Dr. Werner Fink 2014-07-01 12:43:04 +00:00 committed by Git OBS Bridge
parent 1e3eb528eb
commit 5d469dc93d
13 changed files with 452 additions and 0 deletions


@ -0,0 +1,26 @@
Based on 1f97091d3cb0887c264176b47b0a86c269acf0b5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 27 Jun 2014 18:34:37 +0200
Subject: [PATCH] main: uid_to_name() might fail due to OOM, protect against
that
---
src/core/main.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- src/core/main.c
+++ src/core/main.c 2014-07-01 12:25:17.906235000 +0000
@@ -1525,9 +1525,10 @@ int main(int argc, char *argv[]) {
log_info("Running in initial RAM disk.");
} else {
- _cleanup_free_ char *t = uid_to_name(getuid());
- log_debug(PACKAGE_STRING " running in user mode for user "UID_FMT"/%s. (" SYSTEMD_FEATURES ")",
- getuid(), t);
+ _cleanup_free_ char *t;
+
+ t = uid_to_name(getuid());
+ log_debug(PACKAGE_STRING " running in user mode for user "UID_FMT"/%s. (" SYSTEMD_FEATURES ")", getuid(), strna(t));
}
if (arg_running_as == SYSTEMD_SYSTEM && !skip_setup) {
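Review bot: The new `_cleanup_free_ char *t;` at the top of the else-branch is declared without an initializer; if `_cleanup_free_` expands to a cleanup attribute as elsewhere in systemd, the handler frees whatever `t` holds on any exit from that scope, so the declaration is only safe because the assignment immediately follows it. Writing `_cleanup_free_ char *t = NULL;` keeps it safe if a later change inserts an early `goto` or `break` between the two lines, at no cost. Wrapping the argument in `strna(t)` is the right fix for the OOM case, since passing a NULL pointer to `%s` is undefined behaviour. `main()` continues outside the hunk.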


@ -0,0 +1,30 @@
Based on e150e82097211f09b911c7784a89ef9efed713ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Bartoszkiewicz?= <mbartoszkiewicz@gmail.com>
Date: Thu, 26 Jun 2014 22:11:35 +0200
Subject: [PATCH] journald: make MaxFileSec really default to 1month
journald.conf(5) states that the default for MaxFileSec is one month,
but the code didn't respect that.
---
src/journal/journald-server.c | 3 +++
1 file changed, 3 insertions(+)
--- src/journal/journald-server.c
+++ src/journal/journald-server.c 2014-07-01 12:28:25.506735287 +0000
@@ -68,6 +68,7 @@
#define DEFAULT_SYNC_INTERVAL_USEC (5*USEC_PER_MINUTE)
#define DEFAULT_RATE_LIMIT_INTERVAL (30*USEC_PER_SEC)
#define DEFAULT_RATE_LIMIT_BURST 1000
+#define DEFAULT_MAX_FILE_USEC USEC_PER_MONTH
#define RECHECK_AVAILABLE_SPACE_USEC (30*USEC_PER_SEC)
@@ -1496,6 +1497,8 @@ int server_init(Server *s) {
s->forward_to_syslog = true;
+ s->max_file_usec = DEFAULT_MAX_FILE_USEC;
+
s->max_level_store = LOG_DEBUG;
s->max_level_syslog = LOG_DEBUG;
s->max_level_kmsg = LOG_NOTICE;
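Review bot: `DEFAULT_MAX_FILE_USEC` is introduced without any comment tying it to the documented default, which is exactly the drift this patch fixes (journald.conf(5) promised one month, the code did not); a one-line comment such as `/* Must stay in sync with the MaxFileSec= default documented in journald.conf(5) */` above the define would make the next divergence visible in review. The assignment in `server_init()` sits with the other defaults, which reads fine, but whether it precedes the configuration parse that may override it cannot be seen here; `server_init()` continues outside the hunk.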


@ -0,0 +1,65 @@
Based on 0fdeb6e011dfdb17636c81e2d7e0d632186359ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 28 Jun 2014 00:06:30 -0400
Subject: [PATCH] units: remove RefuseManualStart from units which are always
around
In a normal running system, non-passive targets and units used during
early bootup are always started. So refusing "manual start" for them
doesn't make any difference, because a "start" command doesn't cause
any action.
In early boot however, the administrator might want to start on
of those targets or services by hand. We shouldn't interfere with that.
Note: in case of systemd-tmpfiles-setup.service, really running the
unit after system is up would break the system. So e.g. restarting
should not be allowed. The unit has "RefuseManualStop=yes", which
prevents restart too.
---
units/basic.target | 1 -
units/sysinit.target | 1 -
units/systemd-tmpfiles-setup.service.in | 1 -
units/user/basic.target | 1 -
4 files changed, 4 deletions(-)
diff --git units/basic.target units/basic.target
index d7c68f4..b890d48 100644
--- units/basic.target
+++ units/basic.target
@@ -11,4 +11,3 @@ Documentation=man:systemd.special(7)
Requires=sysinit.target
Wants=sockets.target timers.target paths.target slices.target
After=sysinit.target sockets.target timers.target paths.target slices.target
-RefuseManualStart=yes
diff --git units/sysinit.target units/sysinit.target
index 8f4fb8f..ec33503 100644
--- units/sysinit.target
+++ units/sysinit.target
@@ -11,4 +11,3 @@ Documentation=man:systemd.special(7)
Conflicts=emergency.service emergency.target
Wants=local-fs.target swap.target
After=local-fs.target swap.target emergency.service emergency.target
-RefuseManualStart=yes
--- units/systemd-tmpfiles-setup.service.in
+++ units/systemd-tmpfiles-setup.service.in 2014-07-01 12:17:48.154235348 +0000
@@ -18,7 +18,6 @@ ConditionDirectoryNotEmpty=|/lib/tmpfile
ConditionDirectoryNotEmpty=|/usr/local/lib/tmpfiles.d
ConditionDirectoryNotEmpty=|/etc/tmpfiles.d
ConditionDirectoryNotEmpty=|/run/tmpfiles.d
-RefuseManualStart=yes
RefuseManualStop=yes
[Service]
diff --git units/user/basic.target units/user/basic.target
index b74d13c..afc6e93 100644
--- units/user/basic.target
+++ units/user/basic.target
@@ -10,4 +10,3 @@ Description=Basic System
Documentation=man:systemd.special(7)
Wants=sockets.target timers.target paths.target
After=sockets.target timers.target paths.target
-RefuseManualStart=yes
--
1.7.9.2
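Review bot: Dropping `RefuseManualStart=yes` from `systemd-tmpfiles-setup.service.in` relies on the unit staying active after boot so that a later `systemctl start` is a no-op; the commit message itself says re-running it on a live system breaks the system, and `RefuseManualStop=yes` only blocks stop and restart, not a fresh start of an inactive unit. Whether the unit remains active (a oneshot with `RemainAfterExit=yes`) is decided in its `[Service]` section, which is outside this hunk, so that should be confirmed before this hunk is taken. The three `*.target` hunks carry no such risk, since starting an already-active target does nothing. Note also that this third file is a plain unified diff with a timestamp while the others are `diff --git` hunks, so the mixed format is easy to mangle on the next rebase.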


@ -0,0 +1,31 @@
From 306a55c86360a7ae7b2509771d5ea6ab0d166d85 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Sun, 29 Jun 2014 22:15:33 +0200
Subject: [PATCH] util: refuse considering UID 0xFFFF and 0xFFFFFFFF valid
---
src/shared/util.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git src/shared/util.c src/shared/util.c
index e7ff0f8..1709bb7 100644
--- src/shared/util.c
+++ src/shared/util.c
@@ -280,6 +280,14 @@ int parse_uid(const char *s, uid_t* ret_uid) {
if ((unsigned long) uid != ul)
return -ERANGE;
+ /* Some libc APIs use (uid_t) -1 as special placeholder */
+ if (uid == (uid_t) 0xFFFFFFFF)
+ return -EINVAL;
+
+ /* A long time ago UIDs where 16bit, hence explicitly avoid the 32bit -1 too */
+ if (uid == (uid_t) 0xFFFF)
+ return -EINVAL;
+
*ret_uid = uid;
return 0;
}
--
1.7.9.2
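Review bot: The two new rejections in `parse_uid()` compare against bare literals, `(uid_t) 0xFFFFFFFF` and `(uid_t) 0xFFFF`, while the comment describes the first as `(uid_t) -1`; spelling it `if (uid == (uid_t) -1)` makes the code match the comment and stays correct whatever width `uid_t` has, and the 16-bit sentinel deserves a named constant rather than a magic number. Every caller of `parse_uid()` now receives `-EINVAL` for these two values, which the function's declaration comment should state, since callers that previously accepted them will see new failures; the declaration is outside this hunk. The second comment also reads `UIDs where 16bit`, which should be `were`. `parse_uid()` begins before the hunk.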


@ -0,0 +1,94 @@
From 28650077f36466d9c5ee27ef2006fae3171a2430 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 30 Jun 2014 16:22:12 +0200
Subject: [PATCH] nspawn: block open_by_handle_at() and others via seccomp
Let's protect ourselves against the recently reported docker security
issue. Our man page makes clear that we do not make any security
promises anyway, but well, this one is easy to mitigate, so let's do it.
While we are at it block a couple of more syscalls that are no good in
containers, too.
---
src/nspawn/nspawn.c | 47 +++++++++++++++++++++++++++++++++++------------
1 file changed, 35 insertions(+), 12 deletions(-)
diff --git src/nspawn/nspawn.c src/nspawn/nspawn.c
index fd61d07..656c1bf 100644
--- src/nspawn/nspawn.c
+++ src/nspawn/nspawn.c
@@ -1864,22 +1864,25 @@ static int setup_macvlan(pid_t pid) {
return 0;
}
-static int audit_still_doesnt_work_in_containers(void) {
+static int setup_seccomp(void) {
#ifdef HAVE_SECCOMP
+ static const int blacklist[] = {
+ SCMP_SYS(kexec_load),
+ SCMP_SYS(open_by_handle_at),
+ SCMP_SYS(init_module),
+ SCMP_SYS(finit_module),
+ SCMP_SYS(delete_module),
+ SCMP_SYS(iopl),
+ SCMP_SYS(ioperm),
+ SCMP_SYS(swapon),
+ SCMP_SYS(swapoff),
+ };
+
scmp_filter_ctx seccomp;
+ unsigned i;
int r;
- /*
- Audit is broken in containers, much of the userspace audit
- hookup will fail if running inside a container. We don't
- care and just turn off creation of audit sockets.
-
- This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
- with EAFNOSUPPORT which audit userspace uses as indication
- that audit is disabled in the kernel.
- */
-
seccomp = seccomp_init(SCMP_ACT_ALLOW);
if (!seccomp)
return log_oom();
@@ -1890,6 +1893,26 @@ static int audit_still_doesnt_work_in_containers(void) {
goto finish;
}
+ for (i = 0; i < ELEMENTSOF(blacklist); i++) {
+ r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), blacklist[i], 0);
+ if (r == -EFAULT)
+ continue; /* unknown syscall */
+ if (r < 0) {
+ log_error("Failed to block syscall: %s", strerror(-r));
+ goto finish;
+ }
+ }
+
+ /*
+ Audit is broken in containers, much of the userspace audit
+ hookup will fail if running inside a container. We don't
+ care and just turn off creation of audit sockets.
+
+ This will make socket(AF_NETLINK, *, NETLINK_AUDIT) fail
+ with EAFNOSUPPORT which audit userspace uses as indication
+ that audit is disabled in the kernel.
+ */
+
r = seccomp_rule_add(
seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT),
@@ -3050,7 +3073,7 @@ int main(int argc, char *argv[]) {
dev_setup(arg_directory);
- if (audit_still_doesnt_work_in_containers() < 0)
+ if (setup_seccomp() < 0)
goto child_fail;
if (setup_dev_console(arg_directory, console) < 0)
--
1.7.9.2
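Review bot: The new `blacklist[]` in `setup_seccomp()` carries no comment saying why each syscall is listed, and this is the hunk people will revisit when the list needs extending; a short comment per group would preserve the reasoning the commit message holds (`open_by_handle_at()` reaches files outside the container's mount namespace, the reported issue; `kexec_load()`, `init_module()`, `finit_module()` and `delete_module()` act on the host kernel; `iopl()`/`ioperm()` grant raw port I/O; `swapon()`/`swapoff()` touch host memory). A function-header comment should also state that this is a deny-list on top of `SCMP_ACT_ALLOW`, so any syscall not named remains reachable and the list has to be revisited as kernels grow, which is the limitation the message alludes to. Treating `-EFAULT` from `seccomp_rule_add()` as an unknown syscall and continuing is reasonable for a best-effort filter, but the other error path would be more useful with the syscall number, e.g. `log_error("Failed to block syscall %d: %s", blacklist[i], strerror(-r));`. The `finish:` label and the function's return path are outside the hunk.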


@ -0,0 +1,26 @@
Based on 6fc27667950fe153033f0f49cb5b57e8954c3e54 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 30 Jun 2014 19:06:18 +0200
Subject: [PATCH] tmpfiles: don't do automatic cleanup in $XDG_RUNTIME_DIR
Now that logind will clean up all IPC resources of a user we should
really consider $XDG_RUNTIME_DIR as just another kind of IPC with the
same life-cycle logic as the other IPC resources. This should be safe
now to do since every user gets his own $XDG_RUNTIME_DIR tmpfs instance
with a fixed size limit, so that flooding of it will more effectively be
averted.
---
tmpfiles.d/systemd.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- tmpfiles.d/systemd.conf
+++ tmpfiles.d/systemd.conf 2014-07-01 12:31:01.858735866 +0000
@@ -7,7 +7,7 @@
# See tmpfiles.d(5) for details
-d /run/user 0755 root root ~10d
+d /run/user 0755 root root -
F! /run/utmp 0664 root utmp -
f /var/log/wtmp 0664 root utmp -


@ -0,0 +1,26 @@
From 8ebf02d6f382ce1ac7e0d44a713b8795a07b08cd Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Mon, 30 Jun 2014 21:44:05 +0200
Subject: [PATCH] units: skip mounting /tmp if it is a symlink
We shouldn't get confused if people have symlinked /tmp somewhere, so
let's simply skip the mount then.
---
units/tmp.mount | 1 +
1 file changed, 1 insertion(+)
diff --git units/tmp.mount units/tmp.mount
index 99a3ba3..00a0d28 100644
--- units/tmp.mount
+++ units/tmp.mount
@@ -9,6 +9,7 @@
Description=Temporary Directory
Documentation=man:hier(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+ConditionPathIsSymbolicLink=!/tmp
DefaultDependencies=no
Conflicts=umount.target
Before=local-fs.target umount.target
--
1.7.9.2


@ -0,0 +1,45 @@
From cd31d1884f1ecf38e11bc6268f446d75dfafbc25 Mon Sep 17 00:00:00 2001
From: Gerd Hoffmann <kraxel@redhat.com>
Date: Mon, 24 Mar 2014 12:07:41 +0100
Subject: [PATCH] rules: update qemu hid rules
Update comment to be a bit more specific.
Change match to blacklist the serial number of the broken devices
instead of whitelisting the serial number of the fixed devices.
This allows to do something useful with the serial number in the
future.
---
rules/42-usb-hid-pm.rules | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git rules/42-usb-hid-pm.rules rules/42-usb-hid-pm.rules
index 3fd6e8a..c675b5b 100644
--- rules/42-usb-hid-pm.rules
+++ rules/42-usb-hid-pm.rules
@@ -2,14 +2,15 @@
#
# Enable autosuspend for qemu emulated usb hid devices
-# Note that there are buggy qemu versions which advertise remote
-# wakeup support but don't actually implement it correctly. This
-# is the reason why we need a match for the serial number here.
-# The serial number "42" is used to tag the implementations where
+# Note that there are buggy qemu versions (0.13 & older) which
+# advertise remote wakeup support but don't actually implement
+# it correctly. This is the reason why we need a match for the
+# serial number here. Old, broken versions have serial "1".
+# It has been changed to "42" after fixing the bug to indicate
# remote wakeup is working.
-ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Mouse", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
-ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Tablet", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
-ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Keyboard", ATTR{serial}=="42", TEST=="power/control", ATTR{power/control}="auto"
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Mouse", ATTR{serial}!="1", TEST=="power/control", ATTR{power/control}="auto"
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Tablet", ATTR{serial}!="1", TEST=="power/control", ATTR{power/control}="auto"
+ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Keyboard", ATTR{serial}!="1", TEST=="power/control", ATTR{power/control}="auto"
# Catch-all for Avocent HID devices. Keyed off interface in order to only
# trigger on HID class devices.
--
1.7.9.2
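Review bot: Switching the match from `ATTR{serial}=="42"` to `ATTR{serial}!="1"` changes what happens for a device that exposes no serial attribute at all: if udev treats an unreadable sysfs attribute as a non-match regardless of operator, such a device is excluded before and after this change, but if `!=` on a missing attribute evaluates true, autosuspend would now be enabled on a device the old rule left alone; this is worth confirming against the udev version this ships with. The inverted match also means any future QEMU serial other than "1" gets autosuspend, which the message says is intended, and the updated comment could say so explicitly, e.g. `# Any serial other than "1" is treated as a fixed implementation.`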


@ -0,0 +1,29 @@
Based on 52fb538361053f8c4abce0e40cd0bae3d28ceb16 Mon Sep 17 00:00:00 2001
From: Tom Hirst <tom.hirst@ipe-systems.co.uk>
Date: Wed, 25 Jun 2014 11:57:11 +0000
Subject: [PATCH] rules: don't enable usb pm for Avocent devices
The Avocent KVM over IP devices doesn't work correctly with USB power
management enabled.
---
rules/42-usb-hid-pm.rules | 4 ----
1 file changed, 4 deletions(-)
diff --git rules/42-usb-hid-pm.rules rules/42-usb-hid-pm.rules
index c675b5b..4c300da 100644
--- rules/42-usb-hid-pm.rules
+++ rules/42-usb-hid-pm.rules
@@ -12,10 +12,6 @@ ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Mouse", ATTR{serial}!=
ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Tablet", ATTR{serial}!="1", TEST=="power/control", ATTR{power/control}="auto"
ACTION=="add", SUBSYSTEM=="usb", ATTR{product}=="QEMU USB Keyboard", ATTR{serial}!="1", TEST=="power/control", ATTR{power/control}="auto"
-# Catch-all for Avocent HID devices. Keyed off interface in order to only
-# trigger on HID class devices.
-ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="0624", ATTR{bInterfaceClass}=="03", TEST=="../power/control", ATTR{../power/control}="auto"
-
# Dell DRAC 4
ACTION=="add", SUBSYSTEM=="usb", ATTR{idVendor}=="413c", ATTR{idProduct}=="2500", TEST=="power/control", ATTR{power/control}="auto"
--
1.7.9.2


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Jul 1 12:19:27 UTC 2014 - werner@suse.de
- Add upstream patches
0001-main-uid_to_name-might-fail-due-to-OOM-protect-again.patch
0002-journald-make-MaxFileSec-really-default-to-1month.patch
0003-units-remove-RefuseManualStart-from-units-which-are-.patch
0004-util-refuse-considering-UID-0xFFFF-and-0xFFFFFFFF-va.patch
0005-nspawn-block-open_by_handle_at-and-others-via-seccom.patch
0006-tmpfiles-don-t-do-automatic-cleanup-in-XDG_RUNTIME_D.patch
0007-units-skip-mounting-tmp-if-it-is-a-symlink.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jul 1 09:58:04 UTC 2014 - werner@suse.de Tue Jul 1 09:58:04 UTC 2014 - werner@suse.de
@ -9,6 +21,8 @@ Tue Jul 1 08:56:48 UTC 2014 - werner@suse.de
- Add upstream patches - Add upstream patches
1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch
1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
1044-rules-update-qemu-hid-rules.patch
1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 27 12:46:12 UTC 2014 - werner@suse.de Fri Jun 27 12:46:12 UTC 2014 - werner@suse.de


@ -609,6 +609,19 @@ Patch297: 0001-core-use-correct-format-string-for-UIDs.patch
Patch298: 0002-core-transaction-fix-cycle-break-attempts-outside-tr.patch Patch298: 0002-core-transaction-fix-cycle-break-attempts-outside-tr.patch
# PATCH-FIX-UPSTREAM added at 2014/06/26 # PATCH-FIX-UPSTREAM added at 2014/06/26
Patch299: 0003-fsck-consider-a-fsck-implementation-linked-to-bin-tr.patch Patch299: 0003-fsck-consider-a-fsck-implementation-linked-to-bin-tr.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch300: 0001-main-uid_to_name-might-fail-due-to-OOM-protect-again.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch301: 0002-journald-make-MaxFileSec-really-default-to-1month.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch302: 0003-units-remove-RefuseManualStart-from-units-which-are-.patch
Patch303: 0004-util-refuse-considering-UID-0xFFFF-and-0xFFFFFFFF-va.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch304: 0005-nspawn-block-open_by_handle_at-and-others-via-seccom.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch305: 0006-tmpfiles-don-t-do-automatic-cleanup-in-XDG_RUNTIME_D.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch306: 0007-units-skip-mounting-tmp-if-it-is-a-symlink.patch
# UDEV PATCHES # UDEV PATCHES
# ============ # ============
@ -702,6 +715,10 @@ Patch1041: 1041-libudev-fix-udev_queue_get_queue_is_empty-logic.patch
Patch1042: 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch Patch1042: 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch
# PATCH-FIX-UPSTREAM 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch # PATCH-FIX-UPSTREAM 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
Patch1043: 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch Patch1043: 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
# PATCH-FIX-UPSTREAM 1044-rules-update-qemu-hid-rules.patch
Patch1044: 1044-rules-update-qemu-hid-rules.patch
# PATCH-FIX-UPSTREAM 1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
Patch1045: 1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
%description %description
Systemd is a system and service manager, compatible with SysV and LSB Systemd is a system and service manager, compatible with SysV and LSB
@ -1159,6 +1176,13 @@ cp %{SOURCE7} m4/
%patch297 -p0 %patch297 -p0
%patch298 -p0 %patch298 -p0
%patch299 -p0 %patch299 -p0
%patch300 -p0
%patch301 -p0
%patch302 -p0
%patch303 -p0
%patch304 -p0
%patch305 -p0
%patch306 -p0
# udev patches # udev patches
%patch1001 -p1 %patch1001 -p1
@ -1211,6 +1235,8 @@ cp %{SOURCE7} m4/
%patch1042 -p0 %patch1042 -p0
%patch1043 -p0 %patch1043 -p0
%endif %endif
%patch1044 -p0
%patch1045 -p0
# ensure generate files are removed # ensure generate files are removed
rm -f units/emergency.service rm -f units/emergency.service
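Review bot: `Patch303:` is the only one of the seven new `Patch300`–`Patch306` entries without the `# PATCH-FIX-UPSTREAM added at 2014/07/01` line the others carry, so the file's convention of tagging every patch with its origin is broken for exactly the UID sentinel patch; add `# PATCH-FIX-UPSTREAM added at 2014/07/01` above `Patch303:`. The second spec section later on this page has the same omission. `%patch1044` and `%patch1045` are applied after the `%endif` that encloses `%patch1042` and `%patch1043`, so the new rules patches are applied unconditionally while their predecessors are conditional; whether they belong inside that conditional cannot be judged from this hunk and should be checked against what the condition guards.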


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Jul 1 12:19:27 UTC 2014 - werner@suse.de
- Add upstream patches
0001-main-uid_to_name-might-fail-due-to-OOM-protect-again.patch
0002-journald-make-MaxFileSec-really-default-to-1month.patch
0003-units-remove-RefuseManualStart-from-units-which-are-.patch
0004-util-refuse-considering-UID-0xFFFF-and-0xFFFFFFFF-va.patch
0005-nspawn-block-open_by_handle_at-and-others-via-seccom.patch
0006-tmpfiles-don-t-do-automatic-cleanup-in-XDG_RUNTIME_D.patch
0007-units-skip-mounting-tmp-if-it-is-a-symlink.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Tue Jul 1 09:58:04 UTC 2014 - werner@suse.de Tue Jul 1 09:58:04 UTC 2014 - werner@suse.de
@ -9,6 +21,8 @@ Tue Jul 1 08:56:48 UTC 2014 - werner@suse.de
- Add upstream patches - Add upstream patches
1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch
1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
1044-rules-update-qemu-hid-rules.patch
1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Jun 27 12:46:12 UTC 2014 - werner@suse.de Fri Jun 27 12:46:12 UTC 2014 - werner@suse.de


@ -604,6 +604,19 @@ Patch297: 0001-core-use-correct-format-string-for-UIDs.patch
Patch298: 0002-core-transaction-fix-cycle-break-attempts-outside-tr.patch Patch298: 0002-core-transaction-fix-cycle-break-attempts-outside-tr.patch
# PATCH-FIX-UPSTREAM added at 2014/06/26 # PATCH-FIX-UPSTREAM added at 2014/06/26
Patch299: 0003-fsck-consider-a-fsck-implementation-linked-to-bin-tr.patch Patch299: 0003-fsck-consider-a-fsck-implementation-linked-to-bin-tr.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch300: 0001-main-uid_to_name-might-fail-due-to-OOM-protect-again.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch301: 0002-journald-make-MaxFileSec-really-default-to-1month.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch302: 0003-units-remove-RefuseManualStart-from-units-which-are-.patch
Patch303: 0004-util-refuse-considering-UID-0xFFFF-and-0xFFFFFFFF-va.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch304: 0005-nspawn-block-open_by_handle_at-and-others-via-seccom.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch305: 0006-tmpfiles-don-t-do-automatic-cleanup-in-XDG_RUNTIME_D.patch
# PATCH-FIX-UPSTREAM added at 2014/07/01
Patch306: 0007-units-skip-mounting-tmp-if-it-is-a-symlink.patch
# UDEV PATCHES # UDEV PATCHES
# ============ # ============
@ -697,6 +710,10 @@ Patch1041: 1041-libudev-fix-udev_queue_get_queue_is_empty-logic.patch
Patch1042: 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch Patch1042: 1042-libudev-queue-provide-file-descriptor-to-watch-busy-.patch
# PATCH-FIX-UPSTREAM 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch # PATCH-FIX-UPSTREAM 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
Patch1043: 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch Patch1043: 1043-libudev-queue-watch-entire-directory-to-allow-the-re.patch
# PATCH-FIX-UPSTREAM 1044-rules-update-qemu-hid-rules.patch
Patch1044: 1044-rules-update-qemu-hid-rules.patch
# PATCH-FIX-UPSTREAM 1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
Patch1045: 1045-rules-don-t-enable-usb-pm-for-Avocent-devices.patch
%description %description
Systemd is a system and service manager, compatible with SysV and LSB Systemd is a system and service manager, compatible with SysV and LSB
@ -1154,6 +1171,13 @@ cp %{SOURCE7} m4/
%patch297 -p0 %patch297 -p0
%patch298 -p0 %patch298 -p0
%patch299 -p0 %patch299 -p0
%patch300 -p0
%patch301 -p0
%patch302 -p0
%patch303 -p0
%patch304 -p0
%patch305 -p0
%patch306 -p0
# udev patches # udev patches
%patch1001 -p1 %patch1001 -p1
@ -1206,6 +1230,8 @@ cp %{SOURCE7} m4/
%patch1042 -p0 %patch1042 -p0
%patch1043 -p0 %patch1043 -p0
%endif %endif
%patch1044 -p0
%patch1045 -p0
# ensure generate files are removed # ensure generate files are removed
rm -f units/emergency.service rm -f units/emergency.service