Accepting request 508718 from Base:System

1

OBS-URL: https://build.opensuse.org/request/show/508718
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/systemd?expand=0&rev=256
This commit is contained in:
Dominique Leuenberger 2017-07-17 07:07:55 +00:00 committed by Git OBS Bridge
commit d3be420a93
7 changed files with 250 additions and 106 deletions

View File

@ -0,0 +1,31 @@
From 30cceac444bcc67896611154b051669225abaa93 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Thu, 6 Jul 2017 15:48:10 +0200
Subject: [PATCH] core: disable session keyring per system sevice entirely
for now
It seems that this stuff needs more thoughts...
See also:
https://github.com/systemd/systemd/pull/6286
[fbui: fixes bnc#1045886]
---
src/core/service.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/core/service.c b/src/core/service.c
index 74054887b..874f2be93 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1341,7 +1341,6 @@ static int service_spawn(
} else
path = UNIT(s)->cgroup_path;
- exec_params.flags |= MANAGER_IS_SYSTEM(UNIT(s)->manager) ? EXEC_NEW_KEYRING : 0;
exec_params.argv = c->argv;
exec_params.environment = final_env;
exec_params.fds = fds;
--
2.13.1

View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:68abe8a1ad8d19c64f4e10fdee7b8aceebc7d49fc2bb2711408171bdc841e67a
size 3255548
oid sha256:31fe0c3bea971e0dd40b9bec3f08080859ab3710f3882e0009582dd0bf16086d
size 3257376

View File

@ -1,3 +1,69 @@
-------------------------------------------------------------------
Fri Jul 7 08:19:41 UTC 2017 - jengelh@inai.de
- Edit pkgconfig(liblz4) dependency: liblz4 now uses 1.x *again*
-------------------------------------------------------------------
Thu Jul 6 14:12:34 UTC 2017 - fbui@suse.com
- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
Temporary patch to disable the session keyring stuff as it's
currently broken and may introduce some security holes.
-------------------------------------------------------------------
Thu Jul 6 12:57:06 UTC 2017 - fbui@suse.com
- Import commit 21827ea0875ff197e16e72003b2bfaa1c6e8daad
1ad06735f core: fail when syntactically invalid values for User=/Group= fields are detected (bsc#1047023)
d563972e2 timesyncd: don't use compiled-in list if FallbackNTP has been configured explicitly
f4e0c16f5 gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
e1345aac5 fix add_esp() in the gpt-auto-generator.c (#6251)
c591ece9a automount: don't lstat(2) upon umount request (#6086) (bsc#1040968)
643ab2eea gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab
f07d2022f fstab-util: introduce fstab_has_fstype() helper
bf735bb35 fstab-util: don't eat up errors in fstab_is_mount_point()
a4b40fbed resolved: simplify alloc size calculation (bsc#1045290 CVE-2017-9445)
8b960bec0 only check signature job error if signature job exists (#6118) (boo#1043758)
1418bfb5b job: Ensure JobRunningTimeoutSec= survives serialization (#6128) (bsc#1004995)
19b6d5f08 udev: turn off -Wformat-nonliteral for one safe case
717ace439 udev: net_id add support for platform bus (ACPI, mostly arm64) devices (#5933)
a3bf2e6b5 core/mount: pass "-c" flag to /bin/umount (#6093)
-------------------------------------------------------------------
Wed Jul 5 07:15:17 UTC 2017 - fbui@suse.com
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (boo#1046750)
While at it, the handling of the symlink priorities is also removed
since it doesn't appear to be used at all.
-------------------------------------------------------------------
Thu Jun 22 15:24:22 UTC 2017 - fbui@suse.com
- Don't try to restart networkd/resolved if they're disabled (boo#1045521)
"systemctl try-restart/preset" wants the unit files exist.
-------------------------------------------------------------------
Thu Jun 22 13:50:46 UTC 2017 - fbui@suse.com
- Stop shipping /usr/lib/sysusers.d/basic.conf (bsc#1006978)
Ok looks like the previous change was the right thing to do and we
continue to follow this path by relying on the new user/group scheme
Therefore the basic system user/group are now managed and created by
system-sysusers and udev also relies on this for the groups it uses
in its rule files.
Ideally we should have listed all of the groups in the deps (with
"Requires: group(disk)" but the list of the groups is rather long
and the risk for those groups to be re-organized is probably low, so
currently we simply use "Requires: system-group-hardware" as a
shortcut.
-------------------------------------------------------------------
Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
@ -11,7 +77,7 @@ Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
package isn't pulled in anymore when building the rescue system.
For now make systemd creates the group by adding
"Requires: group(post)".
"Requires: group(lock)".
I'm currently not sure why we don't use sysusers.d stuff for that
purpose and if the "lock" group on /run/lock is still

