Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org

Dear Release Team,

We would like to upload the latest stable point release of systemd 252 to bookworm-p-u. Stable release branches are maintained upstream with the intention of providing bug fixes only and no compatibility breakages, and with automated non-trivial CI jobs that also cover Debian and Ubuntu. I have already uploaded to p-u.

Debdiff attached. The only packaging change is to drop a patch merged upstream and refresh another to remove fuzz.
diff -Nru systemd-252.30/debian/changelog systemd-252.31/debian/changelog --- systemd-252.30/debian/changelog 2024-08-25 18:35:39.000000000 +0100 +++ systemd-252.31/debian/changelog 2024-10-10 18:40:53.000000000 +0100 @@ -1,3 +1,11 @@ +systemd (252.31-1~deb12u1) bookworm; urgency=medium + + * New upstream version 252.31 + * Drop journald.conf patch merged upstream + * Refresh patches to remove fuzz from update + + -- Luca Boccassi <bl...@debian.org> Thu, 10 Oct 2024 18:40:53 +0100 + systemd (252.30-1~deb12u2) bookworm; urgency=medium * Backport patch to revert new comment in /etc/systemd/journald.conf. diff -Nru systemd-252.30/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch systemd-252.31/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch --- systemd-252.30/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch 2024-08-25 18:33:30.000000000 +0100 +++ systemd-252.31/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch 2024-10-10 18:40:53.000000000 +0100 @@ -16,8 +16,6 @@ src/journal/journald.conf | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) -diff --git a/man/journald.conf.xml b/man/journald.conf.xml -index 2db6a0f..160544a 100644 --- a/man/journald.conf.xml +++ b/man/journald.conf.xml @@ -356,7 +356,7 @@ @@ -29,11 +27,9 @@ command line options <literal>systemd.journald.forward_to_syslog</literal>, <literal>systemd.journald.forward_to_kmsg</literal>, <literal>systemd.journald.forward_to_console</literal>, and -diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 31358cd..863575c 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c -@@ -2289,6 +2289,7 @@ int server_init(Server *s, const char *namespace) { +@@ -2289,6 +2289,7 @@ .ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL, .ratelimit_burst = DEFAULT_RATE_LIMIT_BURST, 
@@ -41,13 +37,11 @@ .forward_to_wall = true, .max_file_usec = DEFAULT_MAX_FILE_USEC, -diff --git a/src/journal/journald.conf b/src/journal/journald.conf -index 5a60a9d..64f4d4b 100644 --- a/src/journal/journald.conf +++ b/src/journal/journald.conf @@ -32,7 +32,7 @@ #RuntimeMaxFiles=100 - #MaxRetentionSec=0 + #MaxRetentionSec= #MaxFileSec=1month -#ForwardToSyslog=no +#ForwardToSyslog=yes diff -Nru systemd-252.30/debian/patches/Revert-journal-comment-the-default-value-in-journald.conf.patch systemd-252.31/debian/patches/Revert-journal-comment-the-default-value-in-journald.conf.patch --- systemd-252.30/debian/patches/Revert-journal-comment-the-default-value-in-journald.conf.patch 2024-08-25 18:34:31.000000000 +0100 +++ systemd-252.31/debian/patches/Revert-journal-comment-the-default-value-in-journald.conf.patch 1970-01-01 01:00:00.000000000 +0100 @@ -1,17 +0,0 @@ -Author: Luca Boccassi <bl...@debian.org> -Bug-Debian: http://bugs.debian.org/1079086 -Description: Revert "journal: comment the default value in journald.conf" - Because of how dpkg handles config files, this will cause a prompt to - users on upgrade, which is undesirable for stable updates, so revert it - in v252-stable. ---- a/src/journal/journald.conf -+++ b/src/journal/journald.conf -@@ -30,7 +30,7 @@ - #RuntimeKeepFree= - #RuntimeMaxFileSize= - #RuntimeMaxFiles=100 --#MaxRetentionSec=0 -+#MaxRetentionSec= - #MaxFileSec=1month - #ForwardToSyslog=yes - #ForwardToKMsg=no diff -Nru systemd-252.30/debian/patches/series systemd-252.31/debian/patches/series --- systemd-252.30/debian/patches/series 2024-08-25 18:32:58.000000000 +0100 +++ systemd-252.31/debian/patches/series 2024-10-10 18:39:48.000000000 +0100 
