diff --git a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch b/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch deleted file mode 100644 index 39c2f50..0000000 --- a/0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch +++ /dev/null 
@@ -1,178 +0,0 @@ -From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Wed, 3 Apr 2019 10:56:14 +0200 -Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running - services" - -This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4. ---- - units/systemd-coredump@.service.in | 1 - - units/systemd-hostnamed.service.in | 1 - - units/systemd-initctl.service.in | 1 - - units/systemd-journal-remote.service.in | 1 - - units/systemd-journald.service.in | 1 - - units/systemd-localed.service.in | 1 - - units/systemd-logind.service.in | 1 - - units/systemd-machined.service.in | 1 - - units/systemd-networkd.service.in | 1 - - units/systemd-resolved.service.in | 1 - - units/systemd-rfkill.service.in | 1 - - units/systemd-timedated.service.in | 1 - - units/systemd-timesyncd.service.in | 1 - - 13 files changed, 13 deletions(-) - -diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in -index afb2ab9d17..5babc11e4c 100644 ---- a/units/systemd-coredump@.service.in -+++ b/units/systemd-coredump@.service.in -@@ -22,7 +22,6 @@ IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes - Nice=9 --NoNewPrivileges=yes - OOMScoreAdjust=500 - PrivateDevices=yes - PrivateNetwork=yes -diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in -index b4f606cf78..f7977e1504 100644 ---- a/units/systemd-hostnamed.service.in -+++ b/units/systemd-hostnamed.service.in -@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateNetwork=yes - PrivateTmp=yes -diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in -index c276283908..f48d673d58 100644 ---- a/units/systemd-initctl.service.in -+++ b/units/systemd-initctl.service.in -@@ -14,6 +14,5 @@ DefaultDependencies=no - - [Service] - 
ExecStart=@rootlibexecdir@/systemd-initctl --NoNewPrivileges=yes - NotifyAccess=all - SystemCallArchitectures=native -diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in -index dd6322e62c..c867aca104 100644 ---- a/units/systemd-journal-remote.service.in -+++ b/units/systemd-journal-remote.service.in -@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va - LockPersonality=yes - LogsDirectory=journal/remote - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateNetwork=yes - PrivateTmp=yes -diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in -index fab405502a..308622e9b3 100644 ---- a/units/systemd-journald.service.in -+++ b/units/systemd-journald.service.in -@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224 - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - Restart=always - RestartSec=0 - RestrictAddressFamilies=AF_UNIX AF_NETLINK -diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in -index 7bca34409a..05fb4f0c80 100644 ---- a/units/systemd-localed.service.in -+++ b/units/systemd-localed.service.in -@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateNetwork=yes - PrivateTmp=yes -diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in -index 3eef95c661..53af530aea 100644 ---- a/units/systemd-logind.service.in -+++ b/units/systemd-logind.service.in -@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512 - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateTmp=yes - ProtectControlGroups=yes - ProtectHome=yes -diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in -index d6deefea08..092abc128f 100644 ---- a/units/systemd-machined.service.in 
-+++ b/units/systemd-machined.service.in -@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - ProtectHostname=yes - RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 - RestrictRealtime=yes -diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in -index 2c74da6f1e..eaabcb9941 100644 ---- a/units/systemd-networkd.service.in -+++ b/units/systemd-networkd.service.in -@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N - ExecStart=!!@rootlibexecdir@/systemd-networkd - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - ProtectControlGroups=yes - ProtectHome=yes - ProtectKernelModules=yes -diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in -index eee5d5ea8f..a8f442ef6f 100644 ---- a/units/systemd-resolved.service.in -+++ b/units/systemd-resolved.service.in -@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE - ExecStart=!!@rootlibexecdir@/systemd-resolved - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateTmp=yes - ProtectControlGroups=yes -diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in -index 3abb958310..7447ed5b5b 100644 ---- a/units/systemd-rfkill.service.in -+++ b/units/systemd-rfkill.service.in -@@ -18,7 +18,6 @@ Before=shutdown.target - - [Service] - ExecStart=@rootlibexecdir@/systemd-rfkill --NoNewPrivileges=yes - StateDirectory=systemd/rfkill - TimeoutSec=30s - Type=notify -diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in -index df546f471f..4d50999a22 100644 ---- a/units/systemd-timedated.service.in -+++ b/units/systemd-timedated.service.in -@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated - IPAddressDeny=any - LockPersonality=yes - MemoryDenyWriteExecute=yes 
--NoNewPrivileges=yes - PrivateTmp=yes - ProtectControlGroups=yes - ProtectHome=yes -diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in -index 6512531e1c..2b2e1d73d2 100644 ---- a/units/systemd-timesyncd.service.in -+++ b/units/systemd-timesyncd.service.in -@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME - ExecStart=!!@rootlibexecdir@/systemd-timesyncd - LockPersonality=yes - MemoryDenyWriteExecute=yes --NoNewPrivileges=yes - PrivateDevices=yes - PrivateTmp=yes - ProtectControlGroups=yes diff --git a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch index 9aefc6d..f4cd87c 100644 --- a/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch +++ b/0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -3,10 +3,7 @@ From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Fri, 11 Mar 2016 17:06:17 -0500 Subject: [PATCH] resolved: create /etc/resolv.conf symlink at runtime -If the symlink doesn't exists, and we are being started, let's -create it to provie name resolution. - -If it exists, do nothing. In particular, if it is a broken symlink, +If the symlink exists, do nothing. In particular, if it is a broken symlink, we cannot really know if the administator configured it to point to a location used by some service that hasn't started yet, so we don't touch it in that case either. 
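Review bot: The description rewritten in the first hunk of 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch now only covers the case where the symlink already exists, while the subject kept as context still reads `resolved: create /etc/resolv.conf symlink at runtime`. The next hunk (`@@ -17,21 +14,6 @@`) removes the whole `src/resolve/resolved.c` section, yet the diffstat left as context still says `2 files changed, 4 insertions(+), 3 deletions(-)`, so the patch header describes code it no longer carries. Going by that diffstat, what remains appears to be only the three deletions in `tmpfiles.d/etc.conf.m4`. I would retitle the patch, regenerate its diffstat, and say in the description which component is now expected to create `/etc/resolv.conf`, since nothing visible in this commit does.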
@@ -17,21 +14,6 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1313085 tmpfiles.d/etc.conf.m4 | 3 --- 2 files changed, 4 insertions(+), 3 deletions(-) -diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c -index 2ca9fbdc72..3c8a9ff12a 100644 ---- a/src/resolve/resolved.c -+++ b/src/resolve/resolved.c -@@ -49,6 +49,10 @@ static int run(int argc, char *argv[]) { - /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most - * privileges are already dropped. */ - if (getuid() == 0) { -+ r = symlink("../run/systemd/resolve/resolv.conf", "/etc/resolv.conf"); -+ if (r < 0 && errno != EEXIST) -+ log_warning_errno(errno, -+ "Could not create /etc/resolv.conf symlink: %m"); - - /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */ - r = drop_privileges(uid, gid, diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4 index f82e0b82ce..66a777bdb2 100644 --- a/tmpfiles.d/etc.conf.m4 diff --git a/13792.patch b/13792.patch deleted file mode 100644 index e127ebc..0000000 --- a/13792.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 8af4c8abfb59ab66f1f5a34f0eac1342e6f0c7e5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= -Date: Thu, 17 Oct 2019 12:37:12 +0200 -Subject: [PATCH] udev: tag any display devices as master-of-seat when - nomodeset is used -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes #13773. See also https://bugzilla.redhat.com/show_bug.cgi?id=1728240, -https://github.com/sddm/sddm/issues/1204. - -When nomodeset is used on the kernel command line, there is no graphics -device that the kernel knows, so we don't tag anything as master-of-seat, -and seat0 has CanGraphical=no. - -$ loginctl seat-status seat0 ; loginctl show-seat seat0 -seat0 - Devices: - ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 - │ input:input0 "Power Button" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 - │ usb:usb1 - │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 - │ input:input4 "QEMU QEMU USB Tablet" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 - │ usb:usb2 - ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 - │ sound:card0 "Intel" - ├─/sys/devices/platform/i8042/serio0/input/input1 - │ input:input1 "AT Translated Set 2 keyboard" - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock - │ │ leds:input1::capslock - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock - │ │ leds:input1::numlock - │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock - │ leds:input1::scrolllock - └─/sys/devices/platform/i8042/serio1/input/input3 - input:input3 "ImExPS/2 Generic Explorer Mouse" -Id=seat0 -CanMultiSession=yes -CanTTY=yes -CanGraphical=no -Sessions= -IdleHint=yes -IdleSinceHint=0 -IdleSinceHintMonotonic=0 - -Let's tag the PCI device with "master-of-seat", so we get CanGraphical=yes, and "seat", -so it is show as part of the seat: - -[fedora@f31-bios ~]$ loginctl seat-status 
seat0 ; loginctl show-seat seat0 -seat0 - Devices: - ├─/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input0 - │ input:input0 "Power Button" - ├─/sys/devices/pci0000:00/0000:00:01.0 - │ [MASTER] pci:0000:00:01.0 - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1 - │ usb:usb1 - │ └─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb1/1-1/1-1:1.0/0003:0627:0001.0001/input/input4 - │ input:input4 "QEMU QEMU USB Tablet" - ├─/sys/devices/pci0000:00/0000:00:02.1/0000:02:00.0/usb2 - │ usb:usb2 - ├─/sys/devices/pci0000:00/0000:00:1b.0/sound/card0 - │ sound:card0 "Intel" - ├─/sys/devices/platform/i8042/serio0/input/input1 - │ input:input1 "AT Translated Set 2 keyboard" - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::capslock - │ │ leds:input1::capslock - │ ├─/sys/devices/platform/i8042/serio0/input/input1/input1::numlock - │ │ leds:input1::numlock - │ └─/sys/devices/platform/i8042/serio0/input/input1/input1::scrolllock - │ leds:input1::scrolllock - └─/sys/devices/platform/i8042/serio1/input/input3 - input:input3 "ImExPS/2 Generic Explorer Mouse" -Id=seat0 -CanMultiSession=yes -CanTTY=yes -CanGraphical=yes -Sessions= -IdleHint=yes -IdleSinceHint=0 -IdleSinceHintMonotonic=0 ---- - src/login/71-seat.rules.in | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/login/71-seat.rules.in b/src/login/71-seat.rules.in -index 6010f048aef..2bbd18363e6 100644 ---- a/src/login/71-seat.rules.in -+++ b/src/login/71-seat.rules.in -@@ -24,6 +24,11 @@ SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", DRIVERS=="hyperv_fb", TAG+="master-of- - # Allow efifb / uvesafb to be a master if KMS is disabled - SUBSYSTEM=="graphics", KERNEL=="fb[0-9]", IMPORT{cmdline}="nomodeset", TAG+="master-of-seat" - -+# Allow any PCI graphics device to be a master and synthesize a seat if KMS -+# is disabled and the kernel doesn't have a driver that would work with this device. 
-+SUBSYSTEM=="pci", ENV{ID_PCI_CLASS_FROM_DATABASE}=="Display controller", \ -+ ENV{DRIVER}=="", IMPORT{cmdline}="nomodeset", TAG+="seat", TAG+="master-of-seat" -+ - SUBSYSTEM=="drm", KERNEL=="card[0-9]*", TAG+="seat", TAG+="master-of-seat" - SUBSYSTEM=="usb", ATTR{bDeviceClass}=="09", TAG+="seat" - diff --git a/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch b/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch index 4de01c4..5714b53 100644 --- a/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch +++ b/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch @@ -15,21 +15,21 @@ See the bug for more discussion and links. 2 files changed, 6 insertions(+) create mode 100644 rules/60-block-scheduler.rules -diff --git a/rules/60-block-scheduler.rules b/rules/60-block-scheduler.rules +diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules new file mode 100644 index 00000000000..480b941761f --- /dev/null -+++ b/rules/60-block-scheduler.rules ++++ b/rules.d/60-block-scheduler.rules @@ -0,0 +1,5 @@ +# do not edit this file, it will be overwritten on update + +ACTION=="add", SUBSYSTEM=="block", \ + KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \ + ATTR{queue/scheduler}="bfq" -diff --git a/rules/meson.build b/rules/meson.build +diff --git a/rules.d/meson.build b/rules.d/meson.build index b6a32ba77e2..1da958b4d46 100644 ---- a/rules/meson.build -+++ b/rules/meson.build +--- a/rules.d/meson.build ++++ b/rules.d/meson.build @@ -2,6 +2,7 @@ rules = files(''' diff --git a/sources b/sources index 05390ac..acce0a2 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (systemd-ef67743.tar.gz) = 9e905ef4f310f5cbd739f15d51e8c500b0e6ce2fbd2ad33b6568e06212ecfb5bba1347754c00b37d30a5b65cd2432d99aef87ebbafa1a94b4185d773f4ce4987 +SHA512 (systemd-244.1.tar.gz) = 7a604d2dcf29b51eeac609813eb8dfca2900fc1d6b5ae6a211704fc695f4fb909644d86e87c790c53dec8fac3cb6f1e628266d44234d2b35d12e06bbf4fbaf8e diff --git a/systemd.spec b/systemd.spec index d5a931f..1dfa53c 100644 
--- a/systemd.spec +++ b/systemd.spec @@ -1,4 +1,4 @@ -%global commit ef677436aa203c24816021dd698b57f219f0ff64 +#global commit ef677436aa203c24816021dd698b57f219f0ff64 %{?commit:%global shortcommit %(c=%{commit}; echo ${c:0:7})} %global stable 1 @@ -14,8 +14,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 243 -Release: 4%{?commit:.git%{shortcommit}}.0.riscv64%{?dist} +Version: 244.1 +Release: 2%{?commit:.git%{shortcommit}}.0.riscv64%{?dist} # For a breakdown of the licensing, see README License: LGPLv2+ and MIT and GPLv2+ Summary: System and Service Manager @@ -26,8 +26,12 @@ Summary: System and Service Manager %if %{defined commit} Source0: https://github.com/systemd/systemd%{?stable:-stable}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz %else +%if 0%{?stable} +Source0: https://github.com/systemd/systemd-stable/archive/v%{github_version}/%{name}-%{github_version}.tar.gz +%else Source0: https://github.com/systemd/systemd/archive/v%{github_version}/%{name}-%{github_version}.tar.gz %endif +%endif # This file must be available before %%prep. # It is generated during systemd build and can be found in build/src/core/. Source1: triggers.systemd @@ -55,13 +59,6 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[ # https://bugzilla.redhat.com/show_bug.cgi?id=1738828 Patch0001: https://github.com/keszybz/systemd/commit/464a73411c13596a130a7a8f0ac00ca728e5f69e.patch -Patch0002: 0002-Revert-units-set-NoNewPrivileges-for-all-long-runnin.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=1728240 -# https://github.com/systemd/systemd/issues/13773 -# https://github.com/systemd/systemd/pull/13792 -Patch0003: 13792.patch - Patch0998: 0998-resolved-create-etc-resolv.conf-symlink-at-runtime.patch #Patch0040: systemd-seccomp-riscv64.patch 
@@ -154,6 +151,10 @@ Conflicts: fedora-release < 23-0.12 Obsoletes: timedatex < 0.6-3 Provides: timedatex = 0.6-3 +# https://bugzilla.redhat.com/show_bug.cgi?id=1753381 +Provides: u2f-hidraw-policy = 1.0.2-40 +Obsoletes: u2f-hidraw-policy < 1.0.2-40 + %description systemd is a system and service manager that runs as PID 1 and starts the rest of the system. It provides aggressive parallelization @@ -305,6 +306,8 @@ CONFIGURE_OPTS=( -Dsysvinit-path=/etc/rc.d/init.d -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' + -Duser-path=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin + -Dservice-watchdog= -Ddev-kvm-mode=0666 -Dkmod=true -Dxkbcommon=true 
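Review bot: `-Dservice-watchdog=` in the CONFIGURE_OPTS hunk (`@@ -305,6 +306,8 @@`) switches off the watchdog for systemd's own long-running services, and the spec gives no reason or bug reference for it. With an empty value the shipped units get no `WatchdogSec=`, so a hung journald, logind or resolved is no longer killed and restarted by the manager; a stalled logging or login daemon then stays stalled until someone notices. The `Provides:`/`Obsoletes:` lines added in the previous hunk carry a Bugzilla link, and this option deserves the same: a comment above it such as `# service watchdogs disabled because <reason>, see <bug URL>`. If it is a workaround for units being killed on slow start-up (an assumption, since the page does not say), a longer timeout value would keep the protection where an empty one drops it. The CONFIGURE_OPTS array starts and ends outside the hunk.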
@@ -715,10 +718,40 @@ fi %files tests -f .file-list-tests %changelog -* Fri Nov 08 2019 David Abdurachmanov - 243-4.gitef67743.0.riscv64 +* Sun Dec 22 2019 David Abdurachmanov - 244.1-2.0.riscv64 - Disable SECCOMP until the test can pass - Add SECCOMP support for RISC-V 64-bit (riscv64) +* Sat Dec 21 2019 - 244.1-2 +- Disable service watchdogs (for systemd units) + +* Sun Dec 15 2019 - 244.1-1 +- Update to latest stable batch (systemd-networkd fixups, better + support for seccomp on s390x, minor cleanups to documentation). +- Drop patch to revert addition of NoNewPrivileges to systemd units + +* Fri Nov 29 2019 Zbigniew Jędrzejewski-Szmek - 244-1 +- Update to latest version. Just minor bugs fixed since the pre-release. + +* Fri Nov 22 2019 Zbigniew Jędrzejewski-Szmek - 244~rc1-1 +- Update to latest pre-release version, + see https://github.com/systemd/systemd/blob/master/NEWS#L3. + Biggest items: cgroups v2 cpuset controller, fido_id builtin in udev, + systemd-networkd does not create a default route for link local addressing, + systemd-networkd supports dynamic reconfiguration and a bunch of new settings. + Network files support matching on WLAN SSID and BSSID. +- Better error messages when preset/enable/disable are used with a glob (#1763488) +- u2f-hidraw-policy package is obsoleted (#1753381) + +* Tue Nov 19 2019 Zbigniew Jędrzejewski-Szmek - 243.4 +- Latest bugfix release. Systemd-stable snapshots will now be numbered. +- Fix broken PrivateDevices filter on big-endian, s390x in particular (#1769148) +- systemd-modules-load.service should only warn, not fail, on error (#1254340) +- Fix incorrect certificate validation with DNS over TLS (#1771725, #1771726, + CVE-2018-21029) +- Fix regression with crypttab keys with colons +- Various memleaks and minor memory access issues, warning adjustments + * Fri Oct 18 2019 Adam Williamson - 243-4.gitef67743 - Backport PR #13792 to fix nomodeset+BIOS CanGraphical bug (#1728240)