View File

@ -83,7 +83,7 @@ BuildRequires: suse-module-tools >= 12.4
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(blkid) >= 2.26
BuildRequires: pkgconfig(libkmod) >= 15
BuildRequires: pkgconfig(liblz4) >= 125
BuildRequires: pkgconfig(liblz4)
BuildRequires: pkgconfig(liblzma)
BuildRequires: pkgconfig(libpci) >= 3
BuildRequires: pkgconfig(libpcre)
@ -155,6 +155,14 @@ Source14: kbd-model-map.legacy
Source1065: udev-remount-tmpfs
# Patches listed in here are really special cases. Normally all
# changes must go to upstream first and then are cherry-picked in the
# SUSE git repository. But in very few cases, some stuff might be
# broken in upstream and need an urgent fix. Even in this case, the
# patches are temporary and should be removed as soon as a fix is
# merged by upstream.
Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch
%description
Systemd is a system and service manager, compatible with SysV and LSB
init scripts for Linux. systemd provides aggressive parallelization
@ -225,9 +233,8 @@ Summary: A rule-based device node and kernel event manager
License: GPL-2.0
Group: System/Kernel
Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
Requires: system-group-hardware
Requires(pre): /usr/bin/stat
Requires(pre): /usr/sbin/groupadd
Requires(pre): /usr/bin/getent
Requires(post): sed
Requires(post): /usr/bin/systemctl
@ -399,6 +406,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
%prep
%setup -q -n systemd-%{version}
%autopatch -p1
# only needed for bootstrap
%if 0%{?bootstrap}
@ -530,6 +538,10 @@ rm %{buildroot}%{_libexecdir}/systemd/libsystemd-shared.so
# aaa_base (in procps for now)
rm -f %{buildroot}%{_prefix}/lib/sysctl.d/50-default.conf
# The definition of the basic users/groups are defined by system-user
# on SUSE (bsc#1006978).
rm -f %{buildroot}%{_prefix}/lib/sysusers.d/basic.conf
# Remove README file in init.d as (SUSE) rpm requires executable files
# in this directory... oh well.
rm -f %{buildroot}/etc/init.d/README
@ -682,10 +694,14 @@ if [ $1 -eq 1 ]; then
# unit.
systemctl preset remote-fs.target || :
systemctl preset getty@.service || :
systemctl preset systemd-timesyncd.service || :
%if %{with networkd}
systemctl preset systemd-networkd.service || :
systemctl preset systemd-networkd-wait-online.service || :
systemctl preset systemd-timesyncd.service || :
%endif
%if %{with resolved}
systemctl preset systemd-resolved.service || :
%endif
fi >/dev/null
# since v207 /etc/sysctl.conf is no longer parsed, however
@ -745,9 +761,13 @@ fi
%systemd_postun
# Avoid restarting logind until fixed upstream (issue #1163)
%systemd_postun_with_restart systemd-journald.service
%systemd_postun_with_restart systemd-networkd.service
%systemd_postun_with_restart systemd-timesyncd.service
%if %{with networkd}
%systemd_postun_with_restart systemd-networkd.service
%endif
%if %{with resolved}
%systemd_postun_with_restart systemd-resolved.service
%endif
%pretrans -n udev%{?mini} -p <lua>
if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then
@ -773,12 +793,6 @@ if [ $1 -eq 1 ]; then
echo "COMPAT_SYMLINK_GENERATION=2">/usr/lib/udev/compat-symlink-generation
fi
# Create "tape"/"input" group which is referenced by some udev rules
# that we're shipping. FIXME: maybe we should consider using
# "sysusers_create basic.conf" instead ?
getent group tape >/dev/null || groupadd -r tape || :
getent group input >/dev/null || groupadd -r input || :
%post -n udev%{?mini}
%udev_hwdb_update

