Accepting request 508718 from Base:System

1

OBS-URL: https://build.opensuse.org/request/show/508718
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=256

0001-core-disable-session-keyring-per-system-sevice-entir.patch

@@ -0,0 +1,31 @@
+From 30cceac444bcc67896611154b051669225abaa93 Mon Sep 17 00:00:00 2001
+From: Franck Bui <fbui@suse.com>
+Date: Thu, 6 Jul 2017 15:48:10 +0200
+Subject: [PATCH] core: disable session keyring per system sevice entirely
+ for now
+
+It seems that this stuff needs more thoughts...
+
+See also:
+https://github.com/systemd/systemd/pull/6286
+
+[fbui: fixes bnc#1045886]
+---
+ src/core/service.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 74054887b..874f2be93 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -1341,7 +1341,6 @@ static int service_spawn(
+         } else
+                 path = UNIT(s)->cgroup_path;
+ 
+-        exec_params.flags |= MANAGER_IS_SYSTEM(UNIT(s)->manager) ? EXEC_NEW_KEYRING : 0;
+         exec_params.argv = c->argv;
+         exec_params.environment = final_env;
+         exec_params.fds = fds;
+-- 
+2.13.1
+

systemd-233.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:68abe8a1ad8d19c64f4e10fdee7b8aceebc7d49fc2bb2711408171bdc841e67a
-size 3255548
+oid sha256:31fe0c3bea971e0dd40b9bec3f08080859ab3710f3882e0009582dd0bf16086d
+size 3257376

systemd-mini.changes

@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Fri Jul  7 08:19:41 UTC 2017 - jengelh@inai.de
+
+- Edit pkgconfig(liblz4) dependency: liblz4 now uses 1.x *again*
+
+-------------------------------------------------------------------
+Thu Jul  6 14:12:34 UTC 2017 - fbui@suse.com
+
+- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
+
+  Temporary patch to disable the session keyring stuff as it's
+  currently broken and may introduce some security holes.
+
+-------------------------------------------------------------------
+Thu Jul  6 12:57:06 UTC 2017 - fbui@suse.com
+
+- Import commit 21827ea0875ff197e16e72003b2bfaa1c6e8daad
+
+  1ad06735f core: fail when syntactically invalid values for User=/Group= fields are detected (bsc#1047023)
+  d563972e2 timesyncd: don't use compiled-in list if FallbackNTP has been configured explicitly
+  f4e0c16f5 gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
+  e1345aac5 fix add_esp() in the gpt-auto-generator.c (#6251)
+  c591ece9a automount: don't lstat(2) upon umount request (#6086) (bsc#1040968)
+  643ab2eea gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab
+  f07d2022f fstab-util: introduce fstab_has_fstype() helper
+  bf735bb35 fstab-util: don't eat up errors in fstab_is_mount_point()
+  a4b40fbed resolved: simplify alloc size calculation (bsc#1045290 CVE-2017-9445)
+  8b960bec0 only check signature job error if signature job exists (#6118) (boo#1043758)
+  1418bfb5b job: Ensure JobRunningTimeoutSec= survives serialization (#6128) (bsc#1004995)
+  19b6d5f08 udev: turn off -Wformat-nonliteral for one safe case
+  717ace439 udev: net_id add support for platform bus (ACPI, mostly arm64) devices (#5933)
+  a3bf2e6b5 core/mount: pass "-c" flag to /bin/umount (#6093)
+
+-------------------------------------------------------------------
+Wed Jul  5 07:15:17 UTC 2017 - fbui@suse.com
+
+- Add minimal support for boot.d/* scripts in systemd-sysv-convert (boo#1046750)
+
+  While at it, the handling of the symlink priorities is also removed
+  since it doesn't appear to be used at all.
+
+-------------------------------------------------------------------
+Thu Jun 22 15:24:22 UTC 2017 - fbui@suse.com
+
+- Don't try to restart networkd/resolved if they're disabled (boo#1045521)
+
+  "systemctl try-restart/preset" wants the unit files exist.
+
+-------------------------------------------------------------------
+Thu Jun 22 13:50:46 UTC 2017 - fbui@suse.com
+
+- Stop shipping /usr/lib/sysusers.d/basic.conf (bsc#1006978)
+
+  Ok looks like the previous change was the right thing to do and we
+  continue to follow this path by relying on the new user/group scheme
+
+  Therefore the basic system user/group are now managed and created by
+  system-sysusers and udev also relies on this for the groups it uses
+  in its rule files.
+
+  Ideally we should have listed all of the groups in the deps (with
+  "Requires: group(disk)" but the list of the groups is rather long
+  and the risk for those groups to be re-organized is probably low, so
+  currently we simply use "Requires: system-group-hardware" as a
+  shortcut.
+
 -------------------------------------------------------------------
 Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
 
