It includes the following fixes:
9b75a3d050 coredump: do not allow user to access coredumps with changed uid/gid/capabilities (bsc#1205000 CVE-2022-4415)
For a complete list of changes, visit:
bf3fef9988...5a506d73bd
Additionally, it also includes the following backports:
- 20ca3155c5 localed: reload PID1 configuration after modifying /etc/locale.conf
- 3538c202fd test: update TEST-73-LOCALE to define several locale settings in initial PID1 environment
- Drop 5000-coredump-adjust-whitespace.patch
5001-coredump-do-not-allow-user-to-access-coredumps-with-.patch
They are part of v252.4.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1338
6372fb0cc4 btrfs-util: convert O_PATH if necessary, in btrfs quota call (bsc#1205560)
12e68eb0e5 blockdev-util: move O_PATH fd conversion into btrfs_get_block_device_fd() to shorten things
bb2bafdc9d btrfs-util: convert to fd_reopen_condition()
1323232948 fd-util: add new helper fd_reopen_conditional()
- Drop 6000-Revert-tmpfiles-whenever-creating-an-inode-immediate.patch
It's no longer needed as a fix for bsc#1205560 has been queued, see above.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1334
d28e81d65c test: fix the default timeout values described in README.testsuite
d921c83f53 meson: install test-kernel-install only when -Dkernel-install=true
c3b6c4b584 tests: update install_suse_systemd()
3c77335b19 tests: install dmi-sysfs module on openSUSE
df632130cd tests: install systemd-resolved on openSUSE
- Add 6000-Revert-tmpfiles-whenever-creating-an-inode-immediate.patch until
upstream issue #25468 is fixed.
- Drop 0001-meson-build-kernel-install-man-page-when-necessary.patch, the patch
has been merged in the SUSE git repo.
This includes the following bug fixes:
- upstream commit 67c3e1f63a5221b47a8fea85ae421671f29f3b7e (bsc#1200723)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1329
To make sure that the same seed is not replicated when installing from a
'golden' image.
For regular installations the random seed file is initialized by the installer
itself (bsc#1174964). Even if it didn't, the random seed file would be created
on first boot anyway.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1318
So `machinectl import-tar` always works flawlessly. systemd-container already
is an optional package and both tar and gpg are rather basic anyway so no harm
should be done by requiring them.
- Move the systemd sysupdate stuff from the main package to the experimental
sub-package while it's still time. The method used (currently) for updating
openSUSE distro is rpm, not systemd-sysupdate.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1295
98bc28d824 tmpfiles: constify item_compatible() parameters
3faf1a2648 test: adapt install_pam() for openSUSE
b7ca34fa28 test: add test checking tmpfiles conf file precedence
2713693d93 test tmpfiles: add a test for 'w+'
ce2cbefe38 tmpfiles.d: only 'w+' can have multiple lines for the same path (bsc#1198090)
769f5a0cbe Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1277
1c229f8fc1 cryptsetup: fall back to traditional unlocking if any TPM2 operation fails
8881f21539 cryptsetup: fix typo
5882148902 journald: make use of CLAMP() in cache_space_refresh()
6ee0601f73 journald: make sure journal_file_open() doesn't leave a corrupted file around after failing (bsc#1198114)
fe928f3d49 fs-util: make sure openat_report_new() initializes return param also on shortcut
3881af1806 fs-util: fix typos in comments
96060b73ba journal-file: port journal_file_open() to openat_report_new()
611d9955bb fs-util: add openat_report_new() wrapper around openat()
f16edb41d4 network: ignore all errors in loading .network files (bsc#1197968)
5422730a7b meson: build kernel-install man page when necessary
45c627cfc2 build: include status of TPM2 in the feature string show by --version
- Drop 0001-meson-build-kernel-install-man-page-when-necessary.patch
It's been merged in the SUSE git repo.
This includes the following bug fixes:
- upstream commit 34357545590d4791d1acbbeb07ae8f7636e187cb (bsc#1198093)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1274
sub-package: they may deserve a dedicated sub-package in the future but for
now move them to udev so they aren't installed in systemd based containers.
