diff --git a/0001-bnc888612-logind-polkit-acpi.patch b/0001-bnc888612-logind-polkit-acpi.patch index ba3a1b5..a702140 100644 --- a/0001-bnc888612-logind-polkit-acpi.patch +++ b/0001-bnc888612-logind-polkit-acpi.patch @@ -5,7 +5,7 @@ Index: systemd-210/src/login/logind-action.c =================================================================== ---- systemd-210/src/login/logind-action.c +--- systemd-210.orig/src/login/logind-action.c +++ systemd-210/src/login/logind-action.c @@ -101,6 +101,11 @@ int manager_handle_action( @@ -21,7 +21,7 @@ Index: systemd-210/src/login/logind-action.c return 0; Index: systemd-210/src/login/logind-dbus.c =================================================================== ---- systemd-210/src/login/logind-dbus.c +--- systemd-210.orig/src/login/logind-dbus.c +++ systemd-210/src/login/logind-dbus.c @@ -1469,9 +1469,11 @@ static int method_do_shutdown_or_sleep( sd_bus_error *error) { @@ -43,7 +43,7 @@ Index: systemd-210/src/login/logind-dbus.c - if (multiple_sessions) { + fd = open ("/run/systemd/acpi-shutdown", O_NOFOLLOW|O_PATH|O_CLOEXEC); + if (fd >= 0) { -+ shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65)); ++ shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65) && !sleep_verb); + close(fd); + unlink ("/run/systemd/acpi-shutdown"); + } diff --git a/0001-infinit-timeout-for-kmod-loaded-modules.patch b/0001-infinit-timeout-for-kmod-loaded-modules.patch new file mode 100644 index 0000000..698d93e --- /dev/null +++ b/0001-infinit-timeout-for-kmod-loaded-modules.patch @@ -0,0 +1,135 @@ +--- + src/udev/udev-event.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + src/udev/udev.h | 1 + + src/udev/udevd.c | 23 +++++++++++++++++++++-- + 3 files changed, 64 insertions(+), 2 deletions(-) + +--- src/udev/udev-event.c ++++ src/udev/udev-event.c 2014-09-24 14:32:53.115639820 +0000 +@@ -959,6 +959,46 @@ void udev_event_execute_rules(struct ude + } + } + ++#ifdef HAVE_KMOD ++static inline void udev_check_and_set_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) { ++ char filename[UTIL_PATH_SIZE]; ++ switch (builtin_cmd) { ++ case UDEV_BUILTIN_KMOD: ++ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid()); ++ touch(filename); ++ default: ++ break; ++ } ++} ++ ++static inline void udev_check_and_unset_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) { ++ char filename[UTIL_PATH_SIZE]; ++ switch (builtin_cmd) { ++ case UDEV_BUILTIN_KMOD: ++ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid()); ++ unlink(filename); ++ default: ++ break; ++ } ++} ++ ++bool udev_check_for_kmod(pid_t pid) { ++ char filename[UTIL_PATH_SIZE]; ++ struct stat st; ++ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)pid); ++ if (stat(filename, &st) == 0) { ++ return true; ++ } ++ return false; ++} ++#else ++# define udev_set_kmod (a,b) ++# define udev_unset_kmod(a,b) ++bool udev_check_for_kmod(pid_t pid) { ++ return false; ++} ++#endif ++ + void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigmask) { + struct udev_list_entry *list_entry; + +@@ -970,7 +1010,9 @@ void udev_event_execute_run(struct udev_ + char command[UTIL_PATH_SIZE]; + + udev_event_apply_format(event, cmd, command, sizeof(command)); ++ udev_check_and_set_kmod(builtin_cmd, event); + udev_builtin_run(event->dev, builtin_cmd, command, false); ++ udev_check_and_unset_kmod(builtin_cmd, event); + } else { + char program[UTIL_PATH_SIZE]; + char **envp; +--- src/udev/udevd.c ++++ src/udev/udevd.c 2014-09-24 15:02:30.895592379 +0000 +@@ -76,6 +76,7 @@ static int children_max; + static int exec_delay; + static usec_t event_timeout_usec = 180 * USEC_PER_SEC; + static usec_t event_timeout_warn_usec = 180 * USEC_PER_SEC / 3; ++static bool event_killkmod = false; + static sigset_t sigmask_orig; + static UDEV_LIST(event_list); + static UDEV_LIST(worker_list); +@@ -1017,6 +1018,12 @@ static void kernel_cmdline_options(struc + } + event_timeout_usec *= USEC_PER_SEC; + event_timeout_warn_usec = (event_timeout_usec / 3) ? : 1; ++ } else if (startswith(opt, "udev.killkmod=")) { ++ r = parse_boolean(opt + 14); ++ if (r < 0) ++ log_warning("Invalid udev.killkmod Ignoring: %s", opt + 14); ++ else ++ event_killkmod = r; + } + + free(s); +@@ -1065,7 +1072,7 @@ int main(int argc, char *argv[]) { + } + + for (;;) { +- int option, r; ++ int option; + + option = getopt_long(argc, argv, "c:de:DtN:hV", options, NULL); + if (option == -1) +@@ -1356,6 +1363,12 @@ int main(int argc, char *argv[]) { + udev_list_node_init(&event_list); + udev_list_node_init(&worker_list); + ++ r = mkdir_p("/run/udev/kmod", 0755); ++ if (r < 0 && errno != EEXIST) { ++ log_error("could not create /run/udev/kmod: %m"); ++ goto exit; ++ } ++ + for (;;) { + static usec_t last_usec; + struct epoll_event ev[8]; +@@ -1440,7 +1453,13 @@ int main(int argc, char *argv[]) { + + if (worker->state != WORKER_RUNNING) + continue; +- ++#ifdef HAVE_KMOD ++ if (udev_check_for_kmod(worker->pid)) { ++ log_debug("worker [%u] %s is using kmod", worker->pid, worker->event->devpath); ++ if (!event_killkmod) ++ continue; ++ } ++#endif + ts = now(CLOCK_MONOTONIC); + + if ((ts - worker->event_start_usec) > event_timeout_warn_usec) { +--- src/udev/udev.h ++++ src/udev/udev.h 2014-09-24 14:33:33.824008084 +0000 +@@ -88,6 +88,7 @@ int udev_event_spawn(struct udev_event * + char *result, size_t ressize); + void udev_event_execute_rules(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, + struct udev_rules *rules, const sigset_t *sigset); ++bool udev_check_for_kmod(pid_t pid); + void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigset); + int udev_build_argv(struct udev *udev, char *cmd, int *argc, char *argv[]); + diff --git a/0001-login-pause-devices-before-acknowledging-VT-switches.patch b/0001-login-pause-devices-before-acknowledging-VT-switches.patch new file mode 100644 index 0000000..0a335de --- /dev/null +++ b/0001-login-pause-devices-before-acknowledging-VT-switches.patch @@ -0,0 +1,82 @@ +Based on 2ec3ff668ff03410e94cfef8e3ee9384a8222211 Mon Sep 17 00:00:00 2001 +From: David Herrmann +Date: Fri, 19 Sep 2014 13:26:39 +0200 +Subject: [PATCH] login: pause devices before acknowledging VT switches + +If a session controller does not need synchronous VT switches, we allow +them to pass VT control to logind, which acknowledges all VT switches +unconditionally. This works fine with all sessions using the dbus API, +but causes out-of-sync device use if we switch to legacy sessions that +are notified via VT signals. Those are processed before logind notices +the session-switch via sysfs. Therefore, leaving the old session still +active for a short amount of time. + +This, in fact, may cause the legacy session to prepare graphics devices +before the old session was deactivated, and thus, maybe causing the old +session to interfer with graphics device usage. + +Fix this by releasing devices immediately before acknowledging VT +switches. This way, sessions without VT handlers are required to support +async session switching (which they do in that case, anyway). +--- + src/login/logind-session.c | 21 +++++++++++++++++++++ + src/login/logind-session.h | 1 + + src/login/logind.c | 4 ++-- + 3 files changed, 24 insertions(+), 2 deletions(-) + +--- src/login/logind-session.c ++++ src/login/logind-session.c 2014-09-24 07:40:45.786639180 +0000 +@@ -1040,6 +1040,27 @@ void session_restore_vt(Session *s) { + s->vtfd = -1; + } + ++void session_leave_vt(Session *s) { ++ assert(s); ++ ++ /* This is called whenever we get a VT-switch signal from the kernel. ++ * We acknowledge all of them unconditionally. Note that session are ++ * free to overwrite those handlers and we only register them for ++ * sessions with controllers. Legacy sessions are not affected. ++ * However, if we switch from a non-legacy to a legacy session, we must ++ * make sure to pause all device before acknowledging the switch. We ++ * process the real switch only after we are notified via sysfs, so the ++ * legacy session might have already started using the devices. If we ++ * don't pause the devices before the switch, we might confuse the ++ * session we switch to. */ ++ ++ if (s->vtfd < 0) ++ return; ++ ++ session_device_pause_all(s); ++ ioctl(s->vtfd, VT_RELDISP, 1); ++} ++ + bool session_is_controller(Session *s, const char *sender) { + assert(s); + +--- src/login/logind-session.h ++++ src/login/logind-session.h 2014-09-24 07:41:50.290236363 +0000 +@@ -173,6 +173,7 @@ KillWho kill_who_from_string(const char + + int session_mute_vt(Session *s); + void session_restore_vt(Session *s); ++void session_leave_vt(Session *s); + + bool session_is_controller(Session *s, const char *sender); + int session_set_controller(Session *s, const char *sender, bool force); +--- src/login/logind.c ++++ src/login/logind.c 2014-09-24 00:00:00.000000000 +0000 +@@ -743,11 +743,11 @@ static int manager_vt_switch(sd_event_so + } + + if (active->vtfd >= 0) { +- ioctl(active->vtfd, VT_RELDISP, 1); ++ session_leave_vt(active); + } else { + LIST_FOREACH(sessions_by_seat, iter, m->seat0->sessions) { + if (iter->vtnr == active->vtnr && iter->vtfd >= 0) { +- ioctl(iter->vtfd, VT_RELDISP, 1); ++ session_leave_vt(iter); + break; + } + } diff --git a/0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch b/0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch new file mode 100644 index 0000000..ee7cea2 --- /dev/null +++ b/0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch @@ -0,0 +1,21 @@ +Based on c00524c9cc7fb498c7244350e25823b8352f078c Mon Sep 17 00:00:00 2001 +From: Tom Gundersen +Date: Fri, 19 Sep 2014 23:02:00 +0200 +Subject: [PATCH] nspawn: don't try to create veth link with too long ifname + +Reported by: James Lott +--- + src/nspawn/nspawn.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- src/nspawn/nspawn.c ++++ src/nspawn/nspawn.c 2014-09-23 15:33:06.766236272 +0000 +@@ -1383,7 +1383,7 @@ static int setup_veth(pid_t pid, char if + + /* Use two different interface name prefixes depending whether + * we are in bridge mode or not. */ +- snprintf(iface_name, IFNAMSIZ, "%s-%s", ++ snprintf(iface_name, IFNAMSIZ - 1, "%s-%s", + arg_network_bridge ? "vb" : "ve", arg_machine); + + r = sd_rtnl_open(&rtnl, 0); diff --git a/0001-socket-introduce-SELinuxContextFromNet-option.patch b/0001-socket-introduce-SELinuxContextFromNet-option.patch new file mode 100644 index 0000000..f437c7b --- /dev/null +++ b/0001-socket-introduce-SELinuxContextFromNet-option.patch @@ -0,0 +1,414 @@ +Based on 16115b0a7b7cdf08fb38084d857d572d8a9088dc Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 24 Jul 2014 10:40:28 +0200 +Subject: [PATCH] socket: introduce SELinuxContextFromNet option + +This makes possible to spawn service instances triggered by socket with +MLS/MCS SELinux labels which are created based on information provided by +connected peer. + +Implementation of label_get_child_mls_label derived from xinetd. + +Reviewed-by: Paul Moore +--- + man/systemd.socket.xml | 26 +++++++ + src/core/execute.c | 30 +++++++-- + src/core/execute.h | 1 + src/core/load-fragment-gperf.gperf.m4 | 3 + src/core/mount.c | 1 + src/core/service.c | 4 - + src/core/service.h | 3 + src/core/socket.c | 16 +++- + src/core/socket.h | 2 + src/core/swap.c | 1 + src/shared/label.c | 113 ++++++++++++++++++++++++++++++++++ + src/shared/label.h | 2 + 12 files changed, 191 insertions(+), 11 deletions(-) + +--- man/systemd.socket.xml ++++ man/systemd.socket.xml 2014-09-23 15:36:49.000000000 +0000 +@@ -570,6 +570,32 @@ + + + ++ SELinuxContextFromNet= ++ Takes a boolean ++ argument. When true systemd will attempt ++ to figure out the SELinux label used ++ for the instantiated service from the ++ information handed by the peer over the ++ network. Note that only the security ++ level is used from the information ++ provided by the peer. Other parts of ++ the resulting SELinux context originate ++ from either the target binary that is ++ effectively triggered by socket unit ++ are taken from the value of the ++ SELinuxContext= ++ option.This configuration option only ++ affects sockets with ++ Accept= mode set to ++ true. Also note that ++ this option is useful only when ++ MLS/MCS SELinux policy is ++ deployed. Defaults to ++ false. ++ ++ ++ ++ + PipeSize= + Takes an size in + bytes. Controls the pipe buffer size +--- src/core/execute.c ++++ src/core/execute.c 2014-09-24 09:22:08.882735864 +0000 +@@ -82,6 +82,7 @@ + #include "selinux-util.h" + #include "errno-list.h" + #include "apparmor-util.h" ++#include "label.h" + + #ifdef HAVE_SECCOMP + #include "seccomp-util.h" +@@ -1123,6 +1124,7 @@ int exec_spawn(ExecCommand *command, + bool apply_chroot, + bool apply_tty_stdin, + bool confirm_spawn, ++ bool selinux_context_net, + CGroupControllerMask cgroup_supported, + const char *cgroup_path, + const char *unit_id, +@@ -1594,11 +1596,29 @@ int exec_spawn(ExecCommand *command, + #endif + + #ifdef HAVE_SELINUX +- if (context->selinux_context && use_selinux()) { +- err = setexeccon(context->selinux_context); +- if (err < 0 && !context->selinux_context_ignore) { +- r = EXIT_SELINUX_CONTEXT; +- goto fail_child; ++ if (use_selinux()) { ++ if (context->selinux_context) { ++ err = setexeccon(context->selinux_context); ++ if (err < 0 && !context->selinux_context_ignore) { ++ r = EXIT_SELINUX_CONTEXT; ++ goto fail_child; ++ } ++ } ++ ++ if (selinux_context_net && socket_fd >= 0) { ++ _cleanup_free_ char *label = NULL; ++ ++ err = label_get_child_mls_label(socket_fd, command->path, &label); ++ if (err < 0) { ++ r = EXIT_SELINUX_CONTEXT; ++ goto fail_child; ++ } ++ ++ err = setexeccon(label); ++ if (err < 0) { ++ r = EXIT_SELINUX_CONTEXT; ++ goto fail_child; ++ } + } + } + #endif +--- src/core/execute.h ++++ src/core/execute.h 2014-09-23 15:46:26.000000000 +0000 +@@ -195,6 +195,7 @@ int exec_spawn(ExecCommand *command, + bool apply_chroot, + bool apply_tty_stdin, + bool confirm_spawn, ++ bool selinux_context_net, + CGroupControllerMask cgroup_mask, + const char *cgroup_path, + const char *unit_id, +--- src/core/load-fragment-gperf.gperf.m4 ++++ src/core/load-fragment-gperf.gperf.m4 2014-09-23 00:00:00.000000000 +0000 +@@ -242,6 +242,9 @@ Socket.SmackLabelIPOut, config_ + `Socket.SmackLabel, config_parse_warn_compat, 0, 0 + Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0 + Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0') ++m4_ifdef(`HAVE_SELINUX', ++`Socket.SELinuxContextFromNet, config_parse_bool, 0, offsetof(Socket, selinux_context_from_net)', ++`Socket.SELinuxContextFromNet, config_parse_warn_compat, 0, 0') + EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl + CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl + KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl +--- src/core/mount.c ++++ src/core/mount.c 2014-09-24 09:16:26.234235379 +0000 +@@ -785,6 +785,7 @@ static int mount_spawn(Mount *m, ExecCom + true, + true, + UNIT(m)->manager->confirm_spawn, ++ false, + UNIT(m)->manager->cgroup_supported, + UNIT(m)->cgroup_path, + UNIT(m)->id, +--- src/core/service.c ++++ src/core/service.c 2014-09-23 15:49:24.000000000 +0000 +@@ -1856,6 +1856,7 @@ static int service_spawn( + apply_chroot, + apply_tty_stdin, + UNIT(s)->manager->confirm_spawn, ++ s->socket_fd_selinux_context_net, + UNIT(s)->manager->cgroup_supported, + path, + UNIT(s)->id, +@@ -3787,7 +3788,7 @@ static void service_bus_name_owner_chang + } + } + +-int service_set_socket_fd(Service *s, int fd, Socket *sock) { ++int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) { + _cleanup_free_ char *peer = NULL; + int r; + +@@ -3825,6 +3826,7 @@ int service_set_socket_fd(Service *s, in + } + + s->socket_fd = fd; ++ s->socket_fd_selinux_context_net = selinux_context_net; + + unit_ref_set(&s->accept_socket, UNIT(sock)); + +--- src/core/service.h ++++ src/core/service.h 2014-09-23 15:51:13.000000000 +0000 +@@ -159,6 +159,7 @@ struct Service { + pid_t main_pid, control_pid; + int socket_fd; + ++ bool socket_fd_selinux_context_net; + bool permissions_start_only; + bool root_directory_start_only; + bool remain_after_exit; +@@ -204,7 +205,7 @@ extern const UnitVTable service_vtable; + + struct Socket; + +-int service_set_socket_fd(Service *s, int fd, struct Socket *socket); ++int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net); + + const char* service_state_to_string(ServiceState i) _const_; + ServiceState service_state_from_string(const char *s) _pure_; +--- src/core/socket.c ++++ src/core/socket.c 2014-09-24 09:13:29.698735735 +0000 +@@ -453,7 +453,8 @@ static void socket_dump(Unit *u, FILE *f + "%sBroadcast: %s\n" + "%sPassCredentials: %s\n" + "%sPassSecurity: %s\n" +- "%sTCPCongestion: %s\n", ++ "%sTCPCongestion: %s\n" ++ "%sSELinuxContextFromNet: %s\n", + prefix, socket_state_to_string(s->state), + prefix, socket_result_to_string(s->result), + prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only), +@@ -466,7 +467,8 @@ static void socket_dump(Unit *u, FILE *f + prefix, yes_no(s->broadcast), + prefix, yes_no(s->pass_cred), + prefix, yes_no(s->pass_sec), +- prefix, strna(s->tcp_congestion)); ++ prefix, strna(s->tcp_congestion), ++ prefix, yes_no(s->selinux_context_from_net)); + + if (s->control_pid > 0) + fprintf(f, +@@ -1000,7 +1002,12 @@ static int socket_open_fds(Socket *s) { + + if (p->type == SOCKET_SOCKET) { + +- if (!know_label) { ++ if (!know_label && s->selinux_context_from_net) { ++ r = label_get_our_label(&label); ++ if (r < 0) ++ return r; ++ know_label = true; ++ } else if (!know_label) { + + if ((r = socket_instantiate_service(s)) < 0) + return r; +@@ -1247,6 +1254,7 @@ static int socket_spawn(Socket *s, ExecC + true, + true, + UNIT(s)->manager->confirm_spawn, ++ s->selinux_context_from_net, + UNIT(s)->manager->cgroup_supported, + UNIT(s)->cgroup_path, + UNIT(s)->id, +@@ -1568,7 +1576,7 @@ static void socket_enter_running(Socket + + unit_choose_id(UNIT(service), name); + +- r = service_set_socket_fd(service, cfd, s); ++ r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net); + if (r < 0) + goto fail; + +--- src/core/socket.h ++++ src/core/socket.h 2014-09-23 15:55:17.000000000 +0000 +@@ -154,6 +154,8 @@ struct Socket { + char *smack; + char *smack_ip_in; + char *smack_ip_out; ++ ++ bool selinux_context_from_net; + }; + + /* Called from the service code when collecting fds */ +--- src/core/swap.c ++++ src/core/swap.c 2014-09-24 09:17:18.438735618 +0000 +@@ -642,6 +642,7 @@ static int swap_spawn(Swap *s, ExecComma + true, + true, + UNIT(s)->manager->confirm_spawn, ++ false, + UNIT(s)->manager->cgroup_supported, + UNIT(s)->cgroup_path, + UNIT(s)->id, +--- src/shared/label.c ++++ src/shared/label.c 2014-09-23 