@@ -11,7 +77,7 @@ Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
   package isn't pulled in anymore when building the rescue system.
 
   For now make systemd creates the group by adding
-  "Requires: group(post)".
+  "Requires: group(lock)".
 
   I'm currently not sure why we don't use sysusers.d stuff for that
   purpose and if the "lock" group on /run/lock is still

systemd-mini.spec

@@ -83,7 +83,7 @@ BuildRequires:  suse-module-tools >= 12.4
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(blkid) >= 2.26
 BuildRequires:  pkgconfig(libkmod) >= 15
-BuildRequires:  pkgconfig(liblz4) >= 125
+BuildRequires:  pkgconfig(liblz4)
 BuildRequires:  pkgconfig(liblzma)
 BuildRequires:  pkgconfig(libpci) >= 3
 BuildRequires:  pkgconfig(libpcre)
@@ -155,6 +155,14 @@ Source14:       kbd-model-map.legacy
 
 Source1065:     udev-remount-tmpfs
 
+# Patches listed in here are really special cases. Normally all
+# changes must go to upstream first and then are cherry-picked in the
+# SUSE git repository. But in very few cases, some stuff might be
+# broken in upstream and need an urgent fix. Even in this case, the
+# patches are temporary and should be removed as soon as a fix is
+# merged by upstream.
+Patch1:         0001-core-disable-session-keyring-per-system-sevice-entir.patch
+
 %description
 Systemd is a system and service manager, compatible with SysV and LSB
 init scripts for Linux. systemd provides aggressive parallelization
@@ -225,9 +233,8 @@ Summary:        A rule-based device node and kernel event manager
 License:        GPL-2.0
 Group:          System/Kernel
 Url:            http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
+Requires:       system-group-hardware
 Requires(pre):  /usr/bin/stat
-Requires(pre):  /usr/sbin/groupadd
-Requires(pre):  /usr/bin/getent
 Requires(post): sed
 Requires(post): /usr/bin/systemctl
 
@@ -399,6 +406,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
 
 %prep
 %setup -q -n systemd-%{version}
+%autopatch -p1
 
 # only needed for bootstrap
 %if 0%{?bootstrap}
@@ -530,6 +538,10 @@ rm %{buildroot}%{_libexecdir}/systemd/libsystemd-shared.so
 # aaa_base (in procps for now)
 rm -f %{buildroot}%{_prefix}/lib/sysctl.d/50-default.conf
 
+# The definition of the basic users/groups are defined by system-user
+# on SUSE (bsc#1006978).
+rm -f %{buildroot}%{_prefix}/lib/sysusers.d/basic.conf
+
 # Remove README file in init.d as (SUSE) rpm requires executable files
 # in this directory... oh well.
 rm -f %{buildroot}/etc/init.d/README
@@ -682,10 +694,14 @@ if [ $1 -eq 1 ]; then
         # unit.
         systemctl preset remote-fs.target || :
         systemctl preset getty@.service   || :
+        systemctl preset systemd-timesyncd.service || :
+%if %{with networkd}
         systemctl preset systemd-networkd.service || :
         systemctl preset systemd-networkd-wait-online.service || :
-        systemctl preset systemd-timesyncd.service || :
+%endif
+%if %{with resolved}
         systemctl preset systemd-resolved.service  || :
+%endif
 fi >/dev/null
 