@@ -18,4 +18,3 @@ debian/systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch debian/Downgrade-a-couple-of-warnings-to-debug.patch debian/Skip-flaky-test_resolved_domain_restricted_dns-in-network.patch -Revert-journal-comment-the-default-value-in-journald.conf.patch diff -Nru systemd-252.30/hwdb.d/60-evdev.hwdb systemd-252.31/hwdb.d/60-evdev.hwdb --- systemd-252.30/hwdb.d/60-evdev.hwdb 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/hwdb.d/60-evdev.hwdb 2024-10-10 18:34:03.000000000 +0100 @@ -255,6 +255,13 @@ # Dell ######################################### +# Dell AlpsPS/2 ALPS DualPoint TouchPad +evdev:name:AlpsPS/2 ALPS DualPoint TouchPad:dmi:*:svnDellInc.*:pnLatitudeE7440*: + EVDEV_ABS_00=:::28 + EVDEV_ABS_01=:::28 + EVDEV_ABS_35=:::28 + EVDEV_ABS_36=:::28 + # Dell Vostro 1510 evdev:name:AlpsPS/2 ALPS GlidePoint*:dmi:bvn*:bvr*:bd*:svnDellInc.:pnVostro1510:* EVDEV_ABS_00=::14 diff -Nru systemd-252.30/hwdb.d/60-keyboard.hwdb systemd-252.31/hwdb.d/60-keyboard.hwdb --- systemd-252.30/hwdb.d/60-keyboard.hwdb 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/hwdb.d/60-keyboard.hwdb 2024-10-10 18:34:03.000000000 +0100 @@ -223,7 +223,7 @@ # Swift SF314-511 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnSwiftSF314-511:pvr* - KEYBOARD_KEY_8a=f20 # Fn+F12, microphone mute + KEYBOARD_KEY_8a=f20 # Fn+F12, microphone mute # Predator PHN16-71 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnPredatorPHN16-71:* @@ -231,6 +231,10 @@ KEYBOARD_KEY_f5=prog1 # "predator sense" button KEYBOARD_KEY_66=micmute # Microphone mute button +# Predator PHN16-72 +evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnPredatorPHN16-72:* + KEYBOARD_KEY_66=micmute # Microphone mute button + # Nitro AN515-58 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAcer*:pnNitro*AN*515-58:pvr* KEYBOARD_KEY_8a=f20 # Microphone mute button 
@@ -259,7 +263,7 @@ # Aquarius Cmp NS483 evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAquarius*:pnCmp*NS483*:* KEYBOARD_KEY_56=backslash - KEYBOARD_KEY_76=f21 # Touchpad Toggle + KEYBOARD_KEY_76=f21 # Touchpad Toggle ########################################################### # Asus @@ -341,6 +345,9 @@ KEYBOARD_KEY_f7=f21 # Touchpad Toggle KEYBOARD_KEY_f8=f21 # Touchpad Toggle +evdev:atkbd:dmi:bvn*:bvr*:svnNotebook:pnV5xTNC_TND_TNE:* + KEYBOARD_KEY_81=f20 # Fn+4; Mic Mute + ########################################################### # Compal ########################################################### @@ -973,7 +980,7 @@ # LE14U/LE15U evdev:atkbd:dmi:bvn*:bvr*:bd*:svnKVADRA*:pn*LE1*U*:* - KEYBOARD_KEY_76=f21 # Fn+F1 Toggle touchpad, sends meta+ctrl+toggle + KEYBOARD_KEY_76=f21 # Fn+F1 Toggle touchpad, sends meta+ctrl+toggle ########################################################### # Lenovo @@ -1901,9 +1908,9 @@ # Galaxy Book (2021) NP750XDA-KD4SE evdev:atkbd:dmi:bvn*:bvr*:bd*:svn[sS][aA][mM][sS][uU][nN][gG]*:pn750XDA:pvr* KEYBOARD_KEY_81=!esc - KEYBOARD_KEY_ce=!prog1 # Fn+F1 launch settings - KEYBOARD_KEY_ae=!volumedown # Fn+F7 volume down - KEYBOARD_KEY_b0=!volumeup # Fn+F8 volume up + KEYBOARD_KEY_ce=!prog1 # Fn+F1 launch settings + KEYBOARD_KEY_ae=!volumedown # Fn+F7 volume down + KEYBOARD_KEY_b0=!volumeup # Fn+F8 volume up ########################################################### 
