From 70cdebfce8c5f71f2fd2b0c4edf9145681ee6a53353f76ede8b9e71f79a57567 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Fri, 16 Sep 2016 12:27:58 +0000 Subject: [PATCH 01/10] - Add rules: block: add support for pmem devices (#3683) (bsc#988119) OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=949 --- ...ck-add-support-for-pmem-devices-3683.patch | 51 +++++++++++++++++++ systemd-mini.changes | 5 ++ systemd-mini.spec | 3 ++ systemd.changes | 5 ++ systemd.spec | 3 ++ 5 files changed, 67 insertions(+) create mode 100644 0001-rules-block-add-support-for-pmem-devices-3683.patch diff --git a/0001-rules-block-add-support-for-pmem-devices-3683.patch b/0001-rules-block-add-support-for-pmem-devices-3683.patch new file mode 100644 index 00000000..2af5f771 --- /dev/null +++ b/0001-rules-block-add-support-for-pmem-devices-3683.patch 
@@ -0,0 +1,51 @@ +From 31ae8c8741ce9595f4053234d6a6b2fb3616fedf Mon Sep 17 00:00:00 2001 +From: bgbhpe +Date: Fri, 8 Jul 2016 11:43:56 -0400 +Subject: [PATCH 1/1] rules: block: add support for pmem devices (#3683) + +Persistent memory devices can be exposed as block devices as /dev/pmemN +and /dev/pmemNs. pmemN is the raw device and is byte-addressable from +within the kernel and when mmapped by applications from a DAX-mounted +file system. pmemNs has the block translation table (BTT) layered on top, +offering atomic sector/block access. Both pmemN and pmemNs are expected +to contain file systems. + +blkid(8) and lsblk(8) seem to correctly report on pmemN and pmemNs. +systemd v219 will populate /dev/disk/by-uuid/ when, for example, mkfs is +used on pmem, but systemd v228 does not. + +Add pmem to the whitelist. +(cherry picked from commit f3bc4ccc2edf5ad2a99d6ba2795b9999fe76c3df) + +[tblume: fixes bsc#988119] +--- + rules/60-block.rules | 2 +- + rules/60-persistent-storage.rules | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/rules/60-block.rules b/rules/60-block.rules +index c74caca..42c7597 100644 +--- a/rules/60-block.rules ++++ b/rules/60-block.rules +@@ -8,4 +8,4 @@ ACTION=="add", SUBSYSTEM=="module", KERNEL=="block", ATTR{parameters/events_dfl_ + ACTION=="change", SUBSYSTEM=="scsi", ENV{DEVTYPE}=="scsi_device", TEST=="block", ATTR{block/*/uevent}="change" + + # watch metadata changes, caused by tools closing the device node which was opened for writing +-ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*", OPTIONS+="watch" ++ACTION!="remove", SUBSYSTEM=="block", KERNEL=="loop*|nvme*|sd*|vd*|xvd*|pmem*", OPTIONS+="watch" +diff --git a/rules/60-persistent-storage.rules b/rules/60-persistent-storage.rules +index ee1fb08f..ef5d205 100644 +--- a/rules/60-persistent-storage.rules ++++ b/rules/60-persistent-storage.rules +@@ -6,7 +6,7 @@ + ACTION=="remove", GOTO="persistent_storage_end" + + SUBSYSTEM!="block", 
GOTO="persistent_storage_end" +-KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*", GOTO="persistent_storage_end" ++KERNEL!="loop*|mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|nvme*|sd*|sr*|vd*|xvd*|bcache*|cciss*|dasd*|ubd*|pmem*", GOTO="persistent_storage_end" + + # ignore partitions that span the entire disk + TEST=="whole_disk", GOTO="persistent_storage_end" +-- +2.10.0 + diff --git a/systemd-mini.changes b/systemd-mini.changes index 33c5c5bc..b6ca4b73 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com + +- Add rules: block: add support for pmem devices (#3683) (bsc#988119) + ------------------------------------------------------------------- Tue Sep 6 08:14:06 UTC 2016 - tbechtold@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index fcbbf9b6..6e6d1850 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -264,6 +264,8 @@ Patch528: 0001-core-re-sync-bus-name-list-after-deserializing-durin.patch Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch # PATCH-FIX-UPSTREAM -- fixed after 320 Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch +# PATCH-FIX-UPSTREAM -- fixed after 231 +Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch # UDEV PATCHES # ============ @@ -611,6 +613,7 @@ cp %{SOURCE7} m4/ %patch528 -p1 %patch529 -p1 %patch530 -p1 +%patch531 -p1 # udev patches %patch1002 -p1 diff --git a/systemd.changes b/systemd.changes index 33c5c5bc..b6ca4b73 100644 --- a/systemd.changes +++ b/systemd.changes 
@@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com + +- Add rules: block: add support for pmem devices (#3683) (bsc#988119) + ------------------------------------------------------------------- Tue Sep 6 08:14:06 UTC 2016 - tbechtold@suse.com diff --git a/systemd.spec b/systemd.spec index a3d3d79e..80c07f49 100644 --- a/systemd.spec +++ b/systemd.spec @@ -259,6 +259,8 @@ Patch528: 0001-core-re-sync-bus-name-list-after-deserializing-durin.patch Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch # PATCH-FIX-UPSTREAM -- fixed after 320 Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch +# PATCH-FIX-UPSTREAM -- fixed after 231 +Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch # UDEV PATCHES # ============ @@ -606,6 +608,7 @@ cp %{SOURCE7} m4/ %patch528 -p1 %patch529 -p1 %patch530 -p1 +%patch531 -p1 # udev patches %patch1002 -p1 From cf6bf5c1d7a551ef4d23520968dca8dd1a0bf370ec09a3da08ed2bca0e391818 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Fri, 16 Sep 2016 12:39:58 +0000 Subject: [PATCH 02/10] - Build require python and python-lxml in order to generate systemd.directives man page (bsc#986952) OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=950 --- systemd-mini.changes | 6 ++++++ systemd-mini.spec | 12 ++++-------- systemd.changes | 6 ++++++ systemd.spec | 12 ++++-------- 4 files changed, 20 insertions(+), 16 deletions(-) diff --git a/systemd-mini.changes b/systemd-mini.changes index b6ca4b73..10908beb 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes 
@@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Sep 16 12:38:19 UTC 2016 - fbui@suse.com + +- Build require python and python-lxml in order to generate + systemd.directives man page (bsc#986952) + ------------------------------------------------------------------- Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 6e6d1850..6983a648 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -27,7 +27,6 @@ %bcond_without networkd %bcond_without sysvcompat %bcond_with resolved -%bcond_with python %bcond_with parentpathid %if 0%{?suse_version} > 1315 %bcond_without permission @@ -93,12 +92,12 @@ BuildRequires: docbook-xsl-stylesheets BuildRequires: libgcrypt-devel BuildRequires: libxslt-tools # curl and bzip2 are required for building importd +BuildRequires: libapparmor-devel BuildRequires: pkgconfig(bzip2) BuildRequires: pkgconfig(libcurl) -%if %{with python} -BuildRequires: python -%endif -BuildRequires: libapparmor-devel +# python is only required for generating systemd.directives.xml +BuildRequires: python3 +BuildRequires: python3-lxml BuildRequires: pkgconfig(libcryptsetup) >= 1.6.0 BuildRequires: pkgconfig(libmicrohttpd) BuildRequires: pkgconfig(libqrencode) @@ -686,9 +685,6 @@ export CFLAGS="%{optflags}" --disable-importd \ %else --enable-manpages \ -%if %{with python} - --with-python \ -%endif --with-nss-my-hostname-warning \ %endif --enable-selinux \ diff --git a/systemd.changes b/systemd.changes index b6ca4b73..10908beb 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Fri Sep 16 12:38:19 UTC 2016 - fbui@suse.com + +- Build require python and python-lxml in order to generate + systemd.directives man page (bsc#986952) + ------------------------------------------------------------------- Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com 
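Review bot: In the BuildRequires hunk of systemd-mini.spec, moving `BuildRequires: libapparmor-devel` up leaves it directly under the comment `# curl and bzip2 are required for building importd`, so the comment now reads as if it described apparmor. Put the moved line above that comment, or after the `pkgconfig(libcurl)` line. The changelog entry says "python and python-lxml" while the spec now requires `python3` and `python3-lxml` unconditionally, so the entry should name the packages actually pulled into the build root. Both points also apply to the matching hunk in systemd.spec.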
diff --git a/systemd.spec b/systemd.spec index 80c07f49..a828396c 100644 --- a/systemd.spec +++ b/systemd.spec @@ -25,7 +25,6 @@ %bcond_without networkd %bcond_without sysvcompat %bcond_with resolved -%bcond_with python %bcond_with parentpathid %if 0%{?suse_version} > 1315 %bcond_without permission @@ -88,12 +87,12 @@ BuildRequires: docbook-xsl-stylesheets BuildRequires: libgcrypt-devel BuildRequires: libxslt-tools # curl and bzip2 are required for building importd +BuildRequires: libapparmor-devel BuildRequires: pkgconfig(bzip2) BuildRequires: pkgconfig(libcurl) -%if %{with python} -BuildRequires: python -%endif -BuildRequires: libapparmor-devel +# python is only required for generating systemd.directives.xml +BuildRequires: python3 +BuildRequires: python3-lxml BuildRequires: pkgconfig(libcryptsetup) >= 1.6.0 BuildRequires: pkgconfig(libmicrohttpd) BuildRequires: pkgconfig(libqrencode) @@ -681,9 +680,6 @@ export CFLAGS="%{optflags}" --disable-importd \ %else --enable-manpages \ -%if %{with python} - --with-python \ -%endif --with-nss-my-hostname-warning \ %endif --enable-selinux \ From 81b3fbf7c4752754be2cbe19759cefc14092776d73cecbfa9d9ecb1943238fa7 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Wed, 21 Sep 2016 11:56:10 +0000 Subject: [PATCH 03/10] - udev: don't require nsserv and fillup (bsc#999841) udev has no LSB init scripts nor fillup templates anymore. OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=951 --- systemd-mini.changes | 7 +++++++ systemd-mini.spec | 4 +--- systemd.changes | 7 +++++++ systemd.spec | 4 +--- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/systemd-mini.changes b/systemd-mini.changes index 10908beb..28cb6907 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes 
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com + +- udev: don't require nsserv and fillup (bsc#999841) + + udev has no LSB init scripts nor fillup templates anymore. + ------------------------------------------------------------------- Fri Sep 16 12:38:19 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 6983a648..5bdfaeaa 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -395,8 +395,6 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm -PreReq: %insserv_prereq -PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq @@ -1081,7 +1079,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} -%insserv_cleanup + systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then diff --git a/systemd.changes b/systemd.changes index 10908beb..28cb6907 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com + +- udev: don't require nsserv and fillup (bsc#999841) + + udev has no LSB init scripts nor fillup templates anymore. + ------------------------------------------------------------------- Fri Sep 16 12:38:19 UTC 2016 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index a828396c..de89a5ff 100644 --- a/systemd.spec +++ b/systemd.spec @@ -390,8 +390,6 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm -PreReq: %insserv_prereq -PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq 
@@ -1076,7 +1074,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} -%insserv_cleanup + systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then From 35fc3cae4d05203936338d2b4cb680256f38a01402c4ef37ee723cda09895532 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Mon, 26 Sep 2016 09:11:19 +0000 Subject: [PATCH 04/10] - Added patches to fix journal with FSS protection enabled (bsc#1000435) 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=952 --- ...-calculation-when-appending-a-data-o.patch | 54 +++++++++++ ...E_ARCHIVED-as-part-of-offlining-2740.patch | 93 +++++++++++++++++++ ...n-we-fail-to-append-a-tag-to-a-journ.patch | 36 +++++++ systemd-mini.changes | 9 ++ systemd-mini.spec | 6 ++ systemd.changes | 9 ++ systemd.spec | 6 ++ 7 files changed, 213 insertions(+) create mode 100644 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch create mode 100644 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch create mode 100644 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch diff --git a/0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch b/0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch new file mode 100644 index 00000000..99e9c6cb --- /dev/null +++ b/0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch 
@@ -0,0 +1,54 @@ +From 6dac79e09ec1b45f05b3e9a5f1f445859b6eefd2 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 23 Sep 2016 13:33:01 +0200 +Subject: [PATCH 1/1] journal: fix HMAC calculation when appending a data + object + +Since commit 5996c7c295e073ce21d41305169132c8aa993ad0 (v190 !), the +calculation of the HMAC is broken because the hash for a data object +including a field is done in the wrong order: the field object is +hashed before the data object is. + +However during verification, the hash is done in the opposite order as +objects are scanned sequentially. + +(cherry picked from commit 33685a5a3a98c6ded64d0cc25e37d0180ceb0a6a) + +[fbui: fixes bsc#1000435] +--- + src/journal/journal-file.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c +index a9882cf..a24d97d 100644 +--- a/src/journal/journal-file.c ++++ b/src/journal/journal-file.c +@@ -1111,6 +1111,12 @@ static int journal_file_append_data( + if (r < 0) + return r; + ++#ifdef HAVE_GCRYPT ++ r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p); ++ if (r < 0) ++ return r; ++#endif ++ + /* The linking might have altered the window, so let's + * refresh our pointer */ + r = journal_file_move_to_object(f, OBJECT_DATA, p, &o); +@@ -1135,12 +1141,6 @@ static int journal_file_append_data( + fo->field.head_data_offset = le64toh(p); + } + +-#ifdef HAVE_GCRYPT +- r = journal_file_hmac_put_object(f, OBJECT_DATA, o, p); +- if (r < 0) +- return r; +-#endif +- + if (ret) + *ret = o; + +-- +2.10.0 + diff --git a/0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch b/0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch new file mode 100644 index 00000000..93e158b2 --- /dev/null +++ b/0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch 
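Review bot: In the first hunk of the embedded journal-file.c patch, the relocated `journal_file_hmac_put_object(f, OBJECT_DATA, o, p)` call now sits above the existing comment "The linking might have altered the window, so let's refresh our pointer", so it receives `o` at the point where that comment says the pointer may no longer be valid. Unless the helper re-maps the object itself, it would be safer to place the `#ifdef HAVE_GCRYPT` block directly after the `journal_file_move_to_object()` refresh and its error check. As far as the two hunks show, that position still comes before the field handling. A short comment on the block, saying that the data object must be hashed before the field object because verification scans objects sequentially, would keep the ordering from being undone later. The body of journal_file_append_data() starts and ends outside both hunks.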
@@ -0,0 +1,93 @@ +From 0d0bad044f8f19c472acb69d10861a66d3d267b6 Mon Sep 17 00:00:00 2001 +From: Vito Caputo +Date: Tue, 26 Apr 2016 23:29:43 -0700 +Subject: [PATCH 1/1] journal: set STATE_ARCHIVED as part of offlining (#2740) + +The only code path which makes a journal durable is via +journal_file_set_offline(). + +When we perform a rotate the journal's header->state is being set to +STATE_ARCHIVED prior to journal_file_set_offline() being called. + +In journal_file_set_offline(), we short-circuit the entire offline when +f->header->state != STATE_ONLINE. + +This all results in none of the journal_file_set_offline() fsync() calls +being reached when rotate archives a journal, so archived journals are +never explicitly made durable. + +What we do now is instead of setting the f->header->state to +STATE_ARCHIVED directly in journal_file_rotate() prior to +journal_file_close(), we set an archive flag in f->archive for the +journal_file_set_offline() machinery to honor by committing +STATE_ARCHIVED instead of STATE_OFFLINE when set. + +Prior to this, rotated journals were never getting fsync() explicitly +performed on them, since journal_file_set_offline() short-circuited. +Obviously this is undesirable, and depends entirely on the underlying +filesystem as to how much durability was achieved when simply closing +the file. + +Note that this problem existed prior to the recent asynchronous fsync +changes, but those changes do facilitate our performing this durable +offline on rotate without blocking, regardless of the underlying +filesystem sync-on-close semantics. + +(cherry picked from commit 8eb851711fd166024297c425e9261200c36f489d) + +[fbui: context adjustment: the asynchronous journal_file_set_offline() + thingie doesn't exist in v228] + +[fbui: this also fixes the case when we wanted to append a tag (for + FSS verification) when closing the journal. 
Before this patch, + journal_file_append_tag() failed (silently) because re-opening + the journal to write the tag was not possible since it was + already in "archived" mode.] +--- + src/journal/journal-file.c | 10 ++++++++-- + src/journal/journal-file.h | 1 + + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c +index f9ff954..e7eecad 100644 +--- a/src/journal/journal-file.c ++++ b/src/journal/journal-file.c +@@ -130,7 +130,7 @@ int journal_file_set_offline(JournalFile *f) { + if (mmap_cache_got_sigbus(f->mmap, f->fd)) + return -EIO; + +- f->header->state = STATE_OFFLINE; ++ f->header->state = f->archive ? STATE_ARCHIVED : STATE_OFFLINE; + + if (mmap_cache_got_sigbus(f->mmap, f->fd)) + return -EIO; +@@ -2813,7 +2813,13 @@ int journal_file_rotate(JournalFile **f, bool compress, bool seal) { + if (r < 0 && errno != ENOENT) + return -errno; + +- old_file->header->state = STATE_ARCHIVED; ++ /* Set as archive so offlining commits w/state=STATE_ARCHIVED. ++ * Previously we would set old_file->header->state to STATE_ARCHIVED directly here, ++ * but journal_file_set_offline() short-circuits when state != STATE_ONLINE, which ++ * would result in the rotated journal never getting fsync() called before closing. ++ * Now we simply queue the archive state by setting an archive bit, leaving the state ++ * as STATE_ONLINE so proper offlining occurs. */ ++ old_file->archive = true; + + /* Currently, btrfs is not very good with out write patterns + * and fragments heavily. Let's defrag our journal files when +diff --git a/src/journal/journal-file.h b/src/journal/journal-file.h +index 898d12d..436e5ff 100644 +--- a/src/journal/journal-file.h ++++ b/src/journal/journal-file.h +@@ -76,6 +76,7 @@ typedef struct JournalFile { + bool compress_lz4:1; + bool seal:1; + bool defrag_on_close:1; ++ bool archive:1; + + bool tail_entry_monotonic_valid:1; + +-- +2.10.0 + 
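Review bot: With `old_file->archive = true` in journal_file_rotate(), the archived state is only written if journal_file_set_offline() reaches the assignment, and the first hunk shows an `-EIO` return on `mmap_cache_got_sigbus()` just before it. In that case the rotated file would keep its previous header state and nothing visible here reports it, whereas the earlier code set `STATE_ARCHIVED` unconditionally. Consider logging when offlining a file with `f->archive` set fails, so that a rotated journal that was never marked archived or synced can be noticed. The new `bool archive:1;` field would also benefit from a one-line comment such as `/* commit STATE_ARCHIVED instead of STATE_OFFLINE when offlining */`. Both functions continue outside the hunks.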
diff --git a/0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch b/0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch new file mode 100644 index 00000000..c4dd9e96 --- /dev/null +++ b/0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch @@ -0,0 +1,36 @@ +From 9f47fe6b6a9aad001e99f1fdea78a0c54ce8ae55 Mon Sep 17 00:00:00 2001 +From: Franck Bui +Date: Fri, 23 Sep 2016 12:12:13 +0200 +Subject: [PATCH 1/1] journal: warn when we fail to append a tag to a journal + +We shouldn't silently fail when appending the tag to a journal file +since FSS protection will simply be disabled in this case. + +(cherry picked from commit 43cd8794839548a6f332875e8bee8bed2652bf2c) +--- + src/journal/journal-file.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/src/journal/journal-file.c b/src/journal/journal-file.c +index e7eecad..a9882cf 100644 +--- a/src/journal/journal-file.c ++++ b/src/journal/journal-file.c +@@ -145,8 +145,13 @@ JournalFile* journal_file_close(JournalFile *f) { + + #ifdef HAVE_GCRYPT + /* Write the final tag */ +- if (f->seal && f->writable) +- journal_file_append_tag(f); ++ if (f->seal && f->writable) { ++ int r; ++ ++ r = journal_file_append_tag(f); ++ if (r < 0) ++ log_error_errno(r, "Failed to append tag when closing journal: %m"); ++ } + #endif + + journal_file_set_offline(f); +-- +2.10.0 + diff --git a/systemd-mini.changes b/systemd-mini.changes index 28cb6907..28301f52 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes 
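Review bot: The new `log_error_errno(r, "Failed to append tag when closing journal: %m")` in journal_file_close() does not say which journal file lost its final tag, which is what someone checking sealed journals needs to know. If the JournalFile struct carries the file name (the field is not visible in this hunk), include it, e.g. `log_error_errno(r, "Failed to append tag when closing journal %s: %m", f->path);`. The `journal_file_set_offline(f);` call on the following context line still discards its return value, so a failed offline remains silent. The function body continues outside the hunk.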
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com + +- Added patches to fix journal with FSS protection enabled (bsc#1000435) + + 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch + 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch + 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch + ------------------------------------------------------------------- Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 5bdfaeaa..019a7ca2 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -265,6 +265,9 @@ Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch # PATCH-FIX-UPSTREAM -- fixed after 231 Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch +Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch +Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch +Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch # UDEV PATCHES # ============ @@ -611,6 +614,9 @@ cp %{SOURCE7} m4/ %patch529 -p1 %patch530 -p1 %patch531 -p1 +%patch532 -p1 +%patch533 -p1 +%patch534 -p1 # udev patches %patch1002 -p1 diff --git a/systemd.changes b/systemd.changes index 28cb6907..28301f52 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com + +- Added patches to fix journal with FSS protection enabled (bsc#1000435) + + 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch + 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch + 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch + ------------------------------------------------------------------- Wed Sep 21 11:54:39 UTC 2016 - fbui@suse.com 
diff --git a/systemd.spec b/systemd.spec index de89a5ff..7a6e61dc 100644 --- a/systemd.spec +++ b/systemd.spec @@ -260,6 +260,9 @@ Patch529: 0001-systemctl-pid1-do-not-warn-about-missing-install-inf.patch Patch530: systemd-230-cgroup2-use-new-fstype-for-unified-hierarchy.patch # PATCH-FIX-UPSTREAM -- fixed after 231 Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch +Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch +Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch +Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch # UDEV PATCHES # ============ @@ -606,6 +609,9 @@ cp %{SOURCE7} m4/ %patch529 -p1 %patch530 -p1 %patch531 -p1 +%patch532 -p1 +%patch533 -p1 +%patch534 -p1 # udev patches %patch1002 -p1 From b56d5010a66c83dfe8d673eabc0baac3eed46cc22a749344dc5c4020270627f9 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Mon, 26 Sep 2016 09:55:28 +0000 Subject: [PATCH 05/10] Mention 0001-rules-block-add-support-for-pmem-devices-3683.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=953 --- systemd-mini.changes | 2 ++ systemd.changes | 2 ++ 2 files changed, 4 insertions(+) diff --git a/systemd-mini.changes b/systemd-mini.changes index 28301f52..b948b00c 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -25,6 +25,8 @@ Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com - Add rules: block: add support for pmem devices (#3683) (bsc#988119) + 0001-rules-block-add-support-for-pmem-devices-3683.patch + ------------------------------------------------------------------- Tue Sep 6 08:14:06 UTC 2016 - tbechtold@suse.com diff --git a/systemd.changes b/systemd.changes index 28301f52..b948b00c 100644 --- a/systemd.changes +++ b/systemd.changes 
@@ -25,6 +25,8 @@ Fri Sep 16 12:27:02 UTC 2016 - fbui@suse.com - Add rules: block: add support for pmem devices (#3683) (bsc#988119) + 0001-rules-block-add-support-for-pmem-devices-3683.patch + ------------------------------------------------------------------- Tue Sep 6 08:14:06 UTC 2016 - tbechtold@suse.com From 4f8c3e2552edc1e0f23f7d30ded876f21ccd223c503c9a165933435f22ad4d52 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Tue, 27 Sep 2016 09:44:14 +0000 Subject: [PATCH 06/10] - systemd-sysv-convert: make sure that/var/lib/systemd/sysv-convert/database is always initialized (bsc#982211) If "--save" command was used and the sysv init script wasn't enabled at all, the database file wasn't created at all. This makes the subsequent call to "--apply" fail even though it's a valid scenario. OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=954 --- systemd-mini.changes | 11 +++++++++++ systemd-sysv-convert | 12 +++++------- systemd.changes | 11 +++++++++++ 3 files changed, 27 insertions(+), 7 deletions(-) diff --git a/systemd-mini.changes b/systemd-mini.changes index b948b00c..1f4f2d70 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Sep 26 14:23:14 UTC 2016 - fbui@suse.com + +- systemd-sysv-convert: make sure that + /var/lib/systemd/sysv-convert/database is always initialized (bsc#982211) + + If "--save" command was used and the sysv init script wasn't enabled + at all the database file wasn't created at all. This makes the + subsequent call to "--apply" fail even though this should not + considered as an error. + ------------------------------------------------------------------- Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com diff --git a/systemd-sysv-convert b/systemd-sysv-convert index 8ba3f211..4d98e4f6 100644 --- a/systemd-sysv-convert +++ b/systemd-sysv-convert 
@@ -118,9 +118,9 @@ case "$1" in find_service $service $runlevel priority=$? if [ $priority -lt 255 ]; then - echo "$service $runlevel $priority" >> /var/lib/systemd/sysv-convert/database + echo "$service $runlevel $priority" fi - done + done >>/var/lib/systemd/sysv-convert/database done ;; --show) @@ -158,11 +158,9 @@ case "$1" in [ -f "/lib/systemd/system/$service.service" ] && service_file="/lib/systemd/system/$service.service" [ -f "/usr/lib/systemd/system/$service.service" ] && service_file="/usr/lib/systemd/system/$service.service" - if [ -z "${results_runlevel[$service]}" ]; then - echo No information found about service $service found. >/dev/stderr - fail=1 - continue - fi + # If $service is not present in the database, + # then it simply means that the sysv init + # service was not enabled at all. for runlevel in ${results_runlevel[$service]}; do echo ln -sf $service_file /etc/systemd/system/runlevel$runlevel.target.wants/$service.service >/dev/stderr mkdir -p "/etc/systemd/system/runlevel$runlevel.target.wants" diff --git a/systemd.changes b/systemd.changes index b948b00c..1f4f2d70 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Sep 26 14:23:14 UTC 2016 - fbui@suse.com + +- systemd-sysv-convert: make sure that + /var/lib/systemd/sysv-convert/database is always initialized (bsc#982211) + + If "--save" command was used and the sysv init script wasn't enabled + at all the database file wasn't created at all. This makes the + subsequent call to "--apply" fail even though this should not + considered as an error. + ------------------------------------------------------------------- Mon Sep 26 09:09:27 UTC 2016 - fbui@suse.com From 69195f70d5c0e24350a429fe9ad26566cfea40268d4462d2e4f4c06a81e68e0c Mon Sep 17 00:00:00 2001 
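Review bot: Attaching `>>/var/lib/systemd/sysv-convert/database` to the inner `done` creates the file only when the enclosing loop runs at least once, and it reopens the file on every iteration of that outer loop. If the goal is that the database exists after any `--save`, putting the redirection on the outer `done` would cover the no-argument case and open the file once. Both loop headers are outside the hunk, so this is inferred from the two `done` lines. The redirection also assumes that /var/lib/systemd/sysv-convert already exists.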
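Review bot: Dropping the `results_runlevel[$service]` check in the `--apply` branch means a service name that was never saved, or is misspelled, is now handled exactly like a service that was saved as disabled: the `for runlevel` loop runs zero times and nothing is printed. Consider keeping an informational line without setting `fail`, for example `echo "No runlevel entry for $service, assuming it was not enabled" >/dev/stderr`. The new comment could also say that the loop below is intentionally skipped in that case. The surrounding loop starts and ends outside the hunk.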
From: Franck Bui Date: Thu, 29 Sep 2016 06:27:17 +0000 Subject: [PATCH 07/10] - Revert "udev: don't require nsserv and fillup" It's been judged too late for being part of SLE12 final release. Nevertheless it's part of Factory and will be reintroduced after the final release is out (ie through an update). OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=955 --- systemd-mini.changes | 9 +++++++++ systemd-mini.spec | 4 +++- systemd.changes | 9 +++++++++ systemd.spec | 4 +++- 4 files changed, 24 insertions(+), 2 deletions(-) diff --git a/systemd-mini.changes b/systemd-mini.changes index 1f4f2d70..2a62e823 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Sep 29 06:24:01 UTC 2016 - fbui@suse.com + +- Revert "udev: don't require nsserv and fillup" + + It's been judged too late for being part of SLE12 final release. + Nevertheless it's part of Factory and will be reintroduced after the + final release is out (ie through an update). + ------------------------------------------------------------------- Mon Sep 26 14:23:14 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 019a7ca2..49d4183e 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -398,6 +398,8 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm +PreReq: %insserv_prereq +PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq @@ -1085,7 +1087,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} - +%insserv_cleanup systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then diff --git a/systemd.changes b/systemd.changes index 1f4f2d70..2a62e823 100644 --- a/systemd.changes +++ b/systemd.changes 
@@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Thu Sep 29 06:24:01 UTC 2016 - fbui@suse.com + +- Revert "udev: don't require nsserv and fillup" + + It's been judged too late for being part of SLE12 final release. + Nevertheless it's part of Factory and will be reintroduced after the + final release is out (ie through an update). + ------------------------------------------------------------------- Mon Sep 26 14:23:14 UTC 2016 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index 7a6e61dc..e0408923 100644 --- a/systemd.spec +++ b/systemd.spec @@ -393,6 +393,8 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm +PreReq: %insserv_prereq +PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq @@ -1080,7 +1082,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} - +%insserv_cleanup systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then From 04bd746a0e1b5b5309c6a02aad4ae112c0115826377b0bfd15a093c1f5373710 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Thu, 29 Sep 2016 13:04:00 +0000 Subject: [PATCH 08/10] - Added 2 patches to fix bsc#1001765 0001-If-the-notification-message-length-is-0-ignore-the-m.patch 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=956 --- ...ion-message-length-is-0-ignore-the-m.patch | 31 ++++++++++++ ...n-any-error-in-manager_dispatch_noti.patch | 49 +++++++++++++++++++ systemd-mini.changes | 8 +++ systemd-mini.spec | 4 ++ systemd.changes | 8 +++ systemd.spec | 4 ++ 6 files changed, 104 insertions(+) create mode 100644 0001-If-the-notification-message-length-is-0-ignore-the-m.patch create mode 100644 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch 
diff --git a/0001-If-the-notification-message-length-is-0-ignore-the-m.patch b/0001-If-the-notification-message-length-is-0-ignore-the-m.patch new file mode 100644 index 00000000..b93ae667 --- /dev/null +++ b/0001-If-the-notification-message-length-is-0-ignore-the-m.patch @@ -0,0 +1,31 @@ +From 531ac2b2349da02acc9c382849758e07eb92b020 Mon Sep 17 00:00:00 2001 +From: Jorge Niedbalski +Date: Wed, 28 Sep 2016 18:25:50 -0300 +Subject: [PATCH 1/1] If the notification message length is 0, ignore the + message (#4237) + +Fixes #4234. + +Signed-off-by: Jorge Niedbalski +--- + src/core/manager.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/core/manager.c b/src/core/manager.c +index fa8deb9..43e231c 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -1721,6 +1721,10 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t + + return -errno; + } ++ if (n == 0) { ++ log_debug("Got zero-length notification message. Ignoring."); ++ return 0; ++ } + + CMSG_FOREACH(cmsg, &msghdr) { + if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) { +-- +2.10.0 + diff --git a/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch b/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch new file mode 100644 index 00000000..6b2cd3fd --- /dev/null +++ b/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch 
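Review bot: The added `if (n == 0) { ... return 0; }` in manager_dispatch_notify_fd() returns before the `CMSG_FOREACH` loop that follows it, so file descriptors attached as `SCM_RIGHTS` to an empty datagram are never looked at. As far as the hunk shows, they would stay open in PID 1, because they can only be closed once that loop has collected them. Handle the zero-length case after the control messages have been walked, and close whatever was received before returning. The function continues outside the hunk, so the variables holding the descriptors are not visible here.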
@@ -0,0 +1,49 @@
+From: Franck Bui
+Date: Thu, 29 Sep 2016 11:59:49 +0200
+Subject: [PATCH 1/1] pid1: don't return any error in
+ manager_dispatch_notify_fd()
+
+If manager_dispatch_notify_fd() fails and returns an error then the handling of
+service notifications will be disabled entirely leading to a compromised system.
+
+For example pid1 won't be able to receive the WATCHDOG messages anymore and
+will kill all services supposed to send such messages.
+---
+ src/core/manager.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 43e231c..5704005 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1716,10 +1716,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+
+ n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
+ if (n < 0) {
+- if (errno == EAGAIN || errno == EINTR)
+- return 0;
++ if (!IN_SET(errno, EAGAIN, EINTR))
++ log_error("Failed to receive notification message: %m");
+
+- return -errno;
++ /* It's not an option to return an error here since it
++ * would disable the notification handler entirely. Services
++ * wouldn't be able to send the WATCHDOG message for
++ * example... */
++ return 0;
+ }
+ if (n == 0) {
+ log_debug("Got zero-length notification message. Ignoring.");
+@@ -1746,7 +1750,8 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+ r = fdset_new_array(&fds, fd_array, n_fds);
+ if (r < 0) {
+ close_many(fd_array, n_fds);
+- return log_oom();
++ log_oom();
++ return 0;
+ }
+ }
+
+--
+2.10.0
+
diff --git a/systemd-mini.changes b/systemd-mini.changes
index 2a62e823..5f15875b 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
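Review bot: Returning 0 for every recvmsg() failure keeps the notification handler registered, but for an errno other than EAGAIN or EINTR nothing in this branch clears the condition. If the socket stays in that state, the callback may be dispatched again immediately and emit `log_error("Failed to receive notification message: %m")` on each pass. That would turn a persistent socket error into a busy loop and a log flood in pid1, though whether it can happen depends on event-loop code outside the embedded hunk. Consider rate-limiting the message, or extending the new comment to record the assumption, for example `/* errors other than EAGAIN/EINTR are assumed transient; revisit if this can spin */`. The second embedded hunk applies the same swallow-and-continue pattern to the `fdset_new_array()` failure, where the message is dropped after `close_many()`.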
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Sep 29 12:51:38 UTC 2016 - fbui@suse.com + +- Added 2 patches to fix bsc#1001765 + + 0001-If-the-notification-message-length-is-0-ignore-the-m.patch + 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch + ------------------------------------------------------------------- Thu Sep 29 06:24:01 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 49d4183e..b705a49d 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec @@ -268,6 +268,8 @@ Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch +Patch535: 0001-If-the-notification-message-length-is-0-ignore-the-m.patch +Patch536: 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch # UDEV PATCHES # ============ @@ -619,6 +621,8 @@ cp %{SOURCE7} m4/ %patch532 -p1 %patch533 -p1 %patch534 -p1 +%patch535 -p1 +%patch536 -p1 # udev patches %patch1002 -p1 diff --git a/systemd.changes b/systemd.changes index 2a62e823..5f15875b 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Sep 29 12:51:38 UTC 2016 - fbui@suse.com + +- Added 2 patches to fix bsc#1001765 + + 0001-If-the-notification-message-length-is-0-ignore-the-m.patch + 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch + ------------------------------------------------------------------- Thu Sep 29 06:24:01 UTC 2016 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index e0408923..a4de68d3 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -263,6 +263,8 @@ Patch531: 0001-rules-block-add-support-for-pmem-devices-3683.patch Patch532: 0001-journal-set-STATE_ARCHIVED-as-part-of-offlining-2740.patch Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch +Patch535: 0001-If-the-notification-message-length-is-0-ignore-the-m.patch +Patch536: 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch # UDEV PATCHES # ============ @@ -614,6 +616,8 @@ cp %{SOURCE7} m4/ %patch532 -p1 %patch533 -p1 %patch534 -p1 +%patch535 -p1 +%patch536 -p1 # udev patches %patch1002 -p1 From f782e8dfea64598a84776a3fc540a8c3ccc21b2087d1e482a7b4185b2737cd63 Mon Sep 17 00:00:00 2001 From: Franck Bui Date: Thu, 29 Sep 2016 13:08:51 +0000 Subject: [PATCH 09/10] - Re add back "udev: don't require nsserv and fillup" Did this in the wrong project... it was a complicated day today ;) OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=957 --- systemd-mini.changes | 7 +++++++ systemd-mini.spec | 4 +--- systemd.changes | 7 +++++++ systemd.spec | 4 +--- 4 files changed, 16 insertions(+), 6 deletions(-) diff --git a/systemd-mini.changes b/systemd-mini.changes index 5f15875b..902903ae 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 29 13:05:44 UTC 2016 - fbui@suse.com + +- Re add back "udev: don't require nsserv and fillup" + + Did this in the wrong project... it was a complicated day today ;) + ------------------------------------------------------------------- Thu Sep 29 12:51:38 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index b705a49d..4d8bc8c9 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec 
@@ -400,8 +400,6 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm -PreReq: %insserv_prereq -PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq @@ -1091,7 +1089,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} -%insserv_cleanup + systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then diff --git a/systemd.changes b/systemd.changes index 5f15875b..902903ae 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Sep 29 13:05:44 UTC 2016 - fbui@suse.com + +- Re add back "udev: don't require nsserv and fillup" + + Did this in the wrong project... it was a complicated day today ;) + ------------------------------------------------------------------- Thu Sep 29 12:51:38 UTC 2016 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index a4de68d3..45de4744 100644 --- a/systemd.spec +++ b/systemd.spec @@ -395,8 +395,6 @@ License: GPL-2.0 Group: System/Kernel Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html PreReq: /bin/rm -PreReq: %insserv_prereq -PreReq: %fillup_prereq # Avoid bootstrap cycle with sg3_utils %if "%{?mini}" == "" PreReq: /usr/bin/sg_inq @@ -1086,7 +1084,7 @@ if [ "${YAST_IS_RUNNING}" != "instsys" ]; then fi %postun -n udev%{?mini} -%insserv_cleanup + systemctl daemon-reload || : if [ "${YAST_IS_RUNNING}" != "instsys" ]; then From c385bc66e200944e2d060f3b8aa2b8568bdf0aa7a2cc2f97e6af69afed0d1feb Mon Sep 17 00:00:00 2001 
From: Franck Bui Date: Fri, 30 Sep 2016 06:17:15 +0000 Subject: [PATCH 10/10] - Import a better fix from upstream for bsc#1001765 - Added: 0001-pid1-more-informative-error-message-for-ignored-noti.patch 0001-pid1-process-zero-length-notification-messages-again.patch - Updated (no code changes, only patch metadata) 0001-If-the-notification-message-length-is-0-ignore-the-m.patch 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=958 --- ...ion-message-length-is-0-ignore-the-m.patch | 7 +- ...n-any-error-in-manager_dispatch_noti.patch | 12 +-- ...ative-error-message-for-ignored-noti.patch | 38 +++++++++ ...o-length-notification-messages-again.patch | 82 +++++++++++++++++++ systemd-mini.changes | 15 ++++ systemd-mini.spec | 4 + systemd.changes | 15 ++++ systemd.spec | 4 + 8 files changed, 169 insertions(+), 8 deletions(-) create mode 100644 0001-pid1-more-informative-error-message-for-ignored-noti.patch create mode 100644 0001-pid1-process-zero-length-notification-messages-again.patch diff --git a/0001-If-the-notification-message-length-is-0-ignore-the-m.patch b/0001-If-the-notification-message-length-is-0-ignore-the-m.patch index b93ae667..688f4785 100644 --- a/0001-If-the-notification-message-length-is-0-ignore-the-m.patch +++ b/0001-If-the-notification-message-length-is-0-ignore-the-m.patch @@ -1,4 +1,4 @@ -From 531ac2b2349da02acc9c382849758e07eb92b020 Mon Sep 17 00:00:00 2001 +From ddcd0b726adfd78260ec3d6a446800d85980069e Mon Sep 17 00:00:00 2001 From: Jorge Niedbalski Date: Wed, 28 Sep 2016 18:25:50 -0300 Subject: [PATCH 1/1] If the notification message length is 0, ignore the @@ -7,15 +7,16 @@ Subject: [PATCH 1/1] If the notification message length is 0, ignore the Fixes #4234. Signed-off-by: Jorge Niedbalski +(cherry picked from commit 531ac2b2349da02acc9c382849758e07eb92b020) --- src/core/manager.c | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/src/core/manager.c b/src/core/manager.c -index fa8deb9..43e231c 100644 +index 229cb31..56ca9cf 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -1721,6 +1721,10 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t +@@ -1565,6 +1565,10 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t return -errno; } diff --git a/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch b/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch index 6b2cd3fd..73ebf147 100644 --- a/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch +++ b/0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch @@ -1,22 +1,24 @@ +From c47885438517ac77ee34a30ee3d09e5deb9968f6 Mon Sep 17 00:00:00 2001 From: Franck Bui -Date: Thu, 29 Sep 2016 11:59:49 +0200 +Date: Thu, 29 Sep 2016 19:44:34 +0200 Subject: [PATCH 1/1] pid1: don't return any error in - manager_dispatch_notify_fd() + manager_dispatch_notify_fd() (#4240) If manager_dispatch_notify_fd() fails and returns an error then the handling of service notifications will be disabled entirely leading to a compromised system. For example pid1 won't be able to receive the WATCHDOG messages anymore and will kill all services supposed to send such messages. +(cherry picked from commit 9987750e7a4c62e0eb8473603150596ba7c3a015) --- src/core/manager.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/core/manager.c b/src/core/manager.c -index 43e231c..5704005 100644 +index 56ca9cf..06d78e4 100644 --- a/src/core/manager.c +++ b/src/core/manager.c -@@ -1716,10 +1716,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t +@@ -1560,10 +1560,14 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t n = recvmsg(m->notify_fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC); if (n < 0) { 
@@ -34,7 +36,7 @@ index 43e231c..5704005 100644 } if (n == 0) { log_debug("Got zero-length notification message. Ignoring."); -@@ -1746,7 +1750,8 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t +@@ -1590,7 +1594,8 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r = fdset_new_array(&fds, fd_array, n_fds); if (r < 0) { close_many(fd_array, n_fds); diff --git a/0001-pid1-more-informative-error-message-for-ignored-noti.patch b/0001-pid1-more-informative-error-message-for-ignored-noti.patch new file mode 100644 index 00000000..6773ccd3 --- /dev/null +++ b/0001-pid1-more-informative-error-message-for-ignored-noti.patch 
@@ -0,0 +1,38 @@
+From eb54b43fe31392c9f77505d8f9cd86d1f050b49d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 29 Sep 2016 16:07:41 +0200
+Subject: [PATCH 1/1] pid1: more informative error message for ignored
+ notifications
+
+It's probably easier to diagnose a bad notification message if the
+contents are printed. But still, do anything only if debugging is on.
+
+(cherry picked from commit a86b76753d7868c2d05f046f601bc7dc89fc2203)
+---
+ src/core/manager.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 58d346e..0d0158a 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1516,8 +1516,14 @@ static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const
+
+ if (UNIT_VTABLE(u)->notify_message)
+ UNIT_VTABLE(u)->notify_message(u, pid, tags, fds);
+- else
+- log_unit_debug(u, "Got notification message for unit. Ignoring.");
++ else if (_unlikely_(log_get_max_level() >= LOG_DEBUG)) {
++ _cleanup_free_ char *x = NULL, *y = NULL;
++
++ x = cescape(buf);
++ if (x)
++ y = ellipsize(x, 20, 90);
++ log_unit_debug(u, "Got notification message \"%s\", ignoring.", strnull(y));
++ }
+ }
+
+ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
+--
+2.10.0
+
diff --git a/0001-pid1-process-zero-length-notification-messages-again.patch b/0001-pid1-process-zero-length-notification-messages-again.patch
new file mode 100644
index 00000000..72e6905f
--- /dev/null
+++ b/0001-pid1-process-zero-length-notification-messages-again.patch
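Review bot: The new debug branch in manager_invoke_notify_message() writes the sender-supplied `buf` to the log, and nothing in the code says that `cescape()` and `ellipsize(x, 20, 90)` are what keep control characters and long payloads out of it. A one-line comment would stop a later edit from logging `buf` directly, e.g. `/* buf is sender-controlled: escape and truncate before logging */`. If `cescape()` or `ellipsize()` fails, `strnull(y)` substitutes a placeholder, so the log line cannot be told apart from a real payload with that text; a distinct message for the allocation-failure case would be clearer. The function begins outside the embedded hunk.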
@@ -0,0 +1,82 @@
+From 98c4bab7add94bdfb6cc238376c47a9c73a4fe39 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Thu, 29 Sep 2016 16:06:02 +0200
+Subject: [PATCH 1/1] pid1: process zero-length notification messages again
+
+This undoes 531ac2b234. I acked that patch without looking at the code
+carefully enough. There are two problems:
+- we want to process the fds anyway
+- in principle empty notification messages are valid, and we should
+ process them as usual, including logging using log_unit_debug().
+
+(cherry picked from commit 8523bf7dd514a3a2c6114b7b8fb8f308b4f09fc4)
+
+[fbui: adjust context]
+---
+ src/core/manager.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 06d78e4..58d346e 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -1501,13 +1501,12 @@ static unsigned manager_dispatch_dbus_queue(Manager *m) {
+ return n;
+ }
+
+-static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, size_t n, FDSet *fds) {
++static void manager_invoke_notify_message(Manager *m, Unit *u, pid_t pid, const char *buf, FDSet *fds) {
+ _cleanup_strv_free_ char **tags = NULL;
+
+ assert(m);
+ assert(u);
+ assert(buf);
+- assert(n > 0);
+
+ tags = strv_split(buf, "\n\r");
+ if (!tags) {
+@@ -1569,10 +1568,6 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+ * example... */
+ return 0;
+ }
+- if (n == 0) {
+- log_debug("Got zero-length notification message. Ignoring.");
+- return 0;
+- }
+
+ CMSG_FOREACH(cmsg, &msghdr) {
+ if (cmsg->cmsg_level == SOL_SOCKET && cmsg->cmsg_type == SCM_RIGHTS) {
+@@ -1609,25 +1604,27 @@ static int manager_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t
+ return 0;
+ }
+
++ /* The message should be a string. Here we make sure it's NUL-terminated,
++ * but only the part until first NUL will be used anyway.
*/ + buf[n] = 0; + + /* Notify every unit that might be interested, but try + * to avoid notifying the same one multiple times. */ + u1 = manager_get_unit_by_pid_cgroup(m, ucred->pid); + if (u1) { +- manager_invoke_notify_message(m, u1, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u1, ucred->pid, buf, fds); + found = true; + } + + u2 = hashmap_get(m->watch_pids1, PID_TO_PTR(ucred->pid)); + if (u2 && u2 != u1) { +- manager_invoke_notify_message(m, u2, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u2, ucred->pid, buf, fds); + found = true; + } + + u3 = hashmap_get(m->watch_pids2, PID_TO_PTR(ucred->pid)); + if (u3 && u3 != u2 && u3 != u1) { +- manager_invoke_notify_message(m, u3, ucred->pid, buf, n, fds); ++ manager_invoke_notify_message(m, u3, ucred->pid, buf, fds); + found = true; + } + +-- +2.10.0 + diff --git a/systemd-mini.changes b/systemd-mini.changes index 902903ae..e71f989e 100644 --- a/systemd-mini.changes +++ b/systemd-mini.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Fri Sep 30 06:07:06 UTC 2016 - fbui@suse.com + +- Import a better fix from upstream for bsc#1001765 + + - Added: + + 0001-pid1-more-informative-error-message-for-ignored-noti.patch + 0001-pid1-process-zero-length-notification-messages-again.patch + + - Updated (no code changes, only patch metadata) + + 0001-If-the-notification-message-length-is-0-ignore-the-m.patch + 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch + ------------------------------------------------------------------- Thu Sep 29 13:05:44 UTC 2016 - fbui@suse.com diff --git a/systemd-mini.spec b/systemd-mini.spec index 4d8bc8c9..c1c25587 100644 --- a/systemd-mini.spec +++ b/systemd-mini.spec 
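Review bot: With the `n` parameter and `assert(n > 0)` removed, manager_invoke_notify_message() relies entirely on the caller's `buf[n] = 0` for termination. That store is in bounds only if `n` was compared with the buffer size earlier in manager_dispatch_notify_fd(), and that code is outside the embedded hunk. The added comment explains the NUL handling but not the bound, so I would extend it once the check is confirmed, e.g. `/* n < sizeof(buf) was checked above, so buf[n] is in bounds */`. It is also worth a line at the top of manager_invoke_notify_message() saying that `buf` may now be the empty string, since `strv_split()` then presumably yields no tags and each unit's `notify_message` callback has to cope with an empty tag list that may still come with fds.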
@@ -270,6 +270,8 @@ Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch Patch535: 0001-If-the-notification-message-length-is-0-ignore-the-m.patch Patch536: 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch +Patch537: 0001-pid1-process-zero-length-notification-messages-again.patch +Patch538: 0001-pid1-more-informative-error-message-for-ignored-noti.patch # UDEV PATCHES # ============ @@ -621,6 +623,8 @@ cp %{SOURCE7} m4/ %patch534 -p1 %patch535 -p1 %patch536 -p1 +%patch537 -p1 +%patch538 -p1 # udev patches %patch1002 -p1 diff --git a/systemd.changes b/systemd.changes index 902903ae..e71f989e 100644 --- a/systemd.changes +++ b/systemd.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Fri Sep 30 06:07:06 UTC 2016 - fbui@suse.com + +- Import a better fix from upstream for bsc#1001765 + + - Added: + + 0001-pid1-more-informative-error-message-for-ignored-noti.patch + 0001-pid1-process-zero-length-notification-messages-again.patch + + - Updated (no code changes, only patch metadata) + + 0001-If-the-notification-message-length-is-0-ignore-the-m.patch + 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch + ------------------------------------------------------------------- Thu Sep 29 13:05:44 UTC 2016 - fbui@suse.com diff --git a/systemd.spec b/systemd.spec index 45de4744..ca15920f 100644 --- a/systemd.spec +++ b/systemd.spec 
@@ -265,6 +265,8 @@ Patch533: 0001-journal-warn-when-we-fail-to-append-a-tag-to-a-journ.patch Patch534: 0001-journal-fix-HMAC-calculation-when-appending-a-data-o.patch Patch535: 0001-If-the-notification-message-length-is-0-ignore-the-m.patch Patch536: 0001-pid1-don-t-return-any-error-in-manager_dispatch_noti.patch +Patch537: 0001-pid1-process-zero-length-notification-messages-again.patch +Patch538: 0001-pid1-more-informative-error-message-for-ignored-noti.patch # UDEV PATCHES # ============ @@ -616,6 +618,8 @@ cp %{SOURCE7} m4/ %patch534 -p1 %patch535 -p1 %patch536 -p1 +%patch537 -p1 +%patch538 -p1 # udev patches %patch1002 -p1