 # since v207 /etc/sysctl.conf is no longer parsed, however
@@ -745,9 +761,13 @@ fi
 %systemd_postun
 # Avoid restarting logind until fixed upstream (issue #1163)
 %systemd_postun_with_restart systemd-journald.service
-%systemd_postun_with_restart systemd-networkd.service
 %systemd_postun_with_restart systemd-timesyncd.service
+%if %{with networkd}
+%systemd_postun_with_restart systemd-networkd.service
+%endif
+%if %{with resolved}
 %systemd_postun_with_restart systemd-resolved.service
+%endif
 
 %pretrans -n udev%{?mini} -p <lua>
 if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then
@@ -773,12 +793,6 @@ if [ $1 -eq 1 ]; then
 	echo "COMPAT_SYMLINK_GENERATION=2">/usr/lib/udev/compat-symlink-generation
 fi
 
-# Create "tape"/"input" group which is referenced by some udev rules
-# that we're shipping. FIXME: maybe we should consider using
-# "sysusers_create basic.conf" instead ?
-getent group tape >/dev/null || groupadd -r tape || :
-getent group input >/dev/null || groupadd -r input || :
-
 %post -n udev%{?mini}
 %udev_hwdb_update
 

systemd-sysv-convert

@@ -5,8 +5,7 @@ if [ "$UID" != "0" ]; then
 	exit 1
 fi
 
-declare -A results_runlevel
-declare -A results_priority
+declare -A results_target
 
 usage() {
 	cat << EOF
@@ -33,75 +32,30 @@ EOF
 }
 
 find_service() {
-	local service
-	local runlevel
-	declare -i priority
+	local service=$1
+	local rcnd=$2
 
-	service=$1
-	runlevel=$2
-	priority=-1
-
-	for l in $(ls /etc/rc.d/rc$runlevel.d/) ; do
-		initscript=$(basename $l)
-		if [ ${initscript:0:1} != "S" -o ${initscript:3} != "$service" ]; then
-			continue
-		fi
-		if [ ${initscript:1:2} -ge 0 -a ${initscript:1:2} -le 99 -a ${initscript:1:2} -ge $priority ]; then
-			if [ ${initscript:1:1} == 0 ]; then
-				priority=${initscript:2:1}
-			else
-				priority=${initscript:1:2}
-			fi
-		fi
-	done
-	if [ $priority -ge 0 ]; then
-		return $priority
-	fi
-	return 255
+	case $rcnd in
+	boot.d)		[ -L /etc/rc.d/$rcnd/S??boot.$service ] ;;
+	*)		[ -L /etc/rc.d/$rcnd/S??$service ]
+	esac
 }
 
 lookup_database() {
-	local services
+	local services=$@
 	local service
-	local service_file
 	local runlevel
 	local priority
-	local -i k
-	declare -a parsed
 
-	services=$@
-	k=0
-	results_runlevel=()
-	results_priority=()
-
-	while read line ; do
-		k+=1
-		parsed=($line)
-		service=${parsed[0]}
-		runlevel=${parsed[1]}
-		priority=${parsed[2]}
-		if [ $runlevel -lt 2 -o $runlevel -gt 5 ]; then
-			echo "Runlevel out of bounds in database line $k. Ignoring" >/dev/stderr
-			continue
-		fi
-		if [ $priority -lt 0 -o $priority -gt 99 ]; then
-			echo "Priority out of bounds in database line $k. Ignoring" >/dev/stderr
-			continue
-		fi
-
-		declare -i found
-		found=0
+	# 'priority' field is not used but is kept for backward compat
+	# reason.
+	while read service runlevel priority; do
 		for s in $services ; do
 			if [ $s == $service ]; then
-				found=1
-				continue
+				results_target[$service]+=" runlevel$runlevel.target"
+				break
 			fi
 		done
-		if [ $found -eq 0 ]; then
-			continue
-		fi
-		results_runlevel[$service]+=" $runlevel"
-		results_priority[$service]+=" $priority"
 	done < /var/lib/systemd/sysv-convert/database
 }
 
