Accepting request 971023 from Base:System

OBS-URL: https://build.opensuse.org/request/show/971023
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=357

0011-core-disable-session-keyring-per-system-sevice-entir.patch

@@ -1,45 +0,0 @@
-From 67f3fa5aa2781d42c809da9303f81b28544824d8 Mon Sep 17 00:00:00 2001
-From: Franck Bui <fbui@suse.com>
-Date: Thu, 6 Jul 2017 15:48:10 +0200
-Subject: [PATCH 10/11] core: disable session keyring per system sevice
- entirely for now
-
-Until PAM module "pam_keyinit" is fully integrated in SUSE's PAM stack, this
-feature has to be disabled.
-
-openSUSE is still not ready for enabling the keyring stuff (see
-bsc#1081947). Some services got fixed (sshd, getty@.service) but some still
-haven't (xdm, login, ...)
-
-So leave it disabled again otherwise different users might end up using the
-same session keyring - the one created for the service used for logging in
-(sshd, getty@.service, xdm, etc...)
-
-The integration of pam_keyinit is tracked here:
-https://bugzilla.opensuse.org/show_bug.cgi?id=1081947
-
-See also:
-https://github.com/systemd/systemd/pull/6286
-
-[fbui: fixes boo#1045886]
----
- src/core/execute.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/core/execute.c b/src/core/execute.c
-index 2a337b55a2..b5a1a3b6e5 100644
---- a/src/core/execute.c
-+++ b/src/core/execute.c
-@@ -3356,6 +3356,9 @@ static int setup_keyring(
-         assert(context);
-         assert(p);
- 
-+        /* SUSE: pam_keyinit is still not fully integrated to SUSE's PAM stack... */
-+        return 0;
-+
-         /* Let's set up a new per-service "session" kernel keyring for each system service. This has the benefit that
-          * each service runs with its own keyring shared among all processes of the service, but with no hook-up beyond
-          * that scope, and in particular no link to the per-UID keyring. If we don't do this the keyring will be
--- 
-2.26.2
-

files.systemd

@@ -124,7 +124,6 @@
 %{_bindir}/timedatectl
 %if %{without bootstrap}
 %{_datadir}/bash-completion/completions/busctl
-%{_datadir}/bash-completion/completions/coredumpctl
 %{_datadir}/bash-completion/completions/hostnamectl
 %{_datadir}/bash-completion/completions/journalctl
 %{_datadir}/bash-completion/completions/localectl
@@ -188,7 +187,6 @@
 %{_datadir}/systemd/language-fallback-map
 %if %{without bootstrap}
 %{_datadir}/zsh/site-functions/_busctl
-%{_datadir}/zsh/site-functions/_coredumpctl
 %{_datadir}/zsh/site-functions/_hostnamectl
 %{_datadir}/zsh/site-functions/_journalctl
 %{_datadir}/zsh/site-functions/_localectl

systemd-v250.4+suse.47.ge43a1b0188.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:6633132c53177f605c5744b6cc412c823e32249545ffd0520ac56ef33c270d9c
-size 7626800

systemd-v250.4+suse.54.g736db5a59f.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:61dfe5c41409547e9e358593b0187e63955ec6229dd04f78e7e7398289a40350
+size 7626844

