Merge remote-tracking branch 'up/master' into master-riscv64

Signed-off-by: David Abdurachmanov <david.abdurachmanov@sifive.com>
David Abdurachmanov 2019-12-22 11:34:48 +02:00
commit bfc42d4192
Signed by: davidlt
GPG Key ID: 8B7F1DA0E2C9FDBB
6 changed files with 51 additions and 318 deletions


@ -1,178 +0,0 @@
From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Wed, 3 Apr 2019 10:56:14 +0200
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
services"
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
units/systemd-coredump@.service.in | 1 -
units/systemd-hostnamed.service.in | 1 -
units/systemd-initctl.service.in | 1 -
units/systemd-journal-remote.service.in | 1 -
units/systemd-journald.service.in | 1 -
units/systemd-localed.service.in | 1 -
units/systemd-logind.service.in | 1 -
units/systemd-machined.service.in | 1 -
units/systemd-networkd.service.in | 1 -
units/systemd-resolved.service.in | 1 -
units/systemd-rfkill.service.in | 1 -
units/systemd-timedated.service.in | 1 -
units/systemd-timesyncd.service.in | 1 -
13 files changed, 13 deletions(-)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index afb2ab9d17..5babc11e4c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,7 +22,6 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
Nice=9
-NoNewPrivileges=yes
OOMScoreAdjust=500
PrivateDevices=yes
PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b4f606cf78..f7977e1504 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,6 +14,5 @@ DefaultDependencies=no
[Service]
ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
NotifyAccess=all
SystemCallArchitectures=native
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index dd6322e62c..c867aca104 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
LockPersonality=yes
LogsDirectory=journal/remote
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a..308622e9b3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 7bca34409a..05fb4f0c80 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 3eef95c661..53af530aea 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index d6deefea08..092abc128f 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectHostname=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2c74da6f1e..eaabcb9941 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index eee5d5ea8f..a8f442ef6f 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=!!@rootlibexecdir@/systemd-resolved
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,7 +18,6 @@ Before=shutdown.target
[Service]
ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
StateDirectory=systemd/rfkill
TimeoutSec=30s
Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index df546f471f..4d50999a22 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 6512531e1c..2b2e1d73d2 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
LockPersonality=yes
MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes


@ -3,10 +3,7 @@ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Fri, 11 Mar 2016 17:06:17 -0500
Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime
If the symlink doesn't exists, and we are being started, let's
create it to provie name resolution.
If it exists, do nothing. In particular, if it is a broken symlink,
If the symlink exists, do nothing. In particular, if it is a broken symlink,
we cannot really know if the administator configured it to point to
a location used by some service that hasn't started yet, so we
don't touch it in that case either.
@ -17,21 +14,6 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085
tmpfiles.d/etc.conf.m4 | 3 ---
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 2ca9fbdc72..3c8a9ff12a 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) {
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
* privileges are already dropped. */
if (getuid() == 0) {
+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf");
+ if (r < 0 && errno != EEXIST)
+ log_warning_errno(errno,
+ "Could not create /etc/resolv.conf symlink: %m");
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
r = drop_privileges(uid, gid,
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
index f82e0b82ce..66a777bdb2 100644
--- a/tmpfiles.d/etc.conf.m4


@ -1,104 +0,0 @@
From 8af4c8abfb59ab66f1f5a34f0eac1342e6f0c7e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Thu, 17 Oct 2019 12:37:12 +0200
Subject: [PATCH] udev: tag any display devices as master-of-seat when
nomodeset is used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes #13773. See also https://bugzilla.redhat.com/show_bug.cgi?id=1728240,
https://github.com/sddm/sddm/issues/1204.
When nomodeset is used on the kernel command line, there is no graphics
device that the kernel knows, so we don't tag anything as master-of-seat,
and seat0 has CanGraphical=no.
$ loginctl seat-status seat0 ; loginctl show-seat seat0
seat0
Devices:
├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
│ input:input0 "Power Button"
├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1
│ usb:usb1
│ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4
│ input:input4 "QEMU QEMU USB Tablet"
├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2
│ usb:usb2
├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0
│ sound:card0 "Intel"
├─/sys/devices/platform/i8042/serio0/input/input1
│ input:input1 "AT Translated Set 2 keyboard"
│ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock
│ │ leds:input1::capslock
│ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock
│ │ leds:input1::numlock
│ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock
│ leds:input1::scrolllock
└─/sys/devices/platform/i8042/serio1/input/input3
input:input3 "ImExPS/2 Generic Explorer Mouse"
Id=seat0
CanMultiSession=yes
CanTTY=yes
CanGraphical=no
Sessions=
IdleHint=yes
IdleSinceHint=0
IdleSinceHintMonotonic=0
Let's tag the PCI device with "master-of-seat", so we get CanGraphical=yes, and "seat",
so it is show as part of the seat:
[fedora@f31-bios ~]$ loginctl seat-status seat0 ; loginctl show-seat seat0
seat0
Devices:
├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0
│ input:input0 "Power Button"
├─/sys/devices/pci0000:00/0000:00:01.0
│ [MASTER] pci:0000:00:01.0
├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1
│ usb:usb1
│ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4
│ input:input4 "QEMU QEMU USB Tablet"
├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2
│ usb:usb2
├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0
│ sound:card0 "Intel"
├─/sys/devices/platform/i8042/serio0/input/input1
│ input:input1 "AT Translated Set 2 keyboard"
│ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock
│ │ leds:input1::capslock
│ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock
│ │ leds:input1::numlock
│ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock
│ leds:input1::scrolllock
└─/sys/devices/platform/i8042/serio1/input/input3
input:input3 "ImExPS/2 Generic Explorer Mouse"
Id=seat0
CanMultiSession=yes
CanTTY=yes
CanGraphical=yes
Sessions=
IdleHint=yes
IdleSinceHint=0
IdleSinceHintMonotonic=0
---
src/login/71-seat.rules.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in
index 6010f048aef..2bbd18363e6 100644
--- a/src/login/71-seat.rules.in
+++ b/src/login/71-seat.rules.in
@@ -24,6 +24,11 @@ SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", DRIVERS=="hyperv_fb", TAG+="master-of-
# Allow efifb / uvesafb to be a master if KMS is disabled
SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", IMPORT{cmdline}="nomodeset", TAG+="master-of-seat"
+# Allow any PCI graphics device to be a master and synthesize a seat if KMS
+# is disabled and the kernel doesn't have a driver that would work with this device.
+SUBSYSTEM=="pci", ENV{ID_PCI_CLASS_FROM_DATABASE}=="Display controller", \
+ ENV{DRIVER}=="", IMPORT{cmdline}="nomodeset", TAG+="seat", TAG+="master-of-seat"
+
SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="seat", TAG+="master-of-seat"
SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", TAG+="seat"


@ -15,21 +15,21 @@ See the bug for more discussion and links.
2 files changed, 6 insertions(+)
create mode 100644 rules/60-block-scheduler.rules
diff --git a/rules/60-block-scheduler.rules b/rules/60-block-scheduler.rules
diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
new file mode 100644
index 00000000000..480b941761f
--- /dev/null
+++ b/rules/60-block-scheduler.rules
+++ b/rules.d/60-block-scheduler.rules
@@ -0,0 +1,5 @@
+# do not edit this file, it will be overwritten on update
+
+ACTION=="add", SUBSYSTEM=="block", \
+ KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
+ ATTR{queue/scheduler}="bfq"
diff --git a/rules/meson.build b/rules/meson.build
diff --git a/rules.d/meson.build b/rules.d/meson.build
index b6a32ba77e2..1da958b4d46 100644
--- a/rules/meson.build
+++ b/rules/meson.build
--- a/rules.d/meson.build
+++ b/rules.d/meson.build
@@ -2,6 +2,7 @@
rules = files('''
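Review bot: The path move from `rules/` to `rules.d/` is incomplete inside this patch file: the `diff --git`, `---` and `+++` headers now read `rules.d/...`, but the unchanged `create mode 100644 rules/60-block-scheduler.rules` line at the top of the hunk still carries the old prefix. `git apply`/`git am` treat the summary before the first `diff --git` as commentary, so the patch should still apply, but the stale path misleads anyone reading the patch to see which file it creates. Change that line to `create mode 100644 rules.d/60-block-scheduler.rules`, and check the per-file diffstat lines above this hunk, which lie outside it, for the same leftover. Whether the patch's `index`/hash lines were regenerated for the new paths cannot be seen here.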


@ -1 +1 @@
SHA512 (systemd-ef67743.tar.gz) = 9e905ef4f310f5cbd739f15d51e8c500b0e6ce2fbd2ad33b6568e06212ecfb5bba1347754c00b37d30a5b65cd2432d99aef87ebbafa1a94b4185d773f4ce4987
SHA512 (systemd-244.1.tar.gz) = 7a604d2dcf29b51eeac609813eb8dfca2900fc1d6b5ae6a211704fc695f4fb909644d86e87c790c53dec8fac3cb6f1e628266d44234d2b35d12e06bbf4fbaf8e


@ -1,4 +1,4 @@
%global commit ef677436aa203c24816021dd698b57f219f0ff64
#global commit ef677436aa203c24816021dd698b57f219f0ff64
%{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})}
%global stable 1
@ -14,8 +14,8 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 243
Release: 4%{?commit:.git%{shortcommit}}.0.riscv64%{?dist}
Version: 244.1
Release: 2%{?commit:.git%{shortcommit}}.0.riscv64%{?dist}
# For a breakdown of the licensing, see README
License: LGPLv2+ and MIT and GPLv2+
Summary: System and Service Manager
@ -26,8 +26,12 @@ Summary: System and Service Manager
%if %{defined commit}
Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
%else
%if 0%{?stable}
Source0: https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
%else
Source0: https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz
%endif
%endif
# This file must be available before %%prep.
# It is generated during systemd build and can be found in build/src/core/.
Source1: triggers.systemd
@ -55,13 +59,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828
Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch
Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1728240
# https://github.com/systemd/systemd/issues/13773
# https://github.com/systemd/systemd/pull/13792
Patch0003: 13792.patch
Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
#Patch0040: systemd-seccomp-riscv64.patch
@ -154,6 +151,10 @@ Conflicts: fedora-release < 23-0.12
Obsoletes: timedatex < 0.6-3
Provides: timedatex = 0.6-3
# https://bugzilla.redhat.com/show_bug.cgi?id=1753381
Provides: u2f-hidraw-policy = 1.0.2-40
Obsoletes: u2f-hidraw-policy < 1.0.2-40
%description
systemd is a system and service manager that runs as PID 1 and starts
the rest of the system. It provides aggressive parallelization
@ -305,6 +306,8 @@ CONFIGURE_OPTS=(
-Dsysvinit-path=/etc/rc.d/init.d
-Drc-local=/etc/rc.d/rc.local
-Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org'
-Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin
-Dservice-watchdog=
-Ddev-kvm-mode=0666
-Dkmod=true
-Dxkbcommon=true
@ -715,10 +718,40 @@ fi
%files tests -f .file-list-tests
%changelog
* Fri Nov 08 2019 David Abdurachmanov <david.abdurachmanov@sifive.com> - 243-4.gitef67743.0.riscv64
* Sun Dec 22 2019 David Abdurachmanov <david.abdurachmanov@sifive.com> - 244.1-2.0.riscv64
- Disable SECCOMP until the test can pass
- Add SECCOMP support for RISC-V 64-bit (riscv64)
* Sat Dec 21 2019 <zbyszek@nano-f31> - 244.1-2
- Disable service watchdogs (for systemd units)
* Sun Dec 15 2019 <zbyszek@nano-f31> - 244.1-1
- Update to latest stable batch (systemd-networkd fixups, better
support for seccomp on s390x, minor cleanups to documentation).
- Drop patch to revert addition of NoNewPrivileges to systemd units
* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244-1
- Update to latest version. Just minor bugs fixed since the pre-release.
* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 244~rc1-1
- Update to latest pre-release version,
see https://github.com/systemd/systemd/blob/master/NEWS#L3.
Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev,
systemd-networkd does not create a default route for link local addressing,
systemd-networkd supports dynamic reconfiguration and a bunch of new settings.
Network files support matching on WLAN SSID and BSSID.
- Better error messages when preset/enable/disable are used with a glob (#1763488)
- u2f-hidraw-policy package is obsoleted (#1753381)
* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 243.4
- Latest bugfix release. Systemd-stable snapshots will now be numbered.
- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148)
- systemd-modules-load.service should only warn, not fail, on error (#1254340)
- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726,
CVE-2018-21029)
- Fix regression with crypttab keys with colons
- Various memleaks and minor memory access issues, warning adjustments
* Fri Oct 18 2019 Adam Williamson <awilliam@redhat.com> - 243-4.gitef67743
- Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240)
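Review bot: The spec does not say where the riscv64 seccomp support comes from: the riscv64 changelog entry for 244.1-2.0.riscv64 carries both "Disable SECCOMP until the test can pass" and "Add SECCOMP support for RISC-V 64-bit (riscv64)", while `#Patch0040: systemd-seccomp-riscv64.patch` in the patch hunk is still commented out and no other riscv64 patch is listed. Which of those two bullets is new in this merge cannot be read from the rendered page. If the support is now upstream in 244, drop the dead `#Patch0040` line or annotate it, e.g. `# riscv64 seccomp support is in upstream 244; local patch no longer needed`; if it is still meant to be applied, the line needs to be uncommented and the patch added to the sources. The changelog hunk appears to run to the end of the page, so its trailing context may lie outside this view.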