Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: k...@debian.org, debian-b...@debian.org, pkg-systemd-maintain...@lists.alioth.debian.org
Hi,

I'd like to make a stable upload for systemd fixing two issues which users explicitly requested. Both issues are fixed in unstable and are direct cherry-picks from upstream.

Here's the annotated changelog:

systemd (241-7~deb10u7) buster; urgency=medium

  * core: make sure to restore the control command id, too.
    Fixes a segfault in systemd that can be triggered when both
    daemon-reload and a service restart happen concurrently. (Closes: #984495)
    https://salsa.debian.org/systemd-team/systemd/-/commit/99b743134a64d35506bdea0aac36eda47a19fc1a

    Happens rarely and is not easy to trigger. But a segfault in PID 1 is never nice, so it seems worthwhile to fix.

  * seccomp: allow turning off of seccomp filtering via env var.
    Since glibc 2.33 faccessat() is implemented via faccessat2(), which is
    breaking running containers that use such a version of glibc under
    systemd-nspawn in Buster.
    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
    possible to run such new containers. (Closes: #984573)
    https://salsa.debian.org/systemd-team/systemd/-/commit/e3268f6d9a2bdc739c55292d579a818f1190b77a

    With buster becoming older, we have more and more distros that use glibc 2.33 (like Arch or Fedora) and can't be run under systemd-nspawn. With the above env var it is possible to do so.

There are no changes related to udev, so d-i should not be affected. But as we need an ack because of the udeb, I've CCed kibi/debian-boot as usual.

Complete debdiff is attached.

Regards,
Michael
diff --git a/debian/changelog b/debian/changelog index 61dcee2..d9b9f23 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +systemd (241-7~deb10u7) buster; urgency=medium + + * core: make sure to restore the control command id, too. + Fixes a segfault in systemd that can be triggered when both + daemon-reload and a service restart happen concurrently. (Closes: #984495) + * seccomp: allow turning off of seccomp filtering via env var. + Since glibc 2.33 faccessat() is implemented via faccessat2(), which + is breaking running containers that use such a version of glibc under + systemd-nspawn in Buster. + Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it + possible to run such new containers. (Closes: #984573) + + -- Michael Biebl <bi...@debian.org> Thu, 18 Mar 2021 20:59:14 +0100 + systemd (241-7~deb10u6) buster; urgency=medium * journal: do not trigger assertion when journal_file_close() get NULL diff --git a/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch new file mode 100644 index 0000000..5df25ac --- /dev/null +++ b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch 
@@ -0,0 +1,27 @@ +From: Lennart Poettering <lenn...@poettering.net> +Date: Wed, 22 Apr 2020 20:34:02 +0200 +Subject: core: make sure to restore the control command id, too + +Fixes: #15356 +(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac) +--- + src/core/service.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/core/service.c b/src/core/service.c +index 5f5bcb3..eb66884 100644 +--- a/src/core/service.c ++++ b/src/core/service.c +@@ -2689,9 +2689,10 @@ static int service_deserialize_exec_command(Unit *u, const char *key, const char + break; + } + +- if (command && control) ++ if (command && control) { + s->control_command = command; +- else if (command) ++ s->control_command_id = id; ++ } else if (command) + s->main_command = command; + else + log_unit_warning(u, "Current command vanished from the unit file, execution of the command list won't be resumed."); diff --git a/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch new file mode 100644 index 0000000..12d823f --- /dev/null +++ b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch 
@@ -0,0 +1,79 @@ +From: Lennart Poettering <lenn...@poettering.net> +Date: Mon, 2 Nov 2020 14:51:10 +0100 +Subject: seccomp: allow turning off of seccomp filtering via env var + +Fixes: #17504 + +Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603 + +(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d) +--- + docs/ENVIRONMENT.md | 3 +++ + src/nspawn/nspawn-seccomp.c | 2 +- + src/shared/seccomp-util.c | 19 +++++++++++++++---- + 3 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md +index 99b5b03..286a5e2 100644 +--- a/docs/ENVIRONMENT.md ++++ b/docs/ENVIRONMENT.md +@@ -58,6 +58,9 @@ All tools: + this only controls use of Unicode emoji glyphs, and has no effect on other + Unicode glyphs. + ++* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if ++ support for it is compiled in and available in the kernel. ++ + systemctl: + + * `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus +diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c +index e7ef80f..17abfce 100644 +--- a/src/nspawn/nspawn-seccomp.c ++++ b/src/nspawn/nspawn-seccomp.c +@@ -168,7 +168,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys + int r; + + if (!is_seccomp_available()) { +- log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering"); ++ log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering"); + return 0; + } + +diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c +index 958128c..cbab63c 100644 +--- a/src/shared/seccomp-util.c ++++ b/src/shared/seccomp-util.c +@@ -19,6 +19,7 @@ + #include "strv.h" + #include "util.h" + #include "errno-list.h" ++#include "env-util.h" + + const uint32_t seccomp_local_archs[] = { + +@@ -242,10 +243,20 @@ static bool is_seccomp_filter_available(void) { + bool 
is_seccomp_available(void) { + static int cached_enabled = -1; + +- if (cached_enabled < 0) +- cached_enabled = +- is_basic_seccomp_available() && +- is_seccomp_filter_available(); ++ if (cached_enabled < 0) { ++ int b; ++ ++ b = getenv_bool_secure("SYSTEMD_SECCOMP"); ++ if (b != 0) { ++ if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */ ++ log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring."); ++ ++ cached_enabled = ++ is_basic_seccomp_available() && ++ is_seccomp_filter_available(); ++ } else ++ cached_enabled = false; ++ } + + return cached_enabled; + } diff --git a/debian/patches/series b/debian/patches/series index 24dae93..a2bbd15 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -58,6 +58,8 @@ networkd-do-not-generate-MAC-for-bridge-device.patch journal-do-not-trigger-assertion-when-journal_file_close-.patch test-bpf-skip-test-when-run-inside-containers.patch tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch +core-make-sure-to-restore-the-control-command-id-too.patch +seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch debian/Use-Debian-specific-config-files.patch debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch debian/Make-run-lock-tmpfs-an-API-fs.patch
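Review bot: The debian/changelog hunk says filtering is turned off "via the SYSTEMD_SECCOMP env var" without giving the value, but per the seccomp-util.c hunk only a value that parses as false disables it; `SYSTEMD_SECCOMP=1` keeps enforcement. Spell out `SYSTEMD_SECCOMP=0` in the changelog entry so users of the stable update do not have to read the patch to find the working incantation.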
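Review bot: In the src/core/service.c hunk, the new `s->control_command_id = id;` in the `if (command && control)` branch uses an `id` that is not declared anywhere in the visible context, so the cherry-pick onto 241 depends on the surrounding 241 code deriving `id` the same way upstream e9da62b does. Worth confirming that `id` is the deserialized command id that belongs to `command`, and that the `else` branch (where `command` vanished and only a warning is logged) cannot leave `control_command` NULL with a stale `control_command_id`, since the point of the fix is that those two fields stay consistent across daemon-reload.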
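Review bot: The docs/ENVIRONMENT.md hunk introduces `$SYSTEMD_SECCOMP=0` with the wording "if set, seccomp filters will not be enforced", which reads as if any value disables filtering. The code only disables it when the value parses as false and silently ignores an unparsable value (debug log only), so suggest "if set to a false value, seccomp filters will not be enforced ... unparsable values are ignored". Since this lands under "All tools", it should also say plainly that the switch is process-wide, not nspawn-specific.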
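Review bot: In the src/nspawn/nspawn-seccomp.c hunk, `setup_seccomp()` still returns 0 with only a `log_debug()` when `is_seccomp_available()` is false, and after this change that path also covers an operator deliberately setting `SYSTEMD_SECCOMP=0`. Running a container with no syscall filter is a real reduction in isolation, so that case deserves a `log_warning()` (something like `"Seccomp filtering disabled via $SYSTEMD_SECCOMP=0, running container without syscall filter"`) that lands in the journal without debug logging. Because the env-var parsing lives in the shared `is_seccomp_available()`, nspawn cannot tell the two cases apart from the return value alone; the warning would have to be emitted where the variable is parsed, or nspawn would need to check the variable itself.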
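Review bot: In the `is_seccomp_available()` hunk in src/shared/seccomp-util.c, the `cached_enabled = false` branch for `b == 0` logs nothing, while the parse-failure branch does; add a `log_debug("Seccomp filtering disabled via $SYSTEMD_SECCOMP=0.")` there so the downgrade is at least traceable. Two further points a reviewer should note: the result is cached in a static for the lifetime of the process, so the variable only has an effect if it is present before the first call, and because this function is the shared gate, every caller in the same process that consults it will see seccomp as absent, not just nspawn. Using `getenv_bool_secure()` is the right call here, since it ignores the variable in secure-execution (setuid/AT_SECURE) contexts rather than letting an unprivileged caller switch filtering off.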
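As an added illustration of the failure mode behind the second patch (this is my code, not from the mail, from systemd or from Debian): the mail says glibc 2.33 implements faccessat() via faccessat2() and that this breaks containers under nspawn in buster. The assumption behind the probe below, which the mail does not spell out, is that nspawn's allow-list filter answers syscalls it does not recognise, such as faccessat2, with EPERM, while glibc only falls back to the old faccessat() syscall when it sees ENOSYS. The program installs a minimal raw-BPF seccomp filter (no libseccomp, so it builds on a buster-era toolchain) in a forked child, once with EPERM and once with ENOSYS as the answer for faccessat2, and runs a glibc-2.33-style faccessat() under each. The helper names `install_filter`, `new_style_faccessat` and `probe_under_filter` are mine, and the `__NR_faccessat2` fallback value 439 is the number the kernel assigned on every architecture.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* faccessat2 got the same number on every architecture (Linux 5.8); older headers lack it. */
#ifndef __NR_faccessat2
#define __NR_faccessat2 439
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define THIS_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/*
 * Allow-by-default filter that answers faccessat2() with `deny_errno`: EPERM
 * stands in (by assumption) for nspawn's default action in buster, ENOSYS for
 * the behaviour glibc's fallback needs. The arch check comes first; without
 * it a caller could switch ABI and reach a different syscall table.
 */
static int install_filter(int deny_errno) {
        struct sock_filter filter[] = {
                BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
                BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_AUDIT_ARCH, 1, 0),
                BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
                BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
                BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_faccessat2, 0, 1),
                BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (deny_errno & SECCOMP_RET_DATA)),
                BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        };
        struct sock_fprog prog = {
                .len = sizeof(filter) / sizeof(filter[0]),
                .filter = filter,
        };

        /* Required for unprivileged seccomp; also stops setuid from shedding the filter. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
                return -errno;
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
                return -errno;
        return 0;
}

/*
 * Mimics the glibc >= 2.33 strategy: try the new syscall, fall back to the old
 * one only on ENOSYS. Any other errno is returned as a real error, which is
 * why a filter answering EPERM breaks callers that would otherwise work.
 */
static int new_style_faccessat(const char *path, int mode) {
        if (syscall(__NR_faccessat2, AT_FDCWD, path, mode, 0) == 0)
                return 0;
        if (errno != ENOSYS)
                return -errno;
        if (syscall(__NR_faccessat, AT_FDCWD, path, mode) == 0)
                return 0;
        return -errno;
}

/*
 * Run the probe in a child under the filter so the parent stays unfiltered.
 * Returns 0 on success, the probe's negative errno, or -ENOTSUP when the
 * filter could not be installed (kernel or sandbox without seccomp).
 */
static int probe_under_filter(int deny_errno) {
        int status;
        pid_t pid = fork();

        if (pid < 0)
                return -errno;
        if (pid == 0) {
                if (install_filter(deny_errno) < 0)
                        _exit(255);
                int r = new_style_faccessat("/", F_OK);
                _exit(r == 0 ? 0 : -r);  /* errno values fit in an exit status; 255 is reserved */
        }
        if (waitpid(pid, &status, 0) < 0)
                return -errno;
        if (!WIFEXITED(status))
                return -ECHILD;
        if (WEXITSTATUS(status) == 255)
                return -ENOTSUP;
        return -WEXITSTATUS(status);
}

int main(void) {
        int broken = probe_under_filter(EPERM);
        int fixed = probe_under_filter(ENOSYS);

        printf("unknown syscall -> EPERM : faccessat(\"/\") = %s\n",
               broken == 0 ? "ok" : strerror(-broken));
        printf("unknown syscall -> ENOSYS: faccessat(\"/\") = %s\n",
               fixed == 0 ? "ok" : strerror(-fixed));
        return 0;
}
```

Build with `cc -o seccomp-probe seccomp-probe.c` and run it as any user: the EPERM run fails with "Operation not permitted" on a path that plainly exists, the ENOSYS run succeeds through the fallback. A filter that returns ENOSYS for syscalls it does not know would let glibc's fallback work while keeping every other rule in place; `SYSTEMD_SECCOMP=0` instead removes the filter entirely, which is why the nspawn-side logging of that choice matters.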