View File

@ -5,8 +5,7 @@ if [ "$UID" != "0" ]; then
exit 1
fi
declare -A results_runlevel
declare -A results_priority
declare -A results_target
usage() {
cat << EOF
@ -33,75 +32,30 @@ EOF
}
find_service() {
local service
local runlevel
declare -i priority
local service=$1
local rcnd=$2
service=$1
runlevel=$2
priority=-1
for l in $(ls /etc/rc.d/rc$runlevel.d/) ; do
initscript=$(basename $l)
if [ ${initscript:0:1} != "S" -o ${initscript:3} != "$service" ]; then
continue
fi
if [ ${initscript:1:2} -ge 0 -a ${initscript:1:2} -le 99 -a ${initscript:1:2} -ge $priority ]; then
if [ ${initscript:1:1} == 0 ]; then
priority=${initscript:2:1}
else
priority=${initscript:1:2}
fi
fi
done
if [ $priority -ge 0 ]; then
return $priority
fi
return 255
case $rcnd in
boot.d) [ -L /etc/rc.d/$rcnd/S??boot.$service ] ;;
*) [ -L /etc/rc.d/$rcnd/S??$service ]
esac
}
lookup_database() {
local services
local services=$@
local service
local service_file
local runlevel
local priority
local -i k
declare -a parsed
services=$@
k=0
results_runlevel=()
results_priority=()
while read line ; do
k+=1
parsed=($line)
service=${parsed[0]}
runlevel=${parsed[1]}
priority=${parsed[2]}
if [ $runlevel -lt 2 -o $runlevel -gt 5 ]; then
echo "Runlevel out of bounds in database line $k. Ignoring" >/dev/stderr
continue
fi
if [ $priority -lt 0 -o $priority -gt 99 ]; then
echo "Priority out of bounds in database line $k. Ignoring" >/dev/stderr
continue
fi
declare -i found
found=0
# 'priority' field is not used but is kept for backward compat
# reason.
while read service runlevel priority; do
for s in $services ; do
if [ $s == $service ]; then
found=1
continue
results_target[$service]+=" runlevel$runlevel.target"
break
fi
done
if [ $found -eq 0 ]; then
continue
fi
results_runlevel[$service]+=" $runlevel"
results_priority[$service]+=" $priority"
done < /var/lib/systemd/sysv-convert/database
}
@ -114,16 +68,19 @@ case "$1" in
--save)
shift
for service in $@ ; do
if [ ! -r "/etc/init.d/$service" ]; then
if [ ! -r /etc/init.d/$service ] && [ ! -r /etc/init.d/boot.$service ]; then
echo "SysV service $service does not exist, skipping"
continue
fi
for runlevel in 2 3 4 5; do
find_service $service $runlevel
priority=$?
if [ $priority -lt 255 ]; then
echo "$service $runlevel $priority" >>/var/lib/systemd/sysv-convert/database
fi
for rcnd in rc2.d rc3.d rc4.d rc5.d boot.d; do
case $rcnd in
rc*.d) runlevel=${rcnd:2:1} ;;
boot.d) runlevel=3 ;;
esac
# Write a dumb priority as it is not used.
find_service $service $rcnd &&
echo "$service $runlevel 50" >>/var/lib/systemd/sysv-convert/database
done
done
;;
@ -132,17 +89,13 @@ case "$1" in
services=$@
lookup_database $services
for service in $services; do
if [ -z "${results_runlevel[$service]}" ]; then
echo No information found about service $service found. >/dev/stderr
if [ -z "${results_target[$service]}" ]; then
echo "No information about service $service found." >/dev/stderr
let fail++
continue
fi
declare -i count
count=0
priority=(${results_priority[$service]})
for runlevel in ${results_runlevel[$service]}; do
echo SysV service $service enabled in runlevel $runlevel at priority ${priority[$count]}
count+=1
for target in ${results_target[$service]}; do
echo "SysV service '$service' is pulled by $target"
done
done
;;
@ -170,16 +123,16 @@ case "$1" in
if [ -e /var/lib/systemd/sysv-convert/database ]; then
lookup_database $services
for service in $services; do
[ -f "/lib/systemd/system/$service.service" ] && service_file="/lib/systemd/system/$service.service"
[ -f "/usr/lib/systemd/system/$service.service" ] && service_file="/usr/lib/systemd/system/$service.service"
[ -f "/lib/systemd/system/$service.service" ] && unit="/lib/systemd/system/$service.service"
[ -f "/usr/lib/systemd/system/$service.service" ] && unit="/usr/lib/systemd/system/$service.service"
# If $service is not present in the database,
# then it simply means that the sysv init
# service was not enabled at all.
for runlevel in ${results_runlevel[$service]}; do
echo ln -sf $service_file /etc/systemd/system/runlevel$runlevel.target.wants/$service.service >/dev/stderr
mkdir -p "/etc/systemd/system/runlevel$runlevel.target.wants"
/bin/ln -sf $service_file /etc/systemd/system/runlevel$runlevel.target.wants/$service.service
for target in ${results_target[$service]}; do
echo ln -sf $unit /etc/systemd/system/$target.wants/$service.service >/dev/stderr
mkdir -p "/etc/systemd/system/$target.wants"
/bin/ln -sf $unit /etc/systemd/system/$target.wants/$service.service
done
done
fi