00:00:00.000000000 +0000 +@@ -31,6 +31,7 @@ + #ifdef HAVE_SELINUX + #include + #include ++#include + #endif + + #include "label.h" +@@ -41,6 +42,12 @@ + #include "smack-util.h" + + #ifdef HAVE_SELINUX ++DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon); ++DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free); ++ ++#define _cleanup_security_context_free_ _cleanup_(freeconp) ++#define _cleanup_context_free_ _cleanup_(context_freep) ++ + static struct selabel_handle *label_hnd = NULL; + #endif + +@@ -243,6 +250,112 @@ fail: + return r; + } + ++int label_get_our_label(char **label) { ++ int r = -EOPNOTSUPP; ++ char *l = NULL; ++ ++#ifdef HAVE_SELINUX ++ r = getcon(&l); ++ if (r < 0) ++ return r; ++ ++ *label = l; ++#endif ++ ++ return r; ++} ++ ++int label_get_child_mls_label(int socket_fd, const char *exe, char **label) { ++ int r = -EOPNOTSUPP; ++ ++#ifdef HAVE_SELINUX ++ ++ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL; ++ _cleanup_context_free_ context_t pcon = NULL, bcon = NULL; ++ security_class_t sclass; ++ ++ const char *range = NULL; ++ ++ assert(socket_fd >= 0); ++ assert(exe); ++ assert(label); ++ ++ r = getcon(&mycon); ++ if (r < 0) { ++ r = -EINVAL; ++ goto out; ++ } ++ ++ r = getpeercon(socket_fd, &peercon); ++ if (r < 0) { ++ r = -EINVAL; ++ goto out; ++ } ++ ++ r = getexeccon(&fcon); ++ if (r < 0) { ++ r = -EINVAL; ++ goto out; ++ } ++ ++ if (!fcon) { ++ /* If there is no context set for next exec let's use context ++ of target executable */ ++ r = getfilecon(exe, &fcon); ++ if (r < 0) { ++ r = -errno; ++ goto out; ++ } ++ } ++ ++ bcon = context_new(mycon); ++ if (!bcon) { ++ r = -ENOMEM; ++ goto out; ++ } ++ ++ pcon = context_new(peercon); ++ if (!pcon) { ++ r = -ENOMEM; ++ goto out; ++ } ++ ++ range = context_range_get(pcon); ++ if (!range) { ++ r = -errno; ++ goto out; ++ } ++ ++ r = context_range_set(bcon, range); ++ if (r) { ++ r = -errno; ++ goto out; ++ } ++ ++ freecon(mycon); ++ mycon = context_str(bcon); ++ if (!mycon) { ++ r = -errno; ++ goto out; ++ } ++ ++ sclass = string_to_security_class("process"); ++ r = security_compute_create(mycon, fcon, sclass, &ret); ++ if (r < 0) { ++ r = -EINVAL; ++ goto out; ++ } ++ ++ *label = ret; ++ r = 0; ++ ++out: ++ if (r < 0 && security_getenforce() == 1) ++ return r; ++#endif ++ return r; ++} ++ + int label_context_set(const char *path, mode_t mode) { + int r = 0; + +--- src/shared/label.h ++++ src/shared/label.h 2014-09-23 00:00:00.000000000 +0000 +@@ -40,6 +40,8 @@ void label_context_clear(void); + void label_free(const char *label); + + int label_get_create_label_from_exe(const char *exe, char **label); ++int label_get_our_label(char **label); ++int label_get_child_mls_label(int socket_fd, const char *exec, char **label); + + int label_mkdir(const char *path, mode_t mode); + diff --git a/0002-util-avoid-non-portable-__WORDSIZE.patch b/0002-util-avoid-non-portable-__WORDSIZE.patch new file mode 100644 index 0000000..7c82d91 --- /dev/null +++ b/0002-util-avoid-non-portable-__WORDSIZE.patch @@ -0,0 +1,25 @@ +Based on 8507eb20b64010b26f23822cbf442bb0bf96511c Mon Sep 17 00:00:00 2001 +From: Emil Renner Berthing +Date: Fri, 19 Sep 2014 20:26:53 +0200 +Subject: [PATCH] util: avoid non-portable __WORDSIZE + +Lets not unnecessarily rely on __WORDSIZE, which is not clearly specified +by any spec. Use explicit size comparisons if we're not interested in the +WORDSIZE, anyway. + +(David: adjust commit message to explain why we do this) +--- + src/shared/util.