diff --git a/0001-core-disable-session-keyring-per-system-sevice-entir.patch b/0001-core-disable-session-keyring-per-system-sevice-entir.patch
new file mode 100644
index 00000000..62580997
--- /dev/null
+++ b/0001-core-disable-session-keyring-per-system-sevice-entir.patch
@@ -0,0 +1,31 @@
+From 30cceac444bcc67896611154b051669225abaa93 Mon Sep 17 00:00:00 2001
+From: Franck Bui
+Date: Thu, 6 Jul 2017 15:48:10 +0200
+Subject: [PATCH] core: disable session keyring per system sevice entirely
+ for now
+
+It seems that this stuff needs more thoughts...
+
+See also:
+https://github.com/systemd/systemd/pull/6286
+
+[fbui: fixes bnc#1045886]
+---
+ src/core/service.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 74054887b..874f2be93 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -1341,7 +1341,6 @@ static int service_spawn(
+ } else
+ path = UNIT(s)->cgroup_path;
+
+- exec_params.flags |= MANAGER_IS_SYSTEM(UNIT(s)->manager) ? EXEC_NEW_KEYRING : 0;
+ exec_params.argv = c->argv;
+ exec_params.environment = final_env;
+ exec_params.fds = fds;
+--
+2.13.1
+
diff --git a/systemd-mini.changes b/systemd-mini.changes
index ec11b71d..d2288481 100644
--- a/systemd-mini.changes
+++ b/systemd-mini.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jul 6 14:12:34 UTC 2017 - fbui@suse.com
+
+- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
+
+ Temporary patch to disable the session keyring stuff as it's
+ currently broken and may introduce some security holes.
+
 -------------------------------------------------------------------
 Thu Jul 6 12:57:06 UTC 2017 - fbui@suse.com
diff --git a/systemd-mini.spec b/systemd-mini.spec
index a33d0889..87fc1e21 100644
--- a/systemd-mini.spec
+++ b/systemd-mini.spec
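Review bot: The Subject line `core: disable session keyring per system sevice entirely` misspells "service", and because git format-patch derived the filename from it the typo is now repeated in both spec files and both changelogs; correcting it before this lands avoids a four-file rename later. The patch body also does not say what a system service ends up with once `exec_params.flags` no longer carries `EXEC_NEW_KEYRING` (presumably it keeps whatever session keyring it inherits from the manager, which is worth confirming and stating), so whoever later reverts this sees the trade-off rather than only the PR link. A sentence such as `Without EXEC_NEW_KEYRING a system service no longer gets a private session keyring at spawn and keeps the one inherited from the manager (to be confirmed); revisit once PR 6286 is resolved.` in the patch description would do. service_spawn() starts and ends outside the inner hunk.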
@@ -155,6 +155,14 @@ Source14: kbd-model-map.legacy
 Source1065: udev-remount-tmpfs
+# Patches listed in here are really special cases. Normally all
+# changes must go to upstream first and then are cherry-picked in the
+# SUSE git repository. But in very few cases, some stuff might be
+# broken in upstream and need an urgent fix. Even in this case, the
+# patches are temporary and should be removed as soon as a fix is
+# merged by upstream.
+Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch
+
 %description
 Systemd is a system and service manager, compatible with SysV and LSB init scripts for Linux. systemd provides aggressive parallelization
@@ -398,6 +406,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
 %prep
 %setup -q -n systemd-%{version}
+%autopatch -p1
 # only needed for bootstrap
 %if 0%{?bootstrap}
diff --git a/systemd.changes b/systemd.changes
index ec11b71d..d2288481 100644
--- a/systemd.changes
+++ b/systemd.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Jul 6 14:12:34 UTC 2017 - fbui@suse.com
+
+- Added 0001-core-disable-session-keyring-per-system-sevice-entir.patch (bnc#1045886)
+
+ Temporary patch to disable the session keyring stuff as it's
+ currently broken and may introduce some security holes.
+
 -------------------------------------------------------------------
 Thu Jul 6 12:57:06 UTC 2017 - fbui@suse.com
diff --git a/systemd.spec b/systemd.spec
index 512bce3d..4de82616 100644
--- a/systemd.spec
+++ b/systemd.spec
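Review bot: The comment block above `Patch1:` states the general policy but not what this particular patch is waiting on, so the person who is supposed to drop it has to dig through the .changes history; the identical hunk in systemd.spec has the same gap. Since the removal condition is known here, record it next to the directive, e.g. `# bnc#1045886: drop once https://github.com/systemd/systemd/pull/6286 is merged upstream and picked up in this tree`. The `%autopatch -p1` added in the second hunk applies every PatchN declared in the spec, which is fine today with one patch but means a future Patch2 is pulled in without any further spec change, so the comment should also say that this list is expected to stay empty or near-empty.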
@@ -153,6 +153,14 @@ Source14: kbd-model-map.legacy
 Source1065: udev-remount-tmpfs
+# Patches listed in here are really special cases. Normally all
+# changes must go to upstream first and then are cherry-picked in the
+# SUSE git repository. But in very few cases, some stuff might be
+# broken in upstream and need an urgent fix. Even in this case, the
+# patches are temporary and should be removed as soon as a fix is
+# merged by upstream.
+Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch
+
 %description
 Systemd is a system and service manager, compatible with SysV and LSB init scripts for Linux. systemd provides aggressive parallelization
@@ -396,6 +404,7 @@ Some systemd commands offer bash completion, but it is an optional dependency.
 %prep
 %setup -q -n systemd-%{version}
+%autopatch -p1
 # only needed for bootstrap
 %if 0%{?bootstrap}