- Move a bunch of components operating on (mainly block) devices into udev as
without udev they're most likely useless.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1268
37b683c832 journal: preserve acls when rotating user journals with NOCOW attribute set
d043fabebc journal: when copying journal file to undo NOCOW flag, go via fd
78c2766689 journal-file: explicitly handle file systems that do not support hole punching
7ecfb4b098 journal-file: fix error handling of pread() in journald_file_punch_holes()
c4946a412c journal-file: don't use pread() when determining where to append, use mmap as before
d3fbd20628 journal: various fixes to journal_file_read_object()
5897a8e8d4 shared: Handle filesystems that don't support hole punching in COPY_HOLES
27746408e2 journal: Truncate file instead of punching hole in final object
59b6130030 shared: Ensure COPY_HOLES copies trailing holes
ac9ccba73f journal: stat journal file after truncating
0257283444 journal: Copy holes when archiving BTRFS journal files
26c2a9952d shared: Copy holes in sparse files in copy_bytes_full()
6c7191dece copy: fix wrong argument passed to S_ISREG() in copy_file_fd_full()
af0a43024d udev: 60-persistent-storage-tape.rules: handle duplicate device ID (bsc#1195529)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1263
targets (bsc#1196567)
The script 'upgrade-from-pre-210.sh' used to initialize the default target
during migration from sysvinit to systemd. However it created symlinks to
runlevel targets, which are deprecated and might be missing when
systemd-sysvcompat package is not installed. If such symlinks are found the
script now renames them to point to 'true' systemd target units.
- When migrating from sysvinit to systemd (it probably won't happen anymore),
let's use the default systemd target, which is the graphical.target one. In
most cases it will do the right thing anyway.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1258
Make sure that all mini variants won't be installed in real systems and won't
be involved when building media with kiwi. Note that sub-packages that
require systemd (such as udev) don't need any special treatment since the
specific deps are inherited from the main (mini) package.
- spec: simplify systemd-mini-doc dependencies by assuming that the doc
sub-package can't be a build requirement for other packages.
- spec: libsystemd-mini and libudev-mini need to provide libsystemd and libudev
respectively
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1251
systemd-sysvinit was probably provided to allow systems to switch from
sysvinit to systemd by overwriting /sbin/init with a link to systemd. But this
isn't very useful anymore due to the fact that sysvinit has not been supported for
several years. Therefore the subpackage now contains the files needed to keep
backward compatibility with SysV init scripts (most notably sysv-generator)
and has been renamed accordingly. The few files that are not specific to
sysvinit (such as /bin/init) have been moved to the main package.
Normally this new subpackage shouldn't be needed (since all packages use
systemd unit files) unless a 3rd party application is installed and still
relies on SysV init scripts.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1250
actually installed when %{with machined} is true.
- Call ldconfig when container subpackage is installed since it ships
nss-mymachines NSS plug-in module.
- Drop 0006-sysv-generator-add-back-support-for-SysV-scripts-for.patch
0009-sysv-add-back-support-for-all-virtual-facility-and-f.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1243
41334be59e meson: minor cleanup
3db0c28462 sysusers: split up systemd.conf
- Drop 0012-resolved-create-etc-resolv.conf-symlink-at-runtime.patch (bsc#1195153)
Since v241, the patch isn't useful anymore because resolved is no longer able to
create /etc/resolv.conf symlink by itself, it runs as 'systemd-resolve'
user. The symlink is now handled by a tmpfiles config file which is only
installed when systemd-resolved is. The tmpfiles config file has currently a
lower priority than the one shipped by netconfig.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1240
and systemd-container respectively.
These modules are plug-in modules hence the shared library packaging policy
doesn't apply for them. Moreover they're pretty useless alone without their
respective systemd services. Hence let's reduce the number of sub-packages as
the list keeps increasing.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1238
material.
- Extract bits from 0008-sysv-generator-translate-Required-Start-into-a-Wants.patch
which are not specific to the handling of 'Required-Start:' and move them into a
new patch 1010-sysv-add-back-support-for-all-virtual-facility-and-f.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1222
For a complete list of changes, visit:
458220239c...e2ca79dd77
- Drop the following patches as they have been merged into SUSE/v249 branch:
5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch
5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch
5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1221
e95df40b09 shared/rm-rf: loop over nested directories instead of instead of recursing (CVE-2021-3997 bsc#1194178)
078e04305d shared/rm_rf: refactor rm_rf() to shorten code a bit
6d560d0aca shared/rm_rf: refactor rm_rf_children_inner() to shorten code a bit
6666ff056c localectl: don't omit keymaps files that are symlinks (bsc#1191826)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1220
5000-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch
5001-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch
5002-shared-rm-rf-loop-over-nested-directories-instead-of.patch
These patches will be dropped and cherry-picked from upstream once upstream
commits them in their main branch.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1219
30cbebc56f tmpfiles: 'st' may have been used uninitialized
5443654ec0 macro: add new helper RET_NERRNO()
8d90ecc435 rm-rf: optionally fsync() after removing directory tree
591344010d rm-rf: refactor rm_rf_children(), split out body of directory iteration loop
8c7762c4f1 Bump the max number of inodes for /dev to a million (bsc#1192858)
dc9476c881 journal: don't remove the flushed flag when journald is stopped
29efc29efd TEST-10: don't attempt to write a byte to the socket
773fb785b6 Bump the max number of inodes for /dev to 128k (bsc#1192858)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1218
Change the default implementation of pam_setcred() again, previously
customized to run the full "auth" PAM stack and only call pam_deny.so which is
basically the SUSE default behavior without pam_warn.so.