@@ -2028,13 +2035,13 @@ # Portege Z830 ACPI quickstart buttons evdev:name:Quickstart Button 1:dmi:bvn*:bvr*:bd*:svnTOSHIBA*:pnPORTEGEZ830:* - KEYBOARD_KEY_1=prog1 # TOSHIBA eco button + KEYBOARD_KEY_1=prog1 # TOSHIBA eco button evdev:name:Quickstart Button 2:dmi:bvn*:bvr*:bd*:svnTOSHIBA*:pnPORTEGEZ830:* - KEYBOARD_KEY_1=prog2 # TOSHIBA Presentation button + KEYBOARD_KEY_1=prog2 # TOSHIBA Presentation button evdev:name:Quickstart Button 3:dmi:bvn*:bvr*:bd*:svnTOSHIBA*:pnPORTEGEZ830:* - KEYBOARD_KEY_1=f21 # Touchpad toggle + KEYBOARD_KEY_1=f21 # Touchpad toggle ########################################################### # VIA @@ -2067,11 +2074,11 @@ # Home: LeftCtrl + Esc -> LeftMeta (ignore LeftCtrl, map Esc to LeftMeta) # Back: Backspace -> back (map backspace to back) evdev:name:FTSC1000:00 2808:509C Keyboard:dmi:*:svnXiaomiInc:pnMipad2:* - KEYBOARD_KEY_700e0=unknown # LeftCtrl -> ignore - KEYBOARD_KEY_700e3=unknown # LeftMeta -> ignore - KEYBOARD_KEY_70016=menu # S -> menu - KEYBOARD_KEY_70029=leftmeta # Esc -> LeftMeta (Windows key / Win8 tablets home) - KEYBOARD_KEY_7002a=back # Backspace -> back + KEYBOARD_KEY_700e0=unknown # LeftCtrl -> ignore + KEYBOARD_KEY_700e3=unknown # LeftMeta -> ignore + KEYBOARD_KEY_70016=menu # S -> menu + KEYBOARD_KEY_70029=leftmeta # Esc -> LeftMeta (Windows key / Win8 tablets home) + KEYBOARD_KEY_7002a=back # Backspace -> back ########################################################### # Zepto @@ -2183,7 +2190,7 @@ evdev:name:AT Translated Set 2 keyboard:dmi:bvn*:bvr*:bd*:svnPositivoBahia-VAIO:pnVJPW1[12]F11X*:pvr*:* # Vaio FE14 (VJFE41F11X, VJE42F11X, VJFE44F11X, VJFE54F11X) evdev:name:AT Translated Set 2 keyboard:dmi:bvn*:bvr*:bd*:svnPositivoBahia-VAIO:pnVJFE*:pvr*:* - KEYBOARD_KEY_76=f21 # Fn+F1 toggle touchpad + KEYBOARD_KEY_76=f21 # Fn+F1 toggle touchpad ########################################################### # Positivo 
@@ -2288,6 +2295,18 @@ # # Presence of a LED is implicit when the property is absent. +# Apple Wireless keyboards +evdev:input:b0005v05aCp022C* +evdev:input:b0005v05aCp022D* +evdev:input:b0005v05aCp022E* +evdev:input:b0005v05aCp0239* +evdev:input:b0005v05aCp023A* +evdev:input:b0005v05aCp023B* +evdev:input:b0005v05aCp0255* +evdev:input:b0005v05aCp0256* +evdev:input:b0005v05aCp0257* + KEYBOARD_LED_NUMLOCK=0 + # Logitech K750 evdev:input:b0003v046Dp4002* KEYBOARD_LED_NUMLOCK=0 diff -Nru systemd-252.30/hwdb.d/60-sensor.hwdb systemd-252.31/hwdb.d/60-sensor.hwdb --- systemd-252.30/hwdb.d/60-sensor.hwdb 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/hwdb.d/60-sensor.hwdb 2024-10-10 18:34:03.000000000 +0100 @@ -152,6 +152,7 @@ sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TA:* sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAF:* sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAM:* +sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pnT100TAS:* sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:pnT200TA:* ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1 @@ -163,6 +164,7 @@ sensor:modalias:acpi:INVN6500*:dmi:*svn*ASUSTeK*:*pn*TP300LD:* ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1 +sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pn*Q551LB:* sensor:modalias:acpi:INVN6500*:dmi:*svnASUSTeK*:*pn*Q551LN:* ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1 diff -Nru systemd-252.30/man/org.freedesktop.systemd1.xml systemd-252.31/man/org.freedesktop.systemd1.xml --- systemd-252.30/man/org.freedesktop.systemd1.xml 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/man/org.freedesktop.systemd1.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -2344,18 +2344,9 @@ was already active).