@@ -114,16 +68,19 @@ case "$1" in
 	--save)
 		shift
 		for service in $@ ; do
-			if [ ! -r "/etc/init.d/$service" ]; then
+			if [ ! -r /etc/init.d/$service ] && [ ! -r /etc/init.d/boot.$service ]; then
 				echo "SysV service $service does not exist, skipping"
 				continue
 			fi
-			for runlevel in 2 3 4 5; do
-				find_service $service $runlevel
-				priority=$?
-				if [ $priority -lt 255 ]; then
-					echo "$service	$runlevel	$priority" >>/var/lib/systemd/sysv-convert/database
-				fi
+			for rcnd in rc2.d rc3.d rc4.d rc5.d boot.d; do
+				case $rcnd in
+				rc*.d)	runlevel=${rcnd:2:1} ;;
+				boot.d)	runlevel=3 ;;
+				esac
+
+				# Write a dumb priority as it is not used.
+				find_service $service $rcnd &&
+				echo "$service	$runlevel 50" >>/var/lib/systemd/sysv-convert/database
 			done
 		done
 		;;
@@ -132,17 +89,13 @@ case "$1" in
 		services=$@
 		lookup_database $services
 		for service in $services; do
-  			if [ -z "${results_runlevel[$service]}" ]; then
-				echo No information found about service $service found. >/dev/stderr
+  			if [ -z "${results_target[$service]}" ]; then
+				echo "No information about service $service found." >/dev/stderr
 				let fail++
 				continue
 			fi
-			declare -i count
-			count=0
-			priority=(${results_priority[$service]})
-			for runlevel in ${results_runlevel[$service]}; do
-				echo SysV service $service enabled in runlevel $runlevel at priority ${priority[$count]}
-				count+=1
+			for target in ${results_target[$service]}; do
+				echo "SysV service '$service' is pulled by $target"
 			done
 		done
 		;;
@@ -170,16 +123,16 @@ case "$1" in
 		if [ -e /var/lib/systemd/sysv-convert/database ]; then
 			lookup_database $services
 			for service in $services; do
-				[ -f "/lib/systemd/system/$service.service" ] && service_file="/lib/systemd/system/$service.service"
-				[ -f "/usr/lib/systemd/system/$service.service" ] && service_file="/usr/lib/systemd/system/$service.service"
+				[ -f "/lib/systemd/system/$service.service" ] && unit="/lib/systemd/system/$service.service"
+				[ -f "/usr/lib/systemd/system/$service.service" ] && unit="/usr/lib/systemd/system/$service.service"
 
 				# If $service is not present in the database,
 				# then it simply means that the sysv init
 				# service was not enabled at all.
-				for runlevel in ${results_runlevel[$service]}; do
-					echo ln -sf $service_file /etc/systemd/system/runlevel$runlevel.target.wants/$service.service >/dev/stderr
-					mkdir -p "/etc/systemd/system/runlevel$runlevel.target.wants"
-					/bin/ln -sf $service_file /etc/systemd/system/runlevel$runlevel.target.wants/$service.service
+				for target in ${results_target[$service]}; do
+					echo ln -sf $unit /etc/systemd/system/$target.wants/$service.service >/dev/stderr
+					mkdir -p "/etc/systemd/system/$target.wants"
+					/bin/ln -sf $unit /etc/systemd/system/$target.wants/$service.service
 				done
 			done
 		fi

