diff --git a/0001-core-close-socket-fds-asynchronously.patch b/0001-core-close-socket-fds-asynchronously.patch new file mode 100644 index 0000000..70eebd3 --- /dev/null +++ b/0001-core-close-socket-fds-asynchronously.patch @@ -0,0 +1,74 @@ +Based on 574634bcacb01efe15ca2742effd461a5b7afb5f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 13 May 2014 23:22:13 +0200 +Subject: [PATCH] core: close socket fds asynchronously + +http://lists.freedesktop.org/archives/systemd-devel/2014-April/018928.html +--- + src/core/async.c | 22 ++++++++++++++++++++++ + src/core/service.c | 5 +++-- + 2 files changed, 25 insertions(+), 2 deletions(-) + +--- src/core/service.c ++++ src/core/service.c 2014-05-16 11:41:50.150735247 +0000 +@@ -25,6 +25,7 @@ + #include + #include + ++#include "async.h" + #include "manager.h" + #include "unit.h" + #include "service.h" +@@ -240,7 +241,7 @@ static void service_close_socket_fd(Serv + if (s->socket_fd < 0) + return; + +- close_nointr_nofail(s->socket_fd); ++ asynchronous_close(s->socket_fd); + s->socket_fd = -1; + } + +@@ -2767,7 +2768,7 @@ static int service_deserialize_item(Unit + else { + + if (s->socket_fd >= 0) +- close_nointr_nofail(s->socket_fd); ++ asynchronous_close(s->socket_fd); + s->socket_fd = fdset_remove(fds, fd); + } + } else if (streq(key, "main-exec-status-pid")) { +--- src/core/async.c ++++ src/core/async.c 2014-05-07 09:40:35.000000000 +0000 +@@ -24,6 +24,7 @@ + + #include "async.h" + #include "log.h" ++#include "util.h" + + int asynchronous_job(void* (*func)(void *p), void *arg) { + pthread_attr_t a; +@@ -70,3 +71,24 @@ int asynchronous_sync(void) { + + return asynchronous_job(sync_thread, NULL); + } ++ ++static void *close_thread(void *p) { ++ close_nointr_nofail(PTR_TO_INT(p)); ++ return NULL; ++} ++ ++int asynchronous_close(int fd) { ++ int r; ++ ++ /* This is supposed to behave similar to safe_close(), but ++ * actually invoke close() asynchronously, so that it will ++ * never block. Ideally the kernel would have an API for this, ++ * but it doesn't, so we work around it, and hide this as a ++ * far away as we can. */ ++ ++ r = asynchronous_job(close_thread, INT_TO_PTR(fd)); ++ if (r < 0) ++ close_nointr_nofail(fd); ++ ++ return -1; ++} diff --git a/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch b/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch new file mode 100644 index 0000000..0438c3e --- /dev/null +++ b/0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch @@ -0,0 +1,39 @@ +From ead349509e325aad720bb0349521a9e56e2ac7c0 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 13 May 2014 16:40:53 +0200 +Subject: [PATCH] replace more dup() by F_DUPFD_CLOEXEC + +--- + src/login/inhibit.c | 2 +- + src/shared/install.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git src/login/inhibit.c src/login/inhibit.c +index 48c2ec4..ae3afdf 100644 +--- src/login/inhibit.c ++++ src/login/inhibit.c +@@ -64,7 +64,7 @@ static int inhibit(sd_bus *bus, sd_bus_error *error) { + if (r < 0) + return r; + +- r = dup(fd); ++ r = fcntl(fd, F_DUPFD_CLOEXEC, 3); + if (r < 0) + return -errno; + +diff --git src/shared/install.c src/shared/install.c +index acfba25..9ce9403 100644 +--- src/shared/install.c ++++ src/shared/install.c +@@ -332,7 +332,7 @@ static int remove_marked_symlinks( + int q, cfd; + deleted = false; + +- cfd = dup(fd); ++ cfd = fcntl(fd, F_DUPFD_CLOEXEC, 3); + if (cfd < 0) { + r = -errno; + break; +-- +1.7.9.2 + diff --git a/0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch b/0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch new file mode 100644 index 0000000..73ffb86 --- /dev/null +++ b/0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch @@ -0,0 +1,28 @@ +From 301f9684e6465df5d0590f6c571fe3229ded966d Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 15 May 2014 18:30:07 +0200 +Subject: [PATCH] logind: bring polkit policy for hibernate in line with + suspend/poweroff/reboot + +THere's no reason why hibernate should be better protected then +suspendor poweroff, so sync the policies. +--- + src/login/org.freedesktop.login1.policy.