</para> <para><varname>ActiveState</varname> contains a state value that reflects whether the unit is currently - active or not. The following states are currently defined: <literal>active</literal>, - <literal>reloading</literal>, <literal>inactive</literal>, <literal>failed</literal>, - <literal>activating</literal>, and <literal>deactivating</literal>. <literal>active</literal> indicates - that unit is active (obviously...). <literal>reloading</literal> indicates that the unit is active and - currently reloading its configuration. <literal>inactive</literal> indicates that it is inactive and - the previous run was successful or no previous run has taken place yet. <literal>failed</literal> - indicates that it is inactive and the previous run was not successful (more information about the - reason for this is available on the unit type specific interfaces, for example for services in the - <varname>Result</varname> property, see below). <literal>activating</literal> indicates that the unit - has previously been inactive but is currently in the process of entering an active state. Conversely - <literal>deactivating</literal> indicates that the unit is currently in the process of - deactivation.</para> + active or not. The following states are currently defined:</para> + + <xi:include href="unit-states.xml" xpointer="table"/> <para><varname>SubState</varname> encodes states of the same state machine that <varname>ActiveState</varname> covers, but knows more fine-grained states that are diff -Nru systemd-252.30/man/sd_bus_message_append_array.xml systemd-252.31/man/sd_bus_message_append_array.xml --- systemd-252.30/man/sd_bus_message_append_array.xml 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/man/sd_bus_message_append_array.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -34,7 +34,7 @@ <funcdef>int sd_bus_message_append_array</funcdef> <paramdef>sd_bus_message *<parameter>m</parameter></paramdef> <paramdef>char <parameter>type</parameter></paramdef> - <paramdef>void *<parameter>ptr</parameter></paramdef> + <paramdef>const void *<parameter>ptr</parameter></paramdef> <paramdef>size_t <parameter>size</parameter></paramdef> </funcprototype> diff -Nru systemd-252.30/man/systemctl.xml systemd-252.31/man/systemctl.xml --- systemd-252.30/man/systemctl.xml 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/man/systemctl.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -96,12 +96,15 @@ <para>The LOAD column shows the load state, one of <constant>loaded</constant>, <constant>not-found</constant>, <constant>bad-setting</constant>, <constant>error</constant>, - <constant>masked</constant>. The ACTIVE columns shows the general unit state, one of - <constant>active</constant>, <constant>reloading</constant>, <constant>inactive</constant>, - <constant>failed</constant>, <constant>activating</constant>, <constant>deactivating</constant>. The SUB - column shows the unit-type-specific detailed state of the unit, possible values vary by unit type. The list - of possible LOAD, ACTIVE, and SUB states is not constant and new systemd releases may both add and remove - values. <programlisting>systemctl --state=help</programlisting> command maybe be used to display the + <constant>masked</constant>. The ACTIVE columns shows the general unit state, one of the + following:</para> + + <xi:include href="unit-states.xml" xpointer="table"/> + + <para>The SUB column shows the unit-type-specific detailed state of the unit, possible values + vary by unit type. The list of possible LOAD, ACTIVE, and SUB states is not constant and new + systemd releases may both add and remove values. + <programlisting>systemctl --state=help</programlisting> command may be used to display the current set of possible values.</para> <para>This is the default command.</para> diff -Nru systemd-252.30/man/systemd.special.xml systemd-252.31/man/systemd.special.xml --- systemd-252.30/man/systemd.special.xml 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/man/systemd.special.