systemd.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Apr 20 07:59:23 UTC 2022 - Ludwig Nussel <lnussel@suse.de>
+
+- spec: sign the systemd-boot efi binary (boo#1198586)
+
+-------------------------------------------------------------------
+Tue Apr 19 11:17:03 UTC 2022 - Franck Bui <fbui@suse.com>
+
+- Drop 0011-core-disable-session-keyring-per-system-sevice-entir.patch
+
+  Since bsc#1081947 has been addressed, we can attempt to re-enable private
+  session kernel keyring for each system service hence each service gets a
+  session keyring that is specific to the service.
+
+-------------------------------------------------------------------
+Tue Apr 19 07:30:31 UTC 2022 - Franck Bui <fbui@suse.com>
+
+- Import commit 736db5a59f1ab1317ef64ec6e7dc394250178146
+
+  98bc28d824 tmpfiles: constify item_compatible() parameters
+  3faf1a2648 test: adapt install_pam() for openSUSE
+  b7ca34fa28 test: add test checking tmpfiles conf file precedence
+  2713693d93 test tmpfiles: add a test for 'w+'
+  ce2cbefe38 tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
+  769f5a0cbe Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size.
+
+-------------------------------------------------------------------
+Sat Apr  9 12:54:30 UTC 2022 - Andreas Schwab <schwab@suse.de>
+
+- libseccomp is needed everywhere
+
+-------------------------------------------------------------------
+Thu Apr  7 19:27:11 UTC 2022 - Franck Bui <fbui@suse.com>
+
+- Move coredumpctl completion files into systemd-coredump sub-package.
+
 -------------------------------------------------------------------
 Wed Apr  6 09:55:10 UTC 2022 - Franck Bui <fbui@suse.com>
 

systemd.spec

@@ -19,7 +19,7 @@
 %global flavor @BUILD_FLAVOR@%{nil}
 
 %define min_kernel_version 4.5
-%define suse_version +suse.47.ge43a1b0188
+%define suse_version +suse.54.g736db5a59f
 %define _testsuitedir /usr/lib/systemd/tests
 %define xinitconfdir %{?_distconfdir}%{!?_distconfdir:%{_sysconfdir}}/X11/xinit
 
@@ -93,11 +93,9 @@ BuildRequires:  pkgconfig(liblz4)
 BuildRequires:  pkgconfig(liblzma)
 BuildRequires:  pkgconfig(libpcre2-8)
 BuildRequires:  pkgconfig(libqrencode)
+BuildRequires:  pkgconfig(libseccomp) >= 2.3.1
 BuildRequires:  pkgconfig(libselinux) >= 2.1.9
 BuildRequires:  pkgconfig(libzstd)
-%ifarch aarch64 %ix86 x86_64 x32 %arm ppc64le s390x
-BuildRequires:  pkgconfig(libseccomp) >= 2.3.1
-%endif
 %endif
 BuildRequires:  fdupes
 BuildRequires:  gperf
@@ -197,7 +195,6 @@ Patch5:         0005-udev-create-default-symlinks-for-primary-cd_dvd-driv.patch
 Patch8:         0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
 %endif
 Patch10:        0001-conf-parser-introduce-early-drop-ins.patch
-Patch11:        0011-core-disable-session-keyring-per-system-sevice-entir.patch
 Patch12:        0009-pid1-handle-console-specificities-weirdness-for-s390.patch
 
 # Temporary workaround until bsc#1197178 is addressed.
@@ -308,6 +305,7 @@ License:        GPL-2.0-only
 URL:            http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
 %if %{with sd_boot}
 BuildRequires:  gnu-efi
+BuildRequires:  pesign-obs-integration
 %endif
 Requires:       %{name} = %{version}-%{release}
 %systemd_requires
@@ -723,6 +721,12 @@ Have fun with these services at your own risk.
 %install
 %meson_install
 
+%if %{with sd_boot}
+%ifarch x86_64
+export BRP_PESIGN_FILES="/usr/lib/systemd/boot/efi/systemd-bootx64.efi"
+%endif
+%endif
+
 # Don't ship resolvconf symlink for now as it conflicts with the
 # binary shipped by openresolv and provides limited compatibility
 # only
@@ -1317,6 +1321,8 @@ fi
 %config(noreplace) %{_sysconfdir}/systemd/coredump.conf
 %dir %{_localstatedir}/lib/systemd/coredump
 %if %{without bootstrap}
+%{_datadir}/bash-completion/completions/coredumpctl
+%{_datadir}/zsh/site-functions/_coredumpctl
 %{_mandir}/man1/coredumpctl*
 %{_mandir}/man5/coredump.conf*
 %{_mandir}/man8/systemd-coredump*