++ assert(sysattr); ++ ++ sysattr_property = strjoina("ID_NET_NAME_ALLOW_", sysattr); ++ ascii_strupper(sysattr_property); ++ ++ r = device_get_property_bool(dev, sysattr_property); ++ if (r == -ENOENT) ++ /* If ID_NET_NAME_ALLOW is not set or set to 1 default is to allow */ ++ return naming_sysattr_allowed_by_default(dev); ++ ++ return r; ++} ++ ++int device_get_sysattr_int_filtered(sd_device *device, const char *sysattr, int *ret_value) { ++ int r; ++ ++ r = naming_sysattr_allowed(device, sysattr); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return -ENOENT; ++ ++ return device_get_sysattr_int(device, sysattr, ret_value); ++} ++ ++int device_get_sysattr_unsigned_filtered(sd_device *device, const char *sysattr, unsigned *ret_value) { ++ int r; ++ ++ r = naming_sysattr_allowed(device, sysattr); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return -ENOENT; ++ ++ return device_get_sysattr_unsigned(device, sysattr, ret_value); ++} ++ ++int device_get_sysattr_bool_filtered(sd_device *device, const char *sysattr) { ++ int r; ++ ++ r = naming_sysattr_allowed(device, sysattr); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return -ENOENT; ++ ++ return device_get_sysattr_bool(device, sysattr); ++} ++ ++int device_get_sysattr_value_filtered(sd_device *device, const char *sysattr, const char **ret_value) { ++ int r; ++ ++ r = naming_sysattr_allowed(device, sysattr); ++ if (r < 0) ++ return r; ++ if (r == 0) ++ return -ENOENT; ++ ++ return sd_device_get_sysattr_value(device, sysattr, ret_value); ++} +diff --git a/src/shared/netif-naming-scheme.h 
b/src/shared/netif-naming-scheme.h +index 707c0d26f3..03dc854786 100644 +--- a/src/shared/netif-naming-scheme.h ++++ b/src/shared/netif-naming-scheme.h +@@ -3,6 +3,8 @@ + + #include + ++#include "sd-device.h" ++ + #include "macro.h" + + /* So here's the deal: net_id is supposed to be an exercise in providing stable names for network devices. However, we +@@ -90,3 +92,8 @@ NamePolicy name_policy_from_string(const char *p) _pure_; + + const char *alternative_names_policy_to_string(NamePolicy p) _const_; + NamePolicy alternative_names_policy_from_string(const char *p) _pure_; ++ ++int device_get_sysattr_int_filtered(sd_device *device, const char *sysattr, int *ret_value); ++int device_get_sysattr_unsigned_filtered(sd_device *device, const char *sysattr, unsigned *ret_value); ++int device_get_sysattr_bool_filtered(sd_device *device, const char *sysattr); ++int device_get_sysattr_value_filtered(sd_device *device, const char *sysattr, const char **ret_value); +diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c +index 7eaaf9530e..1997053eb9 100644 +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -145,7 +145,7 @@ static int get_dev_port(sd_device *dev, bool fallback_to_dev_id, unsigned *ret) + + /* Get kernel provided port index for the case when multiple ports on a single PCI function. 
*/ + +- r = device_get_sysattr_unsigned(dev, "dev_port", &v); ++ r = device_get_sysattr_unsigned_filtered(dev, "dev_port", &v); + if (r < 0) + return r; + if (r > 0) { +@@ -161,7 +161,7 @@ static int get_dev_port(sd_device *dev, bool fallback_to_dev_id, unsigned *ret) + if (fallback_to_dev_id) { + unsigned iftype; + +- r = device_get_sysattr_unsigned(dev, "type", &iftype); ++ r = device_get_sysattr_unsigned_filtered(dev, "type", &iftype); + if (r < 0) + return r; + +@@ -169,7 +169,7 @@ static int get_dev_port(sd_device *dev, bool fallback_to_dev_id, unsigned *ret) + } + + if (fallback_to_dev_id) +- return device_get_sysattr_unsigned(dev, "dev_id", ret); ++ return device_get_sysattr_unsigned_filtered(dev, "dev_id", ret); + + /* Otherwise, return the original index 0. */ + *ret = 0; +@@ -186,7 +186,7 @@ static int get_port_specifier(sd_device *dev, bool fallback_to_dev_id, char **re + assert(ret); + + /* First, try to use the kernel provided front panel port name for multiple port PCI device. 
*/ +- r = sd_device_get_sysattr_value(dev, "phys_port_name", &phys_port_name); ++ r = device_get_sysattr_value_filtered(dev, "phys_port_name", &phys_port_name); + if (r >= 0 && !isempty(phys_port_name)) { + if (naming_scheme_has(NAMING_SR_IOV_R)) { + int vf_id = -1; +@@ -248,10 +248,10 @@ static int pci_get_onboard_index(sd_device *dev, unsigned *ret) { + assert(ret); + + /* ACPI _DSM — device specific method for naming a PCI or PCI Express device */ +- r = device_get_sysattr_unsigned(dev, "acpi_index", &idx); ++ r = device_get_sysattr_unsigned_filtered(dev, "acpi_index", &idx); + if (r < 0) + /* SMBIOS type 41 — Onboard Devices Extended Information */ +- r = device_get_sysattr_unsigned(dev, "index", &idx); ++ r = device_get_sysattr_unsigned_filtered(dev, "index", &idx); + if (r < 0) + return r; + +@@ -291,7 +291,7 @@ static int dev_pci_onboard(sd_device *dev, const LinkInfo *info, NetNames *names + idx, strna(port), + special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), empty_to_na(names->pci_onboard)); + +- if (sd_device_get_sysattr_value(names->pcidev, "label", &names->pci_onboard_label) >= 0) ++ if (device_get_sysattr_value_filtered(names->pcidev, "label", &names->pci_onboard_label) >= 0) + log_device_debug(dev, "Onboard label from PCI device: %s", names->pci_onboard_label); + else + names->pci_onboard_label = NULL; +@@ -328,7 +328,7 @@ static int is_pci_multifunction(sd_device *dev) { + static bool is_pci_ari_enabled(sd_device *dev) { + const char *a; + +- if (sd_device_get_sysattr_value(dev, "ari_enabled", &a) < 0) ++ if (device_get_sysattr_value_filtered(dev, "ari_enabled", &a) < 0) + return false; + + return streq(a, "1"); +@@ -337,7 +337,7 @@ static bool is_pci_ari_enabled(sd_device *dev) { + static bool is_pci_bridge(sd_device *dev) { + const char *v, *p; + +- if (sd_device_get_sysattr_value(dev, "modalias", &v) < 0) ++ if (device_get_sysattr_value_filtered(dev, "modalias", &v) < 0) + return false; + + if (!startswith(v, "pci:")) +@@ -377,7 +377,7 @@ static int 
parse_hotplug_slot_from_function_id(sd_device *dev, int slots_dirfd, + if (!naming_scheme_has(NAMING_SLOT_FUNCTION_ID)) + return 0; + +- if (sd_device_get_sysattr_value(dev, "function_id", &attr) < 0) ++ if (device_get_sysattr_value_filtered(dev, "function_id", &attr) < 0) + return 0; + + r = safe_atou64(attr, &function_id); +@@ -438,7 +438,7 @@ static int pci_get_hotplug_slot_from_address( + if (!path) + return -ENOMEM; + +- if (sd_device_get_sysattr_value(pci, path, &address) < 0) ++ if (device_get_sysattr_value_filtered(pci, path, &address) < 0) + continue; + + /* match slot address with device by stripping the function */ +@@ -787,7 +787,7 @@ static int names_devicetree(sd_device *dev, const char *prefix, bool test) { + if (!alias_index) + continue; + +- if (sd_device_get_sysattr_value(aliases_dev, alias, &alias_path) < 0) ++ if (device_get_sysattr_value_filtered(aliases_dev, alias, &alias_path) < 0) + continue; + + if (!path_equal(ofnode_path, alias_path)) +@@ -806,7 +806,7 @@ static int names_devicetree(sd_device *dev, const char *prefix, bool test) { + } + + /* ...but make sure we don't have an alias conflict */ +- if (i == 0 && sd_device_get_sysattr_value(aliases_dev, conflict, NULL) >= 0) ++ if (i == 0 && device_get_sysattr_value_filtered(aliases_dev, conflict, NULL) >= 0) + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EEXIST), + "Ethernet alias conflict: ethernet and ethernet0 both exist"); + +@@ -1077,7 +1077,7 @@ static int names_mac(sd_device *dev, const char *prefix, bool test) { + assert(dev); + assert(prefix); + +- r = device_get_sysattr_unsigned(dev, "type", &iftype); ++ r = device_get_sysattr_unsigned_filtered(dev, "type", &iftype); + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to read 'type' attribute: %m"); + +@@ -1089,7 +1089,7 @@ static int names_mac(sd_device *dev, const char *prefix, bool test) { + "Not generating MAC name for infiniband device."); + + /* check for NET_ADDR_PERM, skip random MAC addresses */ +- r = 
device_get_sysattr_unsigned(dev, "addr_assign_type", &assign_type); ++ r = device_get_sysattr_unsigned_filtered(dev, "addr_assign_type", &assign_type); + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to read/parse addr_assign_type: %m"); + +@@ -1097,7 +1097,7 @@ static int names_mac(sd_device *dev, const char *prefix, bool test) { + return log_device_debug_errno(dev, SYNTHETIC_ERRNO(EINVAL), + "addr_assign_type=%u, MAC address is not permanent.", assign_type); + +- r = sd_device_get_sysattr_value(dev, "address", &s); ++ r = device_get_sysattr_value_filtered(dev, "address", &s); + if (r < 0) + return log_device_debug_errno(dev, r, "Failed to read 'address' attribute: %m"); + +@@ -1147,7 +1147,7 @@ static int names_netdevsim(sd_device *dev, const char *prefix, bool test) { + if (r < 0) + return r; + +- r = sd_device_get_sysattr_value(dev, "phys_port_name", &phys_port_name); ++ r = device_get_sysattr_value_filtered(dev, "phys_port_name", &phys_port_name); + if (r < 0) + return r; + if (isempty(phys_port_name)) +@@ -1227,7 +1227,7 @@ static int get_ifname_prefix(sd_device *dev, const char **ret) { + assert(dev); + assert(ret); + +- r = device_get_sysattr_unsigned(dev, "type", &iftype); ++ r = device_get_sysattr_unsigned_filtered(dev, "type", &iftype); + if (r < 0) + return r; + +@@ -1274,7 +1274,7 @@ static int get_link_info(sd_device *dev, LinkInfo *info) { + if (r < 0) + return r; + +- r = device_get_sysattr_int(dev, "iflink", &info->iflink); ++ r = device_get_sysattr_int_filtered(dev, "iflink", &info->iflink); + if (r < 0) + return r; + +-- +2.43.0 + diff --git a/systemd-v254.20+suse.53.ga3aa27ac66.tar.xz b/systemd-v254.20+suse.53.ga3aa27ac66.tar.xz deleted file mode 100644 index 58b4181..0000000 --- a/systemd-v254.20+suse.53.ga3aa27ac66.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:61c61924b1845843012ed1649a440de439f6fc48dd87ff42363877fcc40458da -size 10544548 
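Review bot: naming_sysattr_allowed() looks the ID_NET_NAME_ALLOW* properties up on the device whose sysattr is being read, but the hwdb import added to 75-net-description.rules runs for the net device, so for the reads in this patch that visibly target another device — `label` on `names->pcidev`, the slot `path` on `pci`, the devicetree aliases on `aliases_dev` — the lookup will normally hit -ENOENT and fall back to the default, which would make the documented ACPI_INDEX/ARI_ENABLED/LABEL/FUNCTION_ID entries ineffective unless those properties are also propagated to the parent; whether the remaining call sites receive the net device or a parent is not visible in the hunk and should be checked. Attribute names that are built as paths (the `path` passed in pci_get_hotplug_slot_from_address() looks like one) yield property names containing `/` that cannot be expressed as an hwdb key, so those reads can only ever be governed by the global ID_NET_NAME_ALLOW default, which deserves a comment in naming_sysattr_allowed(). The four *_filtered wrappers also turn an unparsable ID_NET_NAME_ALLOW* value (device_get_property_bool() returning a negative error other than -ENOENT) into a silent naming failure; a `log_device_debug_errno(dev, r, "Failed to parse %s, ignoring sysattr: %m", sysattr_property)` before propagating it in naming_sysattr_allowed() would make a typo in the hwdb much easier to diagnose. The man page text in the same hunk has "evironment" twice and "specified sysfs attribute are ignored" for "attributes".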
diff --git a/systemd-v254.22+suse.74.g8752ef2f25.tar.xz b/systemd-v254.22+suse.74.g8752ef2f25.tar.xz
new file mode 100644
index 0000000..54e318b
--- /dev/null
+++ b/systemd-v254.22+suse.74.g8752ef2f25.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d562d80ec5fcf97e1f4fcf632ff291d3faf41f29f5afe25c98fadc32df5110b
+size 10555076
diff --git a/systemd.changes b/systemd.changes
index 14fc874..a1aa1be 100644
--- a/systemd.changes
+++ b/systemd.changes
@@ -1,3 +1,72 @@ +------------------------------------------------------------------- +Mon Dec 23 09:00:16 UTC 2024 - Franck Bui + +- Import commit 8752ef2f258c62470bef3bb24ca1ef3a969ac474 (merge of v254.22) + + This merge includes the following fix: + + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/e107182cb3dd1702b291d0455bdabcb7db28e537...8752ef2f258c62470bef3bb24ca1ef3a969ac474 + +------------------------------------------------------------------- +Mon Dec 16 09:45:24 UTC 2024 - Franck Bui + +- Add 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch (bsc#1234015) + + Temporarily add this patch. It will be integrated in the git repository if no + issues are reported in the coming months. + +------------------------------------------------------------------- +Mon Dec 16 09:19:48 UTC 2024 - Franck Bui + +- Import commit 807fe764111b5a74cc8618b8e4ec437a0dec91ff + + 807fe76411 udev: add new builtin net_driver + 3a48b5f21d udev-builtin-net_id: split-out pci_get_onboard_index() from dev_pci_onboard() + 5359c1d6d4 udev-builtin-net_id: split-out get_pci_slot_specifiers() + 1cd915ac7b udev-builtin-net_id: introduce get_port_specifier() helper function + 72a4218155 udev-builtin-net_id: split out get_dev_port() and make its failure critical + f6c721b4da udev-builtin-net_id: split-out pci_get_hotplug_slot() and pci_get_hotplug_slot_from_address() + 9e16c3cf27 udev-builtin-net_id: return earlier when hotplug slot is not found + 4851355767 udev-builtin-net_id: skip non-directory entry earlier + a571e5f1dd udev-builtin-net_id: make names_xen() self-contained + 9acc241d5f udev-builtin-net_id: use sd_device_get_sysnum() to get index of netdevsim + ca8a431b55 udev-builtin-net_id: make names_netdevsim() self-contained + a66251d666 udev-builtin-net_id: make names_platform() self-contained + 1e834d7157 udev-builtin-net_id: make names_vio() self-contained + 8b236dcd7a udev-builtin-net_id: make names_ccw() self-contained + 7d70e2fa7d 
udev-builtin-net_id: make dev_devicetree_onboard() self-contained + 46158a6e91 udev-builtin-net_id: make names_mac() self-contained + 7789e7f886 udev-builtin-net_id: split out get_ifname_prefix() + 9b0062a667 udev-builtin-net_id: swap arguments for streq() and friends + 181a775b40 udev-builtin-net_id: drop unused value from NetNameType + + Refactoring to prepare for backporting the filtering mechanism of specific + sysfs attributes during predictable NIC name generation. + +------------------------------------------------------------------- +Tue Dec 3 13:56:36 UTC 2024 - Franck Bui + +- Add 0003-Drop-support-for-efivar-SystemdOptions.patch (bsc#1220338) + + Upstream deprecated it and plan to drop it in the future. + + Let's get ahead and drop it now as this feature is unlikely to be used on SUSE + distros and it might be used to gain access to encrypted SLEM systems with + unattended disk unlock and with secure boot disabled. + +------------------------------------------------------------------- +Tue Dec 3 09:52:45 UTC 2024 - Franck Bui + +- Import commit e107182cb3dd1702b291d0455bdabcb7db28e537 (merge of v254.21) + + This merge includes the following fix: + + a467a411f pid1: make clear that $WATCHDOG_USEC is set for the shutdown binary, noone else (bsc#1232227) + + For a complete list of changes, visit: + https://github.com/openSUSE/systemd/compare/a3aa27ac6649cb096b3c87c8ac61a6950bfa3567...e107182cb3dd1702b291d0455bdabcb7db28e537 + ------------------------------------------------------------------- Wed Nov 27 08:43:39 UTC 2024 - Franck Bui diff --git a/systemd.spec b/systemd.spec index 9fb347d..6ef873b 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -18,14 +18,14 @@ %global flavor @BUILD_FLAVOR@%{nil} -%define archive_version +suse.53.ga3aa27ac66 +%define archive_version +suse.74.g8752ef2f25 %if 0%{?version_override} %define systemd_major %version_override %define systemd_minor %{nil} %else %define systemd_major 254 -%define systemd_minor 20 +%define systemd_minor 22 %endif %define systemd_version %{systemd_major}%{?systemd_minor:.%{systemd_minor}} @@ -209,6 +209,7 @@ Source212: files.portable # get rid of one of them ! # Patch1: 0001-udev-restore-some-legacy-symlinks-to-maintain-backwa.patch +Patch2: 0003-Drop-support-for-efivar-SystemdOptions.patch Patch3: 0009-pid1-handle-console-specificities-weirdness-for-s390.patch %if %{with sysvcompat} Patch4: 0002-rc-local-fix-ordering-startup-for-etc-init.d-boot.lo.patch @@ -225,6 +226,7 @@ Patch5001: 5001-Revert-udev-update-devlink-with-the-newer-device-nod.patch Patch5002: 5002-Revert-udev-revert-workarounds-for-issues-caused-by-.patch %endif Patch5003: 5003-99-systemd.rules-rework-SYSTEMD_READY-logic-for-devi.patch +Patch5004: 5004-udev-allow-denylist-for-reading-sysfs-attributes-whe.patch %description Systemd is a system and service manager, compatible with SysV and LSB