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- src/shared/util.h ++++ src/shared/util.h 2014-09-24 06:58:11.378235669 +0000 +@@ -166,7 +166,7 @@ int safe_atolli(const char *s, long long + + int safe_atod(const char *s, double *ret_d); + +-#if __WORDSIZE == 32 ++#if LONG_MAX == INT_MAX + static inline int safe_atolu(const char *s, unsigned long *ret_u) { + assert_cc(sizeof(unsigned long) == sizeof(unsigned)); + return safe_atou(s, (unsigned*) ret_u); diff --git a/systemd-mini.changes b/systemd-mini.changes index d2bbba4..2520720 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de + +- Update patch 0001-bnc888612-logind-polkit-acpi.patch + +------------------------------------------------------------------- +Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de + +- Add upstream patches + 0001-login-pause-devices-before-acknowledging-VT-switches.patch + May help that history of the shell is saved + 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch + 0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801) + 0002-util-avoid-non-portable-__WORDSIZE.patch + ------------------------------------------------------------------- Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de diff --git a/systemd-mini.spec b/systemd-mini.spec index 01e9792..e785ee2 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -888,6 +888,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch # PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612) Patch430: 0001-bnc888612-logind-polkit-acpi.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved +Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 +Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801) +Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 +Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch # UDEV PATCHES # ============ @@ -1658,6 +1666,10 @@ cp %{SOURCE7} m4/ %patch428 -p0 %patch429 -p0 %patch430 -p1 +%patch431 -p0 +%patch432 -p0 +%patch433 -p0 +%patch434 -p0 # udev patches %patch1001 -p1 diff --git a/systemd.changes b/systemd.changes index d2bbba4..e56b6b3 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,24 @@ +------------------------------------------------------------------- +Wed Sep 24 15:05:49 UTC 2014 - werner@suse.de + +- Add patch 0001-infinit-timeout-for-kmod-loaded-modules.patch to + be able to avoid killing a running kmod/modprobe (bnc#889297) + +------------------------------------------------------------------- +Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de + +- Update patch 0001-bnc888612-logind-polkit-acpi.patch + +------------------------------------------------------------------- +Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de + +- Add upstream patches + 0001-login-pause-devices-before-acknowledging-VT-switches.patch + May help that history of the shell is saved + 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch + 0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801) + 0002-util-avoid-non-portable-__WORDSIZE.patch + ------------------------------------------------------------------- Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de diff --git a/systemd.spec b/systemd.spec index 7f58d45..462c3db 100644 --- a/systemd.spec +++ b/systemd.spec @@ -883,6 +883,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch # PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612) Patch430: 0001-bnc888612-logind-polkit-acpi.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved +Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 +Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801) +Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch +# PATCH-FIX-UPSTREAM added at 2014/09/24 +Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch # UDEV PATCHES # ============ @@ -1653,6 +1661,10 @@ cp %{SOURCE7} m4/ %patch428 -p0 %patch429 -p0 %patch430 -p1 +%patch431 -p0 +%patch432 -p0 +%patch433 -p0 +%patch434 -p0 # udev patches %patch1001 -p1