This is considered safer, especially on SLE where a regression was spotted by
QA.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1217
For a complete list of changes, visit:
c34c987126...523f32df57
- Import commit c34c98712600bc206919ec6ed136195f75ac1967
f99aa40c6e TEST-12: make sure 'adm' group exist
6c7194ff99 TEST-08: don't force ext4 for /
dd1814b8f9 test: use kbd-mode-map we ship in one more test case
94c5febf2a test: fix TEST-10-ISSUE-2467
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1213
3b4a005095 meson: add missing include directory when using xkbcommon
4c4e642712 meson: allow extra net naming schemes to be defined during configuration (jsc#SLE-18514)
78466e4464 meson: drop the list of valid net naming schemes
b9a2098f9d netif-naming: inline one iterator variable
d7fbbc5e74 Add remaining supported schemes as options for default-net-naming-scheme
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1203
Build conditionals (%bcond_with and %bcond_without) are used to
define a specific feature of systemd. "gnu-efi" is rather an
implementation detail. Also not really sure what "efi" option alone
is useful for since systemd-boot & co depends on "gnu-efi".
- Enable sd_boot support for aarch64
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1202
are established (bsc#1190515)
systemd-user PAM service needs to define a default implementation of
pam_setcred() otherwise the fallback (defined by /etc/pam.d/other)
is used, which consists of pam_warn.so + pam_deny.so, and will throw
a warning each time a user logs in.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1197
This setgid bit has been already reviewed in the past and wasn't a
concern. However we want the mode/ownership adjusted by tmpfiles and
avoid the duplication of this info in rpm.
- Don't ghost own any directories created dynamically by tmpfiles
Again rpmlint complains but it doesn't seem to make sense to try to
track all paths (including their perms, ownerships...) created
dynamically. And 'rpm -V' is likely to report issues later with
these paths anyway.
This effectively partially reverts the two previous commits.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1194
This sub package was introduced in order to configure persistent
journal and also to make sure that another syslog provider (such as
rsyslog) couldn't be installed at the same time: each syslog
provider conflicts with the others.
However this mechanism didn't work since uninstalling systemd-logger
wasn't magically turning off persistent logging because
/var/log/journal is likely to be populated hence not removed.
Moreover using a subpackage to configure the mode of journald was
overkill and the usual ways (main conf file or drop-ins) should be
preferred.
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1190
8d65ec4a66 test: wc is needed by test/units/testsuite-50.sh
1527bcc5dd test: make the installation of the debug tools optional in the image
f4e6bf0b37 journalctl: never fail at flushing when the flushed flag is set (bsc#1188588)
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1189
- it's been renamed into 'systemd-testsuite'
- it includes the extended tests too
- the relevant commits have been backported to SUSE/v249 so no SUSE
specific patch is needed to run the extended tests (see below)
- the deps needed by the extended tests have been added
- Import commit 7f23815a706cf2b2df3eac2eb2f8220736b8f427
ad216581b6 test: if haveged is part of initrd it needs to be installed in the image too
088fbb71d0 test: adapt install_pam() for openSUSE
4d631c1f0c Revert "test: adapt TEST-13-NSPAWN-SMOKE for SUSE"
ef956eb8a2 test: on openSUSE the static linked version of busybox is named "busybox-static"
6f7ce633b0 TEST-13-*: in busybox container sleep(1) takes a delay in seconds only
278baaa3ec test: don't try to find BUILD_DIR when NO_BUILD is set
3bba2f876a test: add support for NO_BUILD=1 on openSUSE
d77cbc1b64 test: make busybox TEST-13-only dependency
OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=1178