Dr. Werner Fink 2014-09-24 15:07:37 +00:00 committed by Git OBS Bridge
parent f84c509322
commit 252d6f3a44
10 changed files with 740 additions and 3 deletions


@ -5,7 +5,7 @@
Index: systemd-210/src/login/logind-action.c Index: systemd-210/src/login/logind-action.c
=================================================================== ===================================================================
--- systemd-210/src/login/logind-action.c --- systemd-210.orig/src/login/logind-action.c
+++ systemd-210/src/login/logind-action.c +++ systemd-210/src/login/logind-action.c
@@ -101,6 +101,11 @@ int manager_handle_action( @@ -101,6 +101,11 @@ int manager_handle_action(
@ -21,7 +21,7 @@ Index: systemd-210/src/login/logind-action.c
return 0; return 0;
Index: systemd-210/src/login/logind-dbus.c Index: systemd-210/src/login/logind-dbus.c
=================================================================== ===================================================================
--- systemd-210/src/login/logind-dbus.c --- systemd-210.orig/src/login/logind-dbus.c
+++ systemd-210/src/login/logind-dbus.c +++ systemd-210/src/login/logind-dbus.c
@@ -1469,9 +1469,11 @@ static int method_do_shutdown_or_sleep( @@ -1469,9 +1469,11 @@ static int method_do_shutdown_or_sleep(
sd_bus_error *error) { sd_bus_error *error) {
@ -43,7 +43,7 @@ Index: systemd-210/src/login/logind-dbus.c
- if (multiple_sessions) { - if (multiple_sessions) {
+ fd = open ("/run/systemd/acpi-shutdown", O_NOFOLLOW|O_PATH|O_CLOEXEC); + fd = open ("/run/systemd/acpi-shutdown", O_NOFOLLOW|O_PATH|O_CLOEXEC);
+ if (fd >= 0) { + if (fd >= 0) {
+ shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65)); + shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65) && !sleep_verb);
+ close(fd); + close(fd);
+ unlink ("/run/systemd/acpi-shutdown"); + unlink ("/run/systemd/acpi-shutdown");
+ } + }
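Review bot: The age test on the marker file, `time(NULL) - buf.st_mtime <= 65`, is one-sided: a marker whose mtime lies in the future (the realtime clock stepped backwards after the file was written) gives a negative difference and passes, so the polkit bypass stays open for as long as the skew lasts rather than for the intended 65 seconds. Computing the age once and bounding it on both sides closes that — `time_t age = time(NULL) - buf.st_mtime;` inside an `if (fstat(fd, &buf) == 0)` block, then `shutdown_through_acpi = age >= 0 && age <= 65 && !sleep_verb;`. The same block is the natural place for a `buf.st_uid == 0` check, cheap insurance should the permissions of /run/systemd ever be loosened. The enclosing method_do_shutdown_or_sleep() begins and ends outside this hunk.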


@ -0,0 +1,135 @@
---
src/udev/udev-event.c | 42 ++++++++++++++++++++++++++++++++++++++++++
src/udev/udev.h | 1 +
src/udev/udevd.c | 23 +++++++++++++++++++++--
3 files changed, 64 insertions(+), 2 deletions(-)
--- src/udev/udev-event.c
+++ src/udev/udev-event.c 2014-09-24 14:32:53.115639820 +0000
@@ -959,6 +959,46 @@ void udev_event_execute_rules(struct ude
}
}
+#ifdef HAVE_KMOD
+static inline void udev_check_and_set_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) {
+ char filename[UTIL_PATH_SIZE];
+ switch (builtin_cmd) {
+ case UDEV_BUILTIN_KMOD:
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid());
+ touch(filename);
+ default:
+ break;
+ }
+}
+
+static inline void udev_check_and_unset_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) {
+ char filename[UTIL_PATH_SIZE];
+ switch (builtin_cmd) {
+ case UDEV_BUILTIN_KMOD:
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid());
+ unlink(filename);
+ default:
+ break;
+ }
+}
+
+bool udev_check_for_kmod(pid_t pid) {
+ char filename[UTIL_PATH_SIZE];
+ struct stat st;
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)pid);
+ if (stat(filename, &st) == 0) {
+ return true;
+ }
+ return false;
+}
+#else
+# define udev_set_kmod (a,b)
+# define udev_unset_kmod(a,b)
+bool udev_check_for_kmod(pid_t pid) {
+ return false;
+}
+#endif
+
void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigmask) {
struct udev_list_entry *list_entry;
@@ -970,7 +1010,9 @@ void udev_event_execute_run(struct udev_
char command[UTIL_PATH_SIZE];
udev_event_apply_format(event, cmd, command, sizeof(command));
+ udev_check_and_set_kmod(builtin_cmd, event);
udev_builtin_run(event->dev, builtin_cmd, command, false);
+ udev_check_and_unset_kmod(builtin_cmd, event);
} else {
char program[UTIL_PATH_SIZE];
char **envp;
--- src/udev/udevd.c
+++ src/udev/udevd.c 2014-09-24 15:02:30.895592379 +0000
@@ -76,6 +76,7 @@ static int children_max;
static int exec_delay;
static usec_t event_timeout_usec = 180 * USEC_PER_SEC;
static usec_t event_timeout_warn_usec = 180 * USEC_PER_SEC / 3;
+static bool event_killkmod = false;
static sigset_t sigmask_orig;
static UDEV_LIST(event_list);
static UDEV_LIST(worker_list);
@@ -1017,6 +1018,12 @@ static void kernel_cmdline_options(struc
}
event_timeout_usec *= USEC_PER_SEC;
event_timeout_warn_usec = (event_timeout_usec / 3) ? : 1;
+ } else if (startswith(opt, "udev.killkmod=")) {
+ r = parse_boolean(opt + 14);
+ if (r < 0)
+ log_warning("Invalid udev.killkmod Ignoring: %s", opt + 14);
+ else
+ event_killkmod = r;
}
free(s);
@@ -1065,7 +1072,7 @@ int main(int argc, char *argv[]) {
}
for (;;) {
- int option, r;
+ int option;
option = getopt_long(argc, argv, "c:de:DtN:hV", options, NULL);
if (option == -1)
@@ -1356,6 +1363,12 @@ int main(int argc, char *argv[]) {
udev_list_node_init(&event_list);
udev_list_node_init(&worker_list);
+ r = mkdir_p("/run/udev/kmod", 0755);
+ if (r < 0 && errno != EEXIST) {
+ log_error("could not create /run/udev/kmod: %m");
+ goto exit;
+ }
+
for (;;) {
static usec_t last_usec;
struct epoll_event ev[8];
@@ -1440,7 +1453,13 @@ int main(int argc, char *argv[]) {
if (worker->state != WORKER_RUNNING)
continue;
-
+#ifdef HAVE_KMOD
+ if (udev_check_for_kmod(worker->pid)) {
+ log_debug("worker [%u] %s is using kmod", worker->pid, worker->event->devpath);
+ if (!event_killkmod)
+ continue;
+ }
+#endif
ts = now(CLOCK_MONOTONIC);
if ((ts - worker->event_start_usec) > event_timeout_warn_usec) {
--- src/udev/udev.h
+++ src/udev/udev.h 2014-09-24 14:33:33.824008084 +0000
@@ -88,6 +88,7 @@ int udev_event_spawn(struct udev_event *
char *result, size_t ressize);
void udev_event_execute_rules(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec,
struct udev_rules *rules, const sigset_t *sigset);
+bool udev_check_for_kmod(pid_t pid);
void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigset);
int udev_build_argv(struct udev *udev, char *cmd, int *argc, char *argv[]);
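Review bot: The `#else` branch of the HAVE_KMOD block does not compile: it defines `udev_set_kmod` and `udev_unset_kmod`, while the call sites in udev_event_execute_run() use `udev_check_and_set_kmod(builtin_cmd, event)` and `udev_check_and_unset_kmod(builtin_cmd, event)`, and the space in `# define udev_set_kmod (a,b)` makes it an object-like macro expanding to the token sequence `(a,b)` rather than a function-like no-op. They should read `# define udev_check_and_set_kmod(a,b) do {} while (0)` and `# define udev_check_and_unset_kmod(a,b) do {} while (0)`. In the HAVE_KMOD variants the `case UDEV_BUILTIN_KMOD:` arm runs into `default:` without a `break` or a `/* fallthrough */` marker, and the `event` parameter is unused in both. Separately, the per-pid marker under /run/udev/kmod is removed only on the normal return path, so a worker that dies between touch() and unlink() leaves a stale marker that the timeout check in main() (`udev_check_for_kmod(worker->pid)`) will later honour for any worker that happens to reuse that pid; clearing the directory at startup, next to the `mkdir_p("/run/udev/kmod", 0755)` call, and when a worker exits would limit that. The `r < 0 && errno != EEXIST` test after mkdir_p() also looks suspect if mkdir_p() reports failure as a negative return rather than through errno, as other systemd helpers do — worth confirming.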


@ -0,0 +1,82 @@
Based on 2ec3ff668ff03410e94cfef8e3ee9384a8222211 Mon Sep 17 00:00:00 2001
From: David Herrmann <dh.herrmann@gmail.com>
Date: Fri, 19 Sep 2014 13:26:39 +0200
Subject: [PATCH] login: pause devices before acknowledging VT switches
If a session controller does not need synchronous VT switches, we allow
them to pass VT control to logind, which acknowledges all VT switches
unconditionally. This works fine with all sessions using the dbus API,
but causes out-of-sync device use if we switch to legacy sessions that
are notified via VT signals. Those are processed before logind notices
the session-switch via sysfs. Therefore, leaving the old session still
active for a short amount of time.
This, in fact, may cause the legacy session to prepare graphics devices
before the old session was deactivated, and thus, maybe causing the old
session to interfer with graphics device usage.
Fix this by releasing devices immediately before acknowledging VT
switches. This way, sessions without VT handlers are required to support
async session switching (which they do in that case, anyway).
---
src/login/logind-session.c | 21 +++++++++++++++++++++
src/login/logind-session.h | 1 +
src/login/logind.c | 4 ++--
3 files changed, 24 insertions(+), 2 deletions(-)
--- src/login/logind-session.c
+++ src/login/logind-session.c 2014-09-24 07:40:45.786639180 +0000
@@ -1040,6 +1040,27 @@ void session_restore_vt(Session *s) {
s->vtfd = -1;
}
+void session_leave_vt(Session *s) {
+ assert(s);
+
+ /* This is called whenever we get a VT-switch signal from the kernel.
+ * We acknowledge all of them unconditionally. Note that session are
+ * free to overwrite those handlers and we only register them for
+ * sessions with controllers. Legacy sessions are not affected.
+ * However, if we switch from a non-legacy to a legacy session, we must
+ * make sure to pause all device before acknowledging the switch. We
+ * process the real switch only after we are notified via sysfs, so the
+ * legacy session might have already started using the devices. If we
+ * don't pause the devices before the switch, we might confuse the
+ * session we switch to. */
+
+ if (s->vtfd < 0)
+ return;
+
+ session_device_pause_all(s);
+ ioctl(s->vtfd, VT_RELDISP, 1);
+}
+
bool session_is_controller(Session *s, const char *sender) {
assert(s);
--- src/login/logind-session.h
+++ src/login/logind-session.h 2014-09-24 07:41:50.290236363 +0000
@@ -173,6 +173,7 @@ KillWho kill_who_from_string(const char
int session_mute_vt(Session *s);
void session_restore_vt(Session *s);
+void session_leave_vt(Session *s);
bool session_is_controller(Session *s, const char *sender);
int session_set_controller(Session *s, const char *sender, bool force);
--- src/login/logind.c
+++ src/login/logind.c 2014-09-24 00:00:00.000000000 +0000
@@ -743,11 +743,11 @@ static int manager_vt_switch(sd_event_so
}
if (active->vtfd >= 0) {
- ioctl(active->vtfd, VT_RELDISP, 1);
+ session_leave_vt(active);
} else {
LIST_FOREACH(sessions_by_seat, iter, m->seat0->sessions) {
if (iter->vtnr == active->vtnr && iter->vtfd >= 0) {
- ioctl(iter->vtfd, VT_RELDISP, 1);
+ session_leave_vt(iter);
break;
}
}
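Review bot: session_leave_vt() discards the result of `ioctl(s->vtfd, VT_RELDISP, 1)`, so an acknowledgement that fails — leaving the switch unacknowledged — is invisible in the logs; the inline calls it replaces in manager_vt_switch() had the same gap, and the new helper is the natural place to close it, e.g. `if (ioctl(s->vtfd, VT_RELDISP, 1) < 0) log_debug("VT_RELDISP failed: %m");`. The new comment also has two slips worth fixing while here: `session are free` should read `sessions are free` and `pause all device` should read `pause all devices`.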


@ -0,0 +1,21 @@
Based on c00524c9cc7fb498c7244350e25823b8352f078c Mon Sep 17 00:00:00 2001
From: Tom Gundersen <teg@jklm.no>
Date: Fri, 19 Sep 2014 23:02:00 +0200
Subject: [PATCH] nspawn: don't try to create veth link with too long ifname
Reported by: James Lott <james@lottspot.com>
---
src/nspawn/nspawn.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- src/nspawn/nspawn.c
+++ src/nspawn/nspawn.c 2014-09-23 15:33:06.766236272 +0000
@@ -1383,7 +1383,7 @@ static int setup_veth(pid_t pid, char if
/* Use two different interface name prefixes depending whether
* we are in bridge mode or not. */
- snprintf(iface_name, IFNAMSIZ, "%s-%s",
+ snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
arg_network_bridge ? "vb" : "ve", arg_machine);
r = sd_rtnl_open(&rtnl, 0);
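Review bot: Passing `IFNAMSIZ - 1` to snprintf() still truncates a long machine name silently rather than refusing it, which is what the subject line promises: two machines whose names agree on the first dozen characters get the same veth name, and the second one fails later in the rtnl call with an unrelated-looking error. Checking the return value makes the failure explicit — assign the snprintf() result to `r` and follow it with `if (r < 0 || r >= IFNAMSIZ - 1) return log_error_errno_or_equivalent(-ENAMETOOLONG)` style handling, i.e. a log_error() naming `arg_machine` and `return -ENAMETOOLONG;`. Whether `iface_name` is an IFNAMSIZ-byte array is not visible in the hunk, and setup_veth() continues beyond it.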


@ -0,0 +1,414 @@
Based on 16115b0a7b7cdf08fb38084d857d572d8a9088dc Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 24 Jul 2014 10:40:28 +0200
Subject: [PATCH] socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
---
man/systemd.socket.xml | 26 +++++++
src/core/execute.c | 30 +++++++--
src/core/execute.h | 1
src/core/load-fragment-gperf.gperf.m4 | 3
src/core/mount.c | 1
src/core/service.c | 4 -
src/core/service.h | 3
src/core/socket.c | 16 +++-
src/core/socket.h | 2
src/core/swap.c | 1
src/shared/label.c | 113 ++++++++++++++++++++++++++++++++++
src/shared/label.h | 2
12 files changed, 191 insertions(+), 11 deletions(-)
--- man/systemd.socket.xml
+++ man/systemd.socket.xml 2014-09-23 15:36:49.000000000 +0000
@@ -570,6 +570,32 @@
</varlistentry>
<varlistentry>
+ <term><varname>SELinuxContextFromNet=</varname></term>
+ <listitem><para>Takes a boolean
+ argument. When true systemd will attempt
+ to figure out the SELinux label used
+ for the instantiated service from the
+ information handed by the peer over the
+ network. Note that only the security
+ level is used from the information
+ provided by the peer. Other parts of
+ the resulting SELinux context originate
+ from either the target binary that is
+ effectively triggered by socket unit
+ are taken from the value of the
+ <varname>SELinuxContext=</varname>
+ option.This configuration option only
+ affects sockets with
+ <varname>Accept=</varname> mode set to
+ <literal>true</literal>. Also note that
+ this option is useful only when
+ MLS/MCS SELinux policy is
+ deployed. Defaults to
+ <literal>false</literal>.
+ </para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><varname>PipeSize=</varname></term>
<listitem><para>Takes an size in
bytes. Controls the pipe buffer size
--- src/core/execute.c
+++ src/core/execute.c 2014-09-24 09:22:08.882735864 +0000
@@ -82,6 +82,7 @@
#include "selinux-util.h"
#include "errno-list.h"
#include "apparmor-util.h"
+#include "label.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
@@ -1123,6 +1124,7 @@ int exec_spawn(ExecCommand *command,
bool apply_chroot,
bool apply_tty_stdin,
bool confirm_spawn,
+ bool selinux_context_net,
CGroupControllerMask cgroup_supported,
const char *cgroup_path,
const char *unit_id,
@@ -1594,11 +1596,29 @@ int exec_spawn(ExecCommand *command,
#endif
#ifdef HAVE_SELINUX
- if (context->selinux_context && use_selinux()) {
- err = setexeccon(context->selinux_context);
- if (err < 0 && !context->selinux_context_ignore) {
- r = EXIT_SELINUX_CONTEXT;
- goto fail_child;
+ if (use_selinux()) {
+ if (context->selinux_context) {
+ err = setexeccon(context->selinux_context);
+ if (err < 0 && !context->selinux_context_ignore) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+ }
+
+ if (selinux_context_net && socket_fd >= 0) {
+ _cleanup_free_ char *label = NULL;
+
+ err = label_get_child_mls_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
}
}
#endif
--- src/core/execute.h
+++ src/core/execute.h 2014-09-23 15:46:26.000000000 +0000
@@ -195,6 +195,7 @@ int exec_spawn(ExecCommand *command,
bool apply_chroot,
bool apply_tty_stdin,
bool confirm_spawn,
+ bool selinux_context_net,
CGroupControllerMask cgroup_mask,
const char *cgroup_path,
const char *unit_id,
--- src/core/load-fragment-gperf.gperf.m4
+++ src/core/load-fragment-gperf.gperf.m4 2014-09-23 00:00:00.000000000 +0000
@@ -242,6 +242,9 @@ Socket.SmackLabelIPOut, config_
`Socket.SmackLabel, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0
Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0')
+m4_ifdef(`HAVE_SELINUX',
+`Socket.SELinuxContextFromNet, config_parse_bool, 0, offsetof(Socket, selinux_context_from_net)',
+`Socket.SELinuxContextFromNet, config_parse_warn_compat, 0, 0')
EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
--- src/core/mount.c
+++ src/core/mount.c 2014-09-24 09:16:26.234235379 +0000
@@ -785,6 +785,7 @@ static int mount_spawn(Mount *m, ExecCom
true,
true,
UNIT(m)->manager->confirm_spawn,
+ false,
UNIT(m)->manager->cgroup_supported,
UNIT(m)->cgroup_path,
UNIT(m)->id,
--- src/core/service.c
+++ src/core/service.c 2014-09-23 15:49:24.000000000 +0000
@@ -1856,6 +1856,7 @@ static int service_spawn(
apply_chroot,
apply_tty_stdin,
UNIT(s)->manager->confirm_spawn,
+ s->socket_fd_selinux_context_net,
UNIT(s)->manager->cgroup_supported,
path,
UNIT(s)->id,
@@ -3787,7 +3788,7 @@ static void service_bus_name_owner_chang
}
}
-int service_set_socket_fd(Service *s, int fd, Socket *sock) {
+int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) {
_cleanup_free_ char *peer = NULL;
int r;
@@ -3825,6 +3826,7 @@ int service_set_socket_fd(Service *s, in
}
s->socket_fd = fd;
+ s->socket_fd_selinux_context_net = selinux_context_net;
unit_ref_set(&s->accept_socket, UNIT(sock));
--- src/core/service.h
+++ src/core/service.h 2014-09-23 15:51:13.000000000 +0000
@@ -159,6 +159,7 @@ struct Service {
pid_t main_pid, control_pid;
int socket_fd;
+ bool socket_fd_selinux_context_net;
bool permissions_start_only;
bool root_directory_start_only;
bool remain_after_exit;
@@ -204,7 +205,7 @@ extern const UnitVTable service_vtable;
struct Socket;
-int service_set_socket_fd(Service *s, int fd, struct Socket *socket);
+int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net);
const char* service_state_to_string(ServiceState i) _const_;
ServiceState service_state_from_string(const char *s) _pure_;
--- src/core/socket.c
+++ src/core/socket.c 2014-09-24 09:13:29.698735735 +0000
@@ -453,7 +453,8 @@ static void socket_dump(Unit *u, FILE *f
"%sBroadcast: %s\n"
"%sPassCredentials: %s\n"
"%sPassSecurity: %s\n"
- "%sTCPCongestion: %s\n",
+ "%sTCPCongestion: %s\n"
+ "%sSELinuxContextFromNet: %s\n",
prefix, socket_state_to_string(s->state),
prefix, socket_result_to_string(s->result),
prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
@@ -466,7 +467,8 @@ static void socket_dump(Unit *u, FILE *f
prefix, yes_no(s->broadcast),
prefix, yes_no(s->pass_cred),
prefix, yes_no(s->pass_sec),
- prefix, strna(s->tcp_congestion));
+ prefix, strna(s->tcp_congestion),
+ prefix, yes_no(s->selinux_context_from_net));
if (s->control_pid > 0)
fprintf(f,
@@ -1000,7 +1002,12 @@ static int socket_open_fds(Socket *s) {
if (p->type == SOCKET_SOCKET) {
- if (!know_label) {
+ if (!know_label && s->selinux_context_from_net) {
+ r = label_get_our_label(&label);
+ if (r < 0)
+ return r;
+ know_label = true;
+ } else if (!know_label) {
if ((r = socket_instantiate_service(s)) < 0)
return r;
@@ -1247,6 +1254,7 @@ static int socket_spawn(Socket *s, ExecC
true,
true,
UNIT(s)->manager->confirm_spawn,
+ s->selinux_context_from_net,
UNIT(s)->manager->cgroup_supported,
UNIT(s)->cgroup_path,
UNIT(s)->id,
@@ -1568,7 +1576,7 @@ static void socket_enter_running(Socket
unit_choose_id(UNIT(service), name);
- r = service_set_socket_fd(service, cfd, s);
+ r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
if (r < 0)
goto fail;
--- src/core/socket.h
+++ src/core/socket.h 2014-09-23 15:55:17.000000000 +0000
@@ -154,6 +154,8 @@ struct Socket {
char *smack;
char *smack_ip_in;
char *smack_ip_out;
+
+ bool selinux_context_from_net;
};
/* Called from the service code when collecting fds */
--- src/core/swap.c
+++ src/core/swap.c 2014-09-24 09:17:18.438735618 +0000
@@ -642,6 +642,7 @@ static int swap_spawn(Swap *s, ExecComma
true,
true,
UNIT(s)->manager->confirm_spawn,
+ false,
UNIT(s)->manager->cgroup_supported,
UNIT(s)->cgroup_path,
UNIT(s)->id,
--- src/shared/label.c
+++ src/shared/label.c 2014-09-23 00:00:00.000000000 +0000
@@ -31,6 +31,7 @@
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/context.h>
#endif
#include "label.h"
@@ -41,6 +42,12 @@
#include "smack-util.h"
#ifdef HAVE_SELINUX
+DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
+DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
+
+#define _cleanup_security_context_free_ _cleanup_(freeconp)
+#define _cleanup_context_free_ _cleanup_(context_freep)
+
static struct selabel_handle *label_hnd = NULL;
#endif
@@ -243,6 +250,112 @@ fail:
return r;
}
+int label_get_our_label(char **label) {
+ int r = -EOPNOTSUPP;
+ char *l = NULL;
+
+#ifdef HAVE_SELINUX
+ r = getcon(&l);
+ if (r < 0)
+ return r;
+
+ *label = l;
+#endif
+
+ return r;
+}
+
+int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+ int r = -EOPNOTSUPP;
+
+#ifdef HAVE_SELINUX
+
+ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
+ _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
+ security_class_t sclass;
+
+ const char *range = NULL;
+
+ assert(socket_fd >= 0);
+ assert(exe);
+ assert(label);
+
+ r = getcon(&mycon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = getpeercon(socket_fd, &peercon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ r = getexeccon(&fcon);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ if (!fcon) {
+ /* If there is no context set for next exec let's use context
+ of target executable */
+ r = getfilecon(exe, &fcon);
+ if (r < 0) {
+ r = -errno;
+ goto out;
+ }
+ }
+
+ bcon = context_new(mycon);
+ if (!bcon) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ pcon = context_new(peercon);
+ if (!pcon) {
+ r = -ENOMEM;
+ goto out;
+ }
+
+ range = context_range_get(pcon);
+ if (!range) {
+ r = -errno;
+ goto out;
+ }
+
+ r = context_range_set(bcon, range);
+ if (r) {
+ r = -errno;
+ goto out;
+ }
+
+ freecon(mycon);
+ mycon = context_str(bcon);
+ if (!mycon) {
+ r = -errno;
+ goto out;
+ }
+
+ sclass = string_to_security_class("process");
+ r = security_compute_create(mycon, fcon, sclass, &ret);
+ if (r < 0) {
+ r = -EINVAL;
+ goto out;
+ }
+
+ *label = ret;
+ r = 0;
+
+out:
+ if (r < 0 && security_getenforce() == 1)
+ return r;
+#endif
+ return r;
+}
+
int label_context_set(const char *path, mode_t mode) {
int r = 0;
--- src/shared/label.h
+++ src/shared/label.h 2014-09-23 00:00:00.000000000 +0000
@@ -40,6 +40,8 @@ void label_context_clear(void);
void label_free(const char *label);
int label_get_create_label_from_exe(const char *exe, char **label);
+int label_get_our_label(char **label);
+int label_get_child_mls_label(int socket_fd, const char *exec, char **label);
int label_mkdir(const char *path, mode_t mode);
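Review bot: `mycon = context_str(bcon);` near the end of label_get_child_mls_label() stores a pointer that, in libselinux, belongs to the `context_t` rather than being a fresh allocation, yet `mycon` is declared with `_cleanup_security_context_free_`: on every exit after that line the string is freed once via `freecon()` and again when `bcon` is released by `context_free()`. Copying it avoids the double free: `mycon = strdup(context_str(bcon)); if (!mycon) { r = -ENOMEM; goto out; }`. The `r = -errno` mapping after `context_range_get()` and `context_range_set()` is also fragile, since those calls do not reliably set errno and a zero errno turns the failure into `r = 0` with `*label` left unassigned, which exec_spawn() then passes straight to `setexeccon()`; an explicit `-EINVAL`, as already used after getcon()/getpeercon(), is safer. Finally the `out:` block is a no-op as written — `if (r < 0 && security_getenforce() == 1) return r;` is immediately followed by `return r;` — so if the intent was to tolerate failures in permissive mode, that path needs to return either a usable label or a distinct code the caller can skip on.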


@ -0,0 +1,25 @@
Based on 8507eb20b64010b26f23822cbf442bb0bf96511c Mon Sep 17 00:00:00 2001
From: Emil Renner Berthing <systemd@esmil.dk>
Date: Fri, 19 Sep 2014 20:26:53 +0200
Subject: [PATCH] util: avoid non-portable __WORDSIZE
Lets not unnecessarily rely on __WORDSIZE, which is not clearly specified
by any spec. Use explicit size comparisons if we're not interested in the
WORDSIZE, anyway.
(David: adjust commit message to explain why we do this)
---
src/shared/util.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- src/shared/util.h
+++ src/shared/util.h 2014-09-24 06:58:11.378235669 +0000
@@ -166,7 +166,7 @@ int safe_atolli(const char *s, long long
int safe_atod(const char *s, double *ret_d);
-#if __WORDSIZE == 32
+#if LONG_MAX == INT_MAX
static inline int safe_atolu(const char *s, unsigned long *ret_u) {
assert_cc(sizeof(unsigned long) == sizeof(unsigned));
return safe_atou(s, (unsigned*) ret_u);
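Review bot: `#if LONG_MAX == INT_MAX` is only meaningful if `<limits.h>` is in scope at this point of util.h; the preprocessor evaluates an undefined identifier as 0, so without the header the condition is silently true on every platform and the 32-bit `safe_atolu()` variant is selected for 64-bit builds as well (where the `assert_cc(sizeof(unsigned long) == sizeof(unsigned))` on the next line would then break the build, which at least makes the mistake loud). The include list lies outside this hunk, so I cannot confirm it; if `<limits.h>` is not already included, add it. As a matter of style, `#if ULONG_MAX == UINT_MAX` would name the unsigned types the function actually converts.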


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de
- Update patch 0001-bnc888612-logind-polkit-acpi.patch
-------------------------------------------------------------------
Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de
- Add upstream patches
0001-login-pause-devices-before-acknowledging-VT-switches.patch
May help that history of the shell is saved
0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801)
0002-util-avoid-non-portable-__WORDSIZE.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de


@ -888,6 +888,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch
Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch
# PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612) # PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612)
Patch430: 0001-bnc888612-logind-polkit-acpi.patch Patch430: 0001-bnc888612-logind-polkit-acpi.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved
Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24
Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801)
Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24
Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch
# UDEV PATCHES # UDEV PATCHES
# ============ # ============
@ -1658,6 +1666,10 @@ cp %{SOURCE7} m4/
%patch428 -p0 %patch428 -p0
%patch429 -p0 %patch429 -p0
%patch430 -p1 %patch430 -p1
%patch431 -p0
%patch432 -p0
%patch433 -p0
%patch434 -p0
# udev patches # udev patches
%patch1001 -p1 %patch1001 -p1
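Review bot: The comment above Patch431, `# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved`, does not describe that patch: 0001-login-pause-devices-before-acknowledging-VT-switches.patch pauses a session's devices before logind acknowledges a VT switch and has nothing to do with shell history. Suggest `# PATCH-FIX-UPSTREAM added at 2014/09/24 -- pause devices before acknowledging VT switches`. The same stray wording appears in the second spec section below and in both changelog entries.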


@ -1,3 +1,24 @@
-------------------------------------------------------------------
Wed Sep 24 15:05:49 UTC 2014 - werner@suse.de
- Add patch 0001-infinit-timeout-for-kmod-loaded-modules.patch to
be able to avoid killing a running kmod/modprobe (bnc#889297)
-------------------------------------------------------------------
Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de
- Update patch 0001-bnc888612-logind-polkit-acpi.patch
-------------------------------------------------------------------
Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de
- Add upstream patches
0001-login-pause-devices-before-acknowledging-VT-switches.patch
May help that history of the shell is saved
0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801)
0002-util-avoid-non-portable-__WORDSIZE.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de


@ -883,6 +883,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch
Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch
# PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612) # PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612)
Patch430: 0001-bnc888612-logind-polkit-acpi.patch Patch430: 0001-bnc888612-logind-polkit-acpi.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved
Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24
Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801)
Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch
# PATCH-FIX-UPSTREAM added at 2014/09/24
Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch
# UDEV PATCHES # UDEV PATCHES
# ============ # ============
@ -1653,6 +1661,10 @@ cp %{SOURCE7} m4/
%patch428 -p0 %patch428 -p0
%patch429 -p0 %patch429 -p0
%patch430 -p1 %patch430 -p1
%patch431 -p0
%patch432 -p0
%patch433 -p0
%patch434 -p0
# udev patches # udev patches
%patch1001 -p1 %patch1001 -p1