View File

@ -1,3 +1,69 @@
-------------------------------------------------------------------
Fri Jul 7 08:19:41 UTC 2017 - jengelh@inai.de
- Edit pkgconfig(liblz4) dependency: liblz4 now uses 1.x *again*
-------------------------------------------------------------------
Thu Jul 6 14:12:34 UTC 2017 - fbui@suse.com
- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
Temporary patch to disable the session keyring stuff as it's
currently broken and may introduce some security holes.
-------------------------------------------------------------------
Thu Jul 6 12:57:06 UTC 2017 - fbui@suse.com
- Import commit 21827ea0875ff197e16e72003b2bfaa1c6e8daad
1ad06735f core: fail when syntactically invalid values for User=/Group= fields are detected (bsc#1047023)
d563972e2 timesyncd: don't use compiled-in list if FallbackNTP has been configured explicitly
f4e0c16f5 gpt-auto-generator: fix the handling of the value returned by fstab_has_fstype() in add_swap() (#6280)
e1345aac5 fix add_esp() in the gpt-auto-generator.c (#6251)
c591ece9a automount: don't lstat(2) upon umount request (#6086) (bsc#1040968)
643ab2eea gpt-auto-generator: disable gpt auto logic for swaps if at least one is defined in fstab
f07d2022f fstab-util: introduce fstab_has_fstype() helper
bf735bb35 fstab-util: don't eat up errors in fstab_is_mount_point()
a4b40fbed resolved: simplify alloc size calculation (bsc#1045290 CVE-2017-9445)
8b960bec0 only check signature job error if signature job exists (#6118) (boo#1043758)
1418bfb5b job: Ensure JobRunningTimeoutSec= survives serialization (#6128) (bsc#1004995)
19b6d5f08 udev: turn off -Wformat-nonliteral for one safe case
717ace439 udev: net_id add support for platform bus (ACPI, mostly arm64) devices (#5933)
a3bf2e6b5 core/mount: pass "-c" flag to /bin/umount (#6093)
-------------------------------------------------------------------
Wed Jul 5 07:15:17 UTC 2017 - fbui@suse.com
- Add minimal support for boot.d/* scripts in systemd-sysv-convert (boo#1046750)
While at it, the handling of the symlink priorities is also removed
since it doesn't appear to be used at all.
-------------------------------------------------------------------
Thu Jun 22 15:24:22 UTC 2017 - fbui@suse.com
- Don't try to restart networkd/resolved if they're disabled (boo#1045521)
"systemctl try-restart/preset" wants the unit files exist.
-------------------------------------------------------------------
Thu Jun 22 13:50:46 UTC 2017 - fbui@suse.com
- Stop shipping /usr/lib/sysusers.d/basic.conf (bsc#1006978)
Ok looks like the previous change was the right thing to do and we
continue to follow this path by relying on the new user/group scheme
Therefore the basic system user/group are now managed and created by
system-sysusers and udev also relies on this for the groups it uses
in its rule files.
Ideally we should have listed all of the groups in the deps (with
"Requires: group(disk)" but the list of the groups is rather long
and the risk for those groups to be re-organized is probably low, so
currently we simply use "Requires: system-group-hardware" as a
shortcut.
-------------------------------------------------------------------
Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
@ -11,7 +77,7 @@ Fri Jun 16 09:14:43 UTC 2017 - fbui@suse.com
package isn't pulled in anymore when building the rescue system.
For now make systemd creates the group by adding
"Requires: group(post)".
"Requires: group(lock)".
I'm currently not sure why we don't use sysusers.d stuff for that
purpose and if the "lock" group on /run/lock is still