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -229,6 +229,11 @@ names like <varname>single</varname>, <varname>rescue</varname>, <varname>1</varname>, <varname>3</varname>, <varname>5</varname>, …; see <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> + + <para>For typical unit files please set <literal>WantedBy=</literal> to a regular target (like + <filename>multi-user.target</filename> or <filename>graphical.target</filename>), + instead of <filename>default.target</filename>, since such a service will also be run on special + boots like on system update, emergency boot…</para> </listitem> </varlistentry> <varlistentry> diff -Nru systemd-252.30/man/systemd.xml systemd-252.31/man/systemd.xml --- systemd-252.30/man/systemd.xml 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/man/systemd.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -74,21 +74,12 @@ configuration files, whose syntax and basic set of options is described in <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>, - however some are created automatically from other configuration - files, dynamically from system state or programmatically at runtime. - Units may be "active" (meaning started, bound, plugged in, …, - depending on the unit type, see below), or "inactive" (meaning - stopped, unbound, unplugged, …), as well as in the process of - being activated or deactivated, i.e. between the two states (these - states are called "activating", "deactivating"). A special - "failed" state is available as well, which is very similar to - "inactive" and is entered when the service failed in some way - (process returned error code on exit, or crashed, an operation - timed out, or after too many restarts). If this state is entered, - the cause will be logged, for later reference. Note that the - various unit types may have a number of additional substates, - which are mapped to the five generalized unit states described - here.</para> + however some are created automatically from other configuration files, dynamically from system state or + programmatically at runtime. Units may be in a number of states, described in the following table. Note + that the various unit types may have a number of additional substates, which are mapped to the + generalized unit states described here.</para> + + <xi:include href="unit-states.xml" xpointer="table"/> <para>The following unit types are available:</para> diff -Nru systemd-252.30/man/unit-states.xml systemd-252.31/man/unit-states.xml --- systemd-252.30/man/unit-states.xml 1970-01-01 01:00:00.000000000 +0100 +++ systemd-252.31/man/unit-states.xml 2024-10-10 18:34:03.000000000 +0100 
@@ -0,0 +1,56 @@ +<?xml version="1.0"?> +<!DOCTYPE refsect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"> + +<!-- + SPDX-License-Identifier: LGPL-2.1-or-later +--> + +<refsect1> + <title/> + + <table id="table"> + <title>Unit ACTIVE states</title> + <tgroup cols='2'> + <colspec colname='state'/> + <colspec colname='description'/> + <thead> + <row> + <entry>State</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry><varname>active</varname></entry> + <entry>Started, bound, plugged in, …, depending on the unit type.</entry> + </row> + <row> + <entry><varname>inactive</varname></entry> + <entry>Stopped, unbound, unplugged, …, depending on the unit type.</entry> + </row> + <row> + <entry><varname>failed</varname></entry> + <entry>Similar to <constant>inactive</constant>, but the unit failed in some way (process returned error code on exit, crashed, an operation timed out, or after too many restarts). + </entry> + </row> + <row> + <entry><varname>activating</varname></entry> + <entry>Changing from <constant>inactive</constant> to <constant>active</constant>.</entry> + </row> + <row> + <entry><varname>deactivating</varname></entry> + <entry>Changing from <constant>active</constant> to <constant>inactive</constant>.</entry> + </row> + <row> + <entry><varname>maintenance</varname></entry> + <entry>Unit is <constant>inactive</constant> and a maintenance operation is in progress.</entry> + </row> + <row> + <entry><varname>reloading</varname></entry> + <entry>Unit is <constant>active</constant> and it is reloading its configuration.</entry> + </row> + </tbody> + </tgroup> + </table> + +</refsect1> diff -Nru systemd-252.30/.semaphore/semaphore-runner.sh systemd-252.31/.semaphore/semaphore-runner.sh --- systemd-252.30/.semaphore/semaphore-runner.sh 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/.semaphore/semaphore-runner.sh 2024-10-10 18:34:03.000000000 +0100 