systemd.changes

@@ -1,3 +1,69 @@
+-------------------------------------------------------------------
+Fri Jul  7 08:19:41 UTC 2017 - jengelh@inai.de
+
+- Edit pkgconfig(liblz4) dependency: liblz4 now uses 1.x *again*
+
+-------------------------------------------------------------------
+Thu Jul  6 14:12:34 UTC 2017 - fbui@suse.com
+
+- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
+
+  Temporary patch to disable the session keyring stuff as it's
+  currently broken and may introduce some security holes.
+
+-------------------------------------------------------------------
+Thu Jul  6 12:57:06 UTC 2017 - fbui@suse.com
+
+- Import commit 21827ea0875ff197e16e72003b2bfaa1c6e8daad
+
+  1ad06735f core: fail when syntactically invalid values for User=/Group= fields are detected (bsc#1047023)
+  d563972e2 timesyncd: don't use compiled-in list if FallbackNTP has been configured explicitly
+  f4e0c16f5 gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
+  e1345aac5 fix add_esp() in the gpt-auto-generator.c (#6251)
+  c591ece9a automount: don't lstat(2) upon umount request (#6086) (bsc#1040968)
+  643ab2eea gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab
+  f07d2022f fstab-util: introduce fstab_has_fstype() helper
+  bf735bb35 fstab-util: don't eat up errors in fstab_is_mount_point()
+  a4b40fbed resolved: simplify alloc size calculation (bsc#1045290 CVE-2017-9445)
+  8b960bec0 only check signature job error if signature job exists (#6118) (boo#1043758)
+  1418bfb5b job: Ensure JobRunningTimeoutSec= survives serialization (#6128) (bsc#1004995)
+  19b6d5f08 udev: turn off -Wformat-nonliteral for one safe case
+  717ace439 udev: net_id add support for platform bus (ACPI, mostly arm64) devices (#5933)
+  a3bf2e6b5 core/mount: pass "-c" flag to /bin/umount (#6093)
+
+-------------------------------------------------------------------
+Wed Jul  5 07:15:17 UTC 2017 - fbui@suse.com
+
+- Add minimal support for boot.d/* scripts in systemd-sysv-convert (boo#1046750)
+
+  While at it, the handling of the symlink priorities is also removed
+  since it doesn't appear to be used at all.
+
+-------------------------------------------------------------------
+Thu Jun 22 15:24:22 UTC 2017 - fbui@suse.com
+
+- Don't try to restart networkd/resolved if they're disabled (boo#1045521)
+
+  "systemctl try-restart/preset" wants the unit files exist.
+
+-------------------------------------------------------------------
+Thu Jun 22 13:50:46 UTC 2017 - fbui@suse.com
+
+- Stop shipping /usr/lib/sysusers.d/basic.conf (bsc#1006978)
+
+  Ok looks like the previous change was the right thing to do and we
+  continue to follow this path by relying on the new user/group scheme
+
+  Therefore the basic system user/group are now managed and created by
+  system-sysusers and udev also relies on this for the groups it uses
+  in its rule files.
+
+  Ideally we should have listed all of the groups in the deps (with
+  "Requires: group(disk)" but the list of the groups is rather long
+  and the risk for those groups to be re-organized is probably low, so
+  currently we simply use "Requires: system-group-hardware" as a
+  shortcut.
+
 -------------------------------------------------------------------
 Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
 
@@ -11,7 +77,7 @@ Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
   package isn't pulled in anymore when building the rescue system.
 
   For now make systemd creates the group by adding
-  "Requires: group(post)".
+  "Requires: group(lock)".
 