View File

@ -81,7 +81,7 @@ BuildRequires: suse-module-tools >= 12.4
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(blkid) >= 2.26
BuildRequires: pkgconfig(libkmod) >= 15
BuildRequires: pkgconfig(liblz4) >= 125
BuildRequires: pkgconfig(liblz4)
BuildRequires: pkgconfig(liblzma)
BuildRequires: pkgconfig(libpci) >= 3
BuildRequires: pkgconfig(libpcre)
@ -153,6 +153,14 @@ Source14: kbd-model-map.legacy
Source1065: udev-remount-tmpfs
# Patches listed in here are really special cases. Normally all
# changes must go to upstream first and then are cherry-picked in the
# SUSE git repository. But in very few cases, some stuff might be
# broken in upstream and need an urgent fix. Even in this case, the
# patches are temporary and should be removed as soon as a fix is
# merged by upstream.
Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch
%description
Systemd is a system and service manager, compatible with SysV and LSB
init scripts for Linux. systemd provides aggressive parallelization
@ -223,9 +231,8 @@ Summary: A rule-based device node and kernel event manager
License: GPL-2.0
Group: System/Kernel
Url: http://www.kernel.org/pub/linux/utils/kernel/hotplug/udev.html
Requires: system-group-hardware
Requires(pre): /usr/bin/stat
Requires(pre): /usr/sbin/groupadd
Requires(pre): /usr/bin/getent
Requires(post): sed
Requires(post): /usr/bin/systemctl
@ -397,6 +404,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
%prep
%setup -q -n systemd-%{version}
%autopatch -p1
# only needed for bootstrap
%if 0%{?bootstrap}
@ -528,6 +536,10 @@ rm %{buildroot}%{_libexecdir}/systemd/libsystemd-shared.so
# aaa_base (in procps for now)
rm -f %{buildroot}%{_prefix}/lib/sysctl.d/50-default.conf
# The definition of the basic users/groups are defined by system-user
# on SUSE (bsc#1006978).
rm -f %{buildroot}%{_prefix}/lib/sysusers.d/basic.conf
# Remove README file in init.d as (SUSE) rpm requires executable files
# in this directory... oh well.
rm -f %{buildroot}/etc/init.d/README
@ -680,10 +692,14 @@ if [ $1 -eq 1 ]; then
# unit.
systemctl preset remote-fs.target || :
systemctl preset getty@.service || :
systemctl preset systemd-timesyncd.service || :
%if %{with networkd}
systemctl preset systemd-networkd.service || :
systemctl preset systemd-networkd-wait-online.service || :
systemctl preset systemd-timesyncd.service || :
%endif
%if %{with resolved}
systemctl preset systemd-resolved.service || :
%endif
fi >/dev/null
# since v207 /etc/sysctl.conf is no longer parsed, however
@ -743,9 +759,13 @@ fi
%systemd_postun
# Avoid restarting logind until fixed upstream (issue #1163)
%systemd_postun_with_restart systemd-journald.service
%systemd_postun_with_restart systemd-networkd.service
%systemd_postun_with_restart systemd-timesyncd.service
%if %{with networkd}
%systemd_postun_with_restart systemd-networkd.service
%endif
%if %{with resolved}
%systemd_postun_with_restart systemd-resolved.service
%endif
%pretrans -n udev%{?mini} -p <lua>
if posix.stat("/lib/udev") and not posix.stat("/usr/lib/udev") then
@ -771,12 +791,6 @@ if [ $1 -eq 1 ]; then
echo "COMPAT_SYMLINK_GENERATION=2">/usr/lib/udev/compat-symlink-generation
fi
# Create "tape"/"input" group which is referenced by some udev rules
# that we're shipping. FIXME: maybe we should consider using
# "sysusers_create basic.conf" instead ?
getent group tape >/dev/null || groupadd -r tape || :
getent group input >/dev/null || groupadd -r input || :
%post -n udev%{?mini}
%udev_hwdb_update