@@ -11,7 +11,8 @@ BRANCH="${BRANCH:-upstream-ci}" ARCH="${ARCH:-amd64}" CONTAINER="${RELEASE}-${ARCH}" -CACHE_DIR="${SEMAPHORE_CACHE_DIR:-/tmp}" +CACHE_DIR=/var/tmp +TMPDIR=/var/tmp AUTOPKGTEST_DIR="${CACHE_DIR}/autopkgtest" # semaphore cannot expose these, but useful for interactive/local runs ARTIFACTS_DIR=/tmp/artifacts @@ -64,7 +65,7 @@ sudo apt-get install -y -t "$UBUNTU_RELEASE-backports" lxc sudo apt-get install -y python3-debian git dpkg-dev fakeroot python3-jinja2 - [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --branch=debian/5.32 --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" + [ -d "$AUTOPKGTEST_DIR" ] || git clone --quiet --depth=1 https://salsa.debian.org/ci-team/autopkgtest.git "$AUTOPKGTEST_DIR" create_container ;; @@ -91,7 +92,7 @@ # disable autopkgtests which are not for upstream sed -i '/# NOUPSTREAM/ q' debian/tests/control # enable more unit tests - sed -i '/^CONFFLAGS =/ s/=/= --werror -Dtests=unsafe -Dsplit-usr=true -Dslow-tests=true -Dfuzz-tests=true -Dman=true /' debian/rules + sed -i '/^CONFFLAGS =/ s/=/= --werror -Dsplit-usr=true /' debian/rules # no orig tarball echo '1.0' > debian/source/format 
@@ -101,8 +102,11 @@ # now build the package and run the tests rm -rf "$ARTIFACTS_DIR" # autopkgtest exits with 2 for "some tests skipped", accept that - sudo "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS=noudeb \ - --env TEST_UPSTREAM=1 ../systemd_*.dsc \ + sudo TMPDIR=/var/tmp "$AUTOPKGTEST_DIR/runner/autopkgtest" --env DEB_BUILD_OPTIONS="noudeb nostrip nodoc optimize=-lto" \ + --env DPKG_DEB_COMPRESSOR_TYPE="none" \ + --env DEB_BUILD_PROFILES="noudeb nodoc" \ + --env TEST_UPSTREAM=1 \ + ../systemd_*.dsc \ -o "$ARTIFACTS_DIR" \ -- lxc -s "$CONTAINER" \ || [ $? -eq 2 ] diff -Nru systemd-252.30/src/basic/audit-util.c systemd-252.31/src/basic/audit-util.c --- systemd-252.30/src/basic/audit-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/basic/audit-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -101,7 +101,7 @@ n = recvmsg_safe(fd, &mh, 0); if (n < 0) - return -errno; + return n; if (n != NLMSG_LENGTH(sizeof(struct nlmsgerr))) return -EIO; diff -Nru systemd-252.30/src/basic/missing_loop.h systemd-252.31/src/basic/missing_loop.h --- systemd-252.30/src/basic/missing_loop.h 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/basic/missing_loop.h 2024-10-10 18:34:03.000000000 +0100 @@ -22,3 +22,7 @@ #ifndef LOOP_SET_STATUS_SETTABLE_FLAGS #define LOOP_SET_STATUS_SETTABLE_FLAGS (LO_FLAGS_AUTOCLEAR | LO_FLAGS_PARTSCAN) #endif + +#ifndef LOOP_SET_BLOCK_SIZE +# define LOOP_SET_BLOCK_SIZE 0x4C09 +#endif diff -Nru systemd-252.30/src/basic/os-util.c systemd-252.31/src/basic/os-util.c --- systemd-252.30/src/basic/os-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/basic/os-util.c 2024-10-10 18:34:03.000000000 +0100 
@@ -44,8 +44,9 @@ /* Does the path exist at all? If not, generate an error immediately. This is useful so that a missing root dir * always results in -ENOENT, and we can properly distinguish the case where the whole root doesn't exist from * the case where just the os-release file is missing. */ - if (laccess(path, F_OK) < 0) - return -errno; + r = laccess(path, F_OK); + if (r < 0) + return r; /* We use /usr/lib/extension-release.d/extension-release[.NAME] as flag for something being a system extension, * and {/etc|/usr/lib}/os-release as a flag for something being an OS (when not an extension). */ diff -Nru systemd-252.30/src/basic/path-lookup.c systemd-252.31/src/basic/path-lookup.c --- systemd-252.30/src/basic/path-lookup.