   I'm currently not sure why we don't use sysusers.d stuff for that
   purpose and if the "lock" group on /run/lock is still

systemd.spec

@@ -81,7 +81,7 @@ BuildRequires:  suse-module-tools >= 12.4
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  pkgconfig(blkid) >= 2.26
 BuildRequires:  pkgconfig(libkmod) >= 15
-BuildRequires:  pkgconfig(liblz4) >= 125
+BuildRequires:  pkgconfig(liblz4)
 BuildRequires:  pkgconfig(liblzma)
 BuildRequires:  pkgconfig(libpci) >= 3
 BuildRequires:  pkgconfig(libpcre)
@@ -153,6 +153,14 @@ Source14:       kbd-model-map.legacy
 
 Source1065:     udev-remount-tmpfs
 
+# Patches listed in here are really special cases. Normally all
+# changes must go to upstream first and then are cherry-picked in the
+# SUSE git repository. But in very few cases, some stuff might be
+# broken in upstream and need an urgent fix. Even in this case, the
+# patches are temporary and should be removed as soon as a fix is
+# merged by upstream.
+Patch1:         0001-core-disable-session-keyring-per-system-sevice-entir.patch
+
 %description
 Systemd is a system and service manager, compatible with SysV and LSB
 init scripts for Linux. systemd provides aggressive parallelization
@@ -223,9 +231,8 @@ Summary:        A rule-based device node and kernel event manager
 License:        GPL-2.0
 Group:          System/Kernel
 Url:            http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
+Requires:       system-group-hardware
 Requires(pre):  /usr/bin/stat
-Requires(pre):  /usr/sbin/groupadd
-Requires(pre):  /usr/bin/getent
 Requires(post): sed
 Requires(post): /usr/bin/systemctl
 
@@ -397,6 +404,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
 
 %prep
 %setup -q -n systemd-%{version}
+%autopatch -p1
 
 # only needed for bootstrap
 %if 0%{?bootstrap}
@@ -528,6 +536,10 @@ rm %{buildroot}%{_libexecdir}/systemd/libsystemd-shared.so
 # aaa_base (in procps for now)
 rm -f %{buildroot}%{_prefix}/lib/sysctl.d/50-default.conf
 
+# The definition of the basic users/groups are defined by system-user
+# on SUSE (bsc#1006978).
+rm -f %{buildroot}%{_prefix}/lib/sysusers.d/basic.conf
+
 # Remove README file in init.d as (SUSE) rpm requires executable files
 # in this directory... oh well.
 rm -f %{buildroot}/etc/init.d/README
@@ -680,10 +692,14 @@ if [ $1 -eq 1 ]; then
         # unit.
         systemctl preset remote-fs.target || :
         systemctl preset getty@.service   || :
+        systemctl preset systemd-timesyncd.service || :
+%if %{with networkd}
         systemctl preset systemd-networkd.service || :
         systemctl preset systemd-networkd-wait-online.service || :
-        systemctl preset systemd-timesyncd.service || :
+%endif
+%if %{with resolved}
         systemctl preset systemd-resolved.service  || :
+%endif
 fi >/dev/null
 
 # since v207 /etc/sysctl.conf is no longer parsed, however
@@ -743,9 +759,13 @@ fi
 %systemd_postun
 # Avoid restarting logind until fixed upstream (issue #1163)
 %systemd_postun_with_restart systemd-journald.service
-%systemd_postun_with_restart systemd-networkd.service
 %systemd_postun_with_restart systemd-timesyncd.service
+%if %{with networkd}
+%systemd_postun_with_restart systemd-networkd.service
+%endif
+%if %{with resolved}
 %systemd_postun_with_restart systemd-resolved.service
+%endif
 
 %pretrans -n udev%{?mini} -p <lua>
 if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then
@@ -771,12 +791,6 @@ if [ $1 -eq 1 ]; then
 	echo "COMPAT_SYMLINK_GENERATION=2">/usr/lib/udev/compat-symlink-generation
 fi
 
-# Create "tape"/"input" group which is referenced by some udev rules
-# that we're shipping. FIXME: maybe we should consider using
-# "sysusers_create basic.conf" instead ?
-getent group tape >/dev/null || groupadd -r tape || :
-getent group input >/dev/null || groupadd -r input || :
-
 %post -n udev%{?mini}
 %udev_hwdb_update