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git src/login/org.freedesktop.login1.policy.in src/login/org.freedesktop.login1.policy.in +index b96d32d..b8e90f1 100644 +--- src/login/org.freedesktop.login1.policy.in ++++ src/login/org.freedesktop.login1.policy.in +@@ -254,7 +254,7 @@ + + auth_admin_keep + auth_admin_keep +- auth_admin_keep ++ yes + + org.freedesktop.login1.hibernate + +-- +1.7.9.2 + diff --git a/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch b/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch new file mode 100644 index 0000000..06a4521 --- /dev/null +++ b/0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch @@ -0,0 +1,26 @@ +From 85c08dc013f9f99b58bc9b79284af0b35304237b Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 13 May 2014 16:35:34 +0200 +Subject: [PATCH] pam_systemd: use F_DUPFD_CLOEXEC when dupping session fds + +http://lists.freedesktop.org/archives/systemd-devel/2014-May/019034.html +--- + src/login/pam-module.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git src/login/pam-module.c src/login/pam-module.c +index 9873dd5..1259457 100644 +--- src/login/pam-module.c ++++ src/login/pam-module.c +@@ -475,7 +475,7 @@ _public_ PAM_EXTERN int pam_sm_open_session( + } + + if (session_fd >= 0) { +- session_fd = dup(session_fd); ++ session_fd = fcntl(session_fd, F_DUPFD_CLOEXEC, 3); + if (session_fd < 0) { + pam_syslog(handle, LOG_ERR, "Failed to dup session fd: %m"); + return PAM_SESSION_ERR; +-- +1.7.9.2 + diff --git a/0003-core-make-sure-to-serialize-jobs-for-all-units.patch b/0003-core-make-sure-to-serialize-jobs-for-all-units.patch new file mode 100644 index 0000000..30c4615 --- /dev/null +++ b/0003-core-make-sure-to-serialize-jobs-for-all-units.patch @@ -0,0 +1,118 @@ +From 9bdb98c59451ed090f8d35d470a54710f389ce71 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Fri, 16 May 2014 01:15:03 +0200 +Subject: [PATCH] core: make sure to serialize jobs for all units + +Previously we wouldn't serialize jobs for units that themselves have +nothing to serialize. + +http://lists.freedesktop.org/archives/systemd-devel/2014-May/019051.html +--- + src/core/manager.c | 3 --- + src/core/unit.c | 43 +++++++++++++++++++++---------------------- + 2 files changed, 21 insertions(+), 25 deletions(-) + +diff --git src/core/manager.c src/core/manager.c +index 1e3e127..d0af674 100644 +--- src/core/manager.c ++++ src/core/manager.c +@@ -2131,9 +2131,6 @@ int manager_serialize(Manager *m, FILE *f, FDSet *fds, bool switching_root) { + if (u->id != t) + continue; + +- if (!unit_can_serialize(u)) +- continue; +- + /* Start marker */ + fputs(u->id, f); + fputc('\n', f); +diff --git src/core/unit.c src/core/unit.c +index c4ed923..41651ba 100644 +--- src/core/unit.c ++++ src/core/unit.c +@@ -2288,25 +2288,25 @@ bool unit_can_serialize(Unit *u) { + } + + int unit_serialize(Unit *u, FILE *f, FDSet *fds, bool serialize_jobs) { +- ExecRuntime *rt; + int r; + + assert(u); + assert(f); + assert(fds); + +- if (!unit_can_serialize(u)) +- return 0; +- +- r = UNIT_VTABLE(u)->serialize(u, f, fds); +- if (r < 0) +- return r; ++ if (unit_can_serialize(u)) { ++ ExecRuntime *rt; + +- rt = unit_get_exec_runtime(u); +- if (rt) { +- r = exec_runtime_serialize(rt, u, f, fds); ++ r = UNIT_VTABLE(u)->serialize(u, f, fds); + if (r < 0) + return r; ++ ++ rt = unit_get_exec_runtime(u); ++ if (rt) { ++ r = exec_runtime_serialize(rt, u, f, fds); ++ if (r < 0) ++ return r; ++ } + } + + dual_timestamp_serialize(f, "inactive-exit-timestamp", &u->inactive_exit_timestamp); +@@ -2368,17 +2368,14 @@ void unit_serialize_item(Unit *u, FILE *f, const char *key, const char *value) { + } + + int unit_deserialize(Unit *u, FILE *f, FDSet *fds) { +- size_t offset; + ExecRuntime **rt = NULL; ++ size_t offset; + int r; + + assert(u); + assert(f); + assert(fds); + +- if (!unit_can_serialize(u)) +- return 0; +- + offset = UNIT_VTABLE(u)->exec_runtime_offset; + if (offset > 0) + rt = (ExecRuntime**) ((uint8_t*) u + offset); +@@ -2503,17 +2500,19 @@ int unit_deserialize(Unit *u, FILE *f, FDSet *fds) { + continue; + } + +- if (rt) { +- r = exec_runtime_deserialize_item(rt, u, l, v, fds); ++ if (unit_can_serialize(u)) { ++ if (rt) { ++ r = exec_runtime_deserialize_item(rt, u, l, v, fds); ++ if (r < 0) ++ return r; ++ if (r > 0) ++ continue; ++ } ++ ++ r = UNIT_VTABLE(u)->deserialize_item(u, l, v, fds); + if (r < 0) + return r; +- if (r > 0) +- continue; + } +- +- r = UNIT_VTABLE(u)->deserialize_item(u, l, v, fds); +- if (r < 0) +- return r; + } + } + +-- +1.7.9.2 + diff --git a/baselibs.conf b/baselibs.conf index c06fbf4..2738ae8 100644 --- a/baselibs.conf +++ b/baselibs.conf @@ -1,6 +1,10 @@ systemd supplements "packageand(systemd:pam-)" -/lib/systemd/system/ + post "%{_sbindir}/pam-config -a --systemd || :" +# postun "if [ "$1" == "0" ]; then" +# postun "%{_sbindir}/pam-config -d --systemd || :" +# postun "fi" libudev0 libgudev-1_0-0 libudev1 diff --git a/systemd-mini.changes b/systemd-mini.changes index 620b4e9..6eea7ee 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Fri May 16 12:00:12 UTC 2014 - werner@suse.de + +- Make baselibs.conf aware to use the appropiate %post and %postun + scriptlets which includes pam-config (bnc#877674) + +------------------------------------------------------------------- +Fri May 16 11:47:06 UTC 2014 - werner@suse.de + +- Add upstram patches + 0001-core-close-socket-fds-asynchronously.patch + 0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch + 0003-core-make-sure-to-serialize-jobs-for-all-units.patch + +------------------------------------------------------------------- +Wed May 14 07:37:08 UTC 2014 - werner@suse.de + +- Add upstram patches + 0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch + 0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch + to avoid that in pam session unwanted file descriptors are inherited + ------------------------------------------------------------------- Tue May 13 08:28:05 UTC 2014 - werner@suse.de diff --git a/systemd-mini.spec b/systemd-mini.spec index 954150b..af3e53e 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -429,6 +429,16 @@ Patch217: 0004-backlight-warn-if-kernel-exposes-backlight-device-wi.patch Patch218: 0005-backlight-handle-saved-brightness-exceeding-max-brig.patch # PATCH-FIX-SUSE Do not poison kmsg ring buffer with systemd/udev messages (bnc#877021) Patch219: log-target-null-instead-kmsg.patch +# PATCH-FIX-UPSTREAM added at 2014/05/14 +Patch220: 0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch +# PATCH-FIX-UPSTREAM added at 2014/05/14 +Patch221: 0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch222: 0001-core-close-socket-fds-asynchronously.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch223: 0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch224: 0003-core-make-sure-to-serialize-jobs-for-all-units.patch # UDEV PATCHES # ============ @@ -833,6 +843,11 @@ cp %{SOURCE7} m4/ %patch217 -p0 %patch218 -p0 %patch219 -p1 +%patch220 -p0 +%patch221 -p0 +%patch222 -p0 +%patch223 -p0 +%patch224 -p0 # udev patches %patch1001 -p1 diff --git a/systemd.changes b/systemd.changes index 620b4e9..6eea7ee 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,25 @@ +------------------------------------------------------------------- +Fri May 16 12:00:12 UTC 2014 - werner@suse.de + +- Make baselibs.conf aware to use the appropiate %post and %postun + scriptlets which includes pam-config (bnc#877674) + +------------------------------------------------------------------- +Fri May 16 11:47:06 UTC 2014 - werner@suse.de + +- Add upstram patches + 0001-core-close-socket-fds-asynchronously.patch + 0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch + 0003-core-make-sure-to-serialize-jobs-for-all-units.patch + +------------------------------------------------------------------- +Wed May 14 07:37:08 UTC 2014 - werner@suse.de + +- Add upstram patches + 0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch + 0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch + to avoid that in pam session unwanted file descriptors are inherited + ------------------------------------------------------------------- Tue May 13 08:28:05 UTC 2014 - werner@suse.de diff --git a/systemd.spec b/systemd.spec index dc84387..27df9a9 100644 --- a/systemd.spec +++ b/systemd.spec @@ -424,6 +424,16 @@ Patch217: 0004-backlight-warn-if-kernel-exposes-backlight-device-wi.patch Patch218: 0005-backlight-handle-saved-brightness-exceeding-max-brig.patch # PATCH-FIX-SUSE Do not poison kmsg ring buffer with systemd/udev messages (bnc#877021) Patch219: log-target-null-instead-kmsg.patch +# PATCH-FIX-UPSTREAM added at 2014/05/14 +Patch220: 0001-replace-more-dup-by-F_DUPFD_CLOEXEC.patch +# PATCH-FIX-UPSTREAM added at 2014/05/14 +Patch221: 0002-pam_systemd-use-F_DUPFD_CLOEXEC-when-dupping-session.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch222: 0001-core-close-socket-fds-asynchronously.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch223: 0002-logind-bring-polkit-policy-for-hibernate-in-line-wit.patch +# PATCH-FIX-UPSTREAM added at 2014/05/16 +Patch224: 0003-core-make-sure-to-serialize-jobs-for-all-units.patch # UDEV PATCHES # ============ @@ -828,6 +838,11 @@ cp %{SOURCE7} m4/ %patch217 -p0 %patch218 -p0 %patch219 -p1 +%patch220 -p0 +%patch221 -p0 +%patch222 -p0 +%patch223 -p0 +%patch224 -p0 # udev patches %patch1001 -p1