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/basic/path-lookup.c 2024-10-10 18:34:03.000000000 +0100 @@ -881,6 +881,7 @@ int find_portable_profile(const char *name, const char *unit, char **ret_path) { const char *p, *dot; + int r; assert(name); assert(ret_path); @@ -894,13 +895,13 @@ if (!joined) return -ENOMEM; - if (laccess(joined, F_OK) >= 0) { + r = laccess(joined, F_OK); + if (r >= 0) { *ret_path = TAKE_PTR(joined); return 0; } - - if (errno != ENOENT) - return -errno; + if (r != -ENOENT) + return r; } return -ENOENT; diff -Nru systemd-252.30/src/basic/unit-def.c systemd-252.31/src/basic/unit-def.c --- systemd-252.30/src/basic/unit-def.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/basic/unit-def.c 2024-10-10 18:34:03.000000000 +0100 
@@ -96,6 +96,7 @@ DEFINE_STRING_TABLE_LOOKUP(unit_load_state, UnitLoadState); +/* Keep in sync with man/unit-states.xml */ static const char* const unit_active_state_table[_UNIT_ACTIVE_STATE_MAX] = { [UNIT_ACTIVE] = "active", [UNIT_RELOADING] = "reloading", diff -Nru systemd-252.30/src/boot/efi/boot.c systemd-252.31/src/boot/efi/boot.c --- systemd-252.30/src/boot/efi/boot.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/boot/efi/boot.c 2024-10-10 18:34:03.000000000 +0100 @@ -1506,7 +1506,7 @@ if (streq8(key, "architecture")) { /* do not add an entry for an EFI image of architecture not matching with that of the image */ - if (!streq8(value, EFI_MACHINE_TYPE_NAME)) { + if (!strcaseeq8(value, EFI_MACHINE_TYPE_NAME)) { entry->type = LOADER_UNDEFINED; break; } diff -Nru systemd-252.30/src/core/dbus-cgroup.c systemd-252.31/src/core/dbus-cgroup.c --- systemd-252.30/src/core/dbus-cgroup.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/core/dbus-cgroup.c 2024-10-10 18:34:03.000000000 +0100 @@ -1259,7 +1259,7 @@ for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++) a->limits[type] = cgroup_io_limit_defaults[type]; - LIST_PREPEND(device_limits, c->io_device_limits, a); + LIST_APPEND(device_limits, c->io_device_limits, a); } a->limits[iol_type] = u64; @@ -1338,7 +1338,7 @@ free(a); return -ENOMEM; } - LIST_PREPEND(device_weights, c->io_device_weights, a); + LIST_APPEND(device_weights, c->io_device_weights, a); } a->weight = weight; @@ -1411,7 +1411,7 @@ free(a); return -ENOMEM; } - LIST_PREPEND(device_latencies, c->io_device_latencies, a); + LIST_APPEND(device_latencies, c->io_device_latencies, a); } a->target_usec = target; @@ -1491,7 +1491,7 @@ return -ENOMEM; } - LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, a); + LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, a); } if (read) 
@@ -1585,7 +1585,7 @@ free(a); return -ENOMEM; } - LIST_PREPEND(device_weights, c->blockio_device_weights, a); + LIST_APPEND(device_weights, c->blockio_device_weights, a); } a->weight = weight; diff -Nru systemd-252.30/src/core/load-fragment.c systemd-252.31/src/core/load-fragment.c --- systemd-252.30/src/core/load-fragment.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/core/load-fragment.c 2024-10-10 18:34:03.000000000 +0100 @@ -4237,7 +4237,7 @@ w->path = TAKE_PTR(resolved); w->weight = u; - LIST_PREPEND(device_weights, c->io_device_weights, w); + LIST_APPEND(device_weights, c->io_device_weights, w); return 0; } @@ -4308,7 +4308,7 @@ l->path = TAKE_PTR(resolved); l->target_usec = usec; - LIST_PREPEND(device_latencies, c->io_device_latencies, l); + LIST_APPEND(device_latencies, c->io_device_latencies, l); return 0; } @@ -4396,7 +4396,7 @@ for (ttype = 0; ttype < _CGROUP_IO_LIMIT_TYPE_MAX; ttype++) l->limits[ttype] = cgroup_io_limit_defaults[ttype]; - LIST_PREPEND(device_limits, c->io_device_limits, l); + LIST_APPEND(device_limits, c->io_device_limits, l); } l->limits[type] = num; @@ -4477,7 +4477,7 @@ w->path = TAKE_PTR(resolved); w->weight = u; - LIST_PREPEND(device_weights, c->blockio_device_weights, w); + LIST_APPEND(device_weights, c->blockio_device_weights, w); return 0; } @@ -4564,7 +4564,7 @@ b->rbps = CGROUP_LIMIT_MAX; b->wbps = CGROUP_LIMIT_MAX; - LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, b); + LIST_APPEND(device_bandwidths, c->blockio_device_bandwidths, b); } if (read) diff -Nru systemd-252.30/src/home/homework-luks.c systemd-252.31/src/home/homework-luks.c --- systemd-252.30/src/home/homework-luks.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/home/homework-luks.c 2024-10-10 18:34:03.000000000 +0100 
@@ -1986,11 +1986,11 @@ _cleanup_free_ char *dn = NULL; usec_t w; - if (laccess(path, F_OK) < 0) { - if (errno != ENOENT) - return log_error_errno(errno, "Failed to determine whether %s exists: %m", path); - } else + r = laccess(path, F_OK); + if (r >= 0) return 0; /* Found it */ + if (r != -ENOENT) + return log_error_errno(r, "Failed to determine whether %s exists: %m", path); if (inotify_fd < 0) { /* We need to wait for the device symlink to show up, let's create an inotify watch for it */ diff -Nru systemd-252.30/src/journal/journald.conf systemd-252.31/src/journal/journald.conf --- systemd-252.30/src/journal/journald.conf 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/journal/journald.conf 2024-10-10 18:34:03.000000000 +0100 @@ -30,7 +30,7 @@ #RuntimeKeepFree= #RuntimeMaxFileSize= #RuntimeMaxFiles=100 -#MaxRetentionSec=0 +#MaxRetentionSec= #MaxFileSec=1month #ForwardToSyslog=no #ForwardToKMsg=no diff -Nru systemd-252.30/src/libsystemd/sd-daemon/sd-daemon.c systemd-252.31/src/libsystemd/sd-daemon/sd-daemon.c --- systemd-252.30/src/libsystemd/sd-daemon/sd-daemon.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/libsystemd/sd-daemon/sd-daemon.c 2024-10-10 18:34:03.000000000 +0100 
@@ -616,17 +616,18 @@ } _public_ int sd_booted(void) { - /* We test whether the runtime unit file directory has been - * created. This takes place in mount-setup.c, so is - * guaranteed to happen very early during boot. */ + int r; - if (laccess("/run/systemd/system/", F_OK) >= 0) - return true; + /* We test whether the runtime unit file directory has been created. This takes place in mount-setup.c, + * so is guaranteed to happen very early during boot. */ - if (errno == ENOENT) + r = laccess("/run/systemd/system/", F_OK); + if (r >= 0) + return true; + if (r == -ENOENT) return false; - return -errno; + return r; } _public_ int sd_watchdog_enabled(int unset_environment, uint64_t *usec) { diff -Nru systemd-252.30/src/libsystemd/sd-netlink/test-netlink.c systemd-252.31/src/libsystemd/sd-netlink/test-netlink.c --- systemd-252.30/src/libsystemd/sd-netlink/test-netlink.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/libsystemd/sd-netlink/test-netlink.c 2024-10-10 18:34:03.000000000 +0100 
@@ -95,18 +95,24 @@ struct in_addr in_data; struct ifa_cacheinfo cache; const char *label; + int ret; log_debug("/* %s */", __func__); assert_se(sd_rtnl_message_new_addr(rtnl, &m, RTM_GETADDR, ifindex, AF_INET) >= 0); assert_se(m); assert_se(sd_netlink_message_set_request_dump(m, true) >= 0); - assert_se(sd_netlink_call(rtnl, m, -1, &r) == 1); - assert_se(sd_netlink_message_read_in_addr(r, IFA_LOCAL, &in_data) == 0); - assert_se(sd_netlink_message_read_in_addr(r, IFA_ADDRESS, &in_data) == 0); - assert_se(sd_netlink_message_read_string(r, IFA_LABEL, &label) == 0); - assert_se(sd_netlink_message_read_cache_info(r, IFA_CACHEINFO, &cache) == 0); + ret = sd_netlink_call(rtnl, m, -1, &r); + assert_se(ret >= 0); + + /* If the loopback device is down we won't get any results. */ + if (ret > 0) { + assert_se(sd_netlink_message_read_in_addr(r, IFA_LOCAL, &in_data) == 0); + assert_se(sd_netlink_message_read_in_addr(r, IFA_ADDRESS, &in_data) == 0); + assert_se(sd_netlink_message_read_string(r, IFA_LABEL, &label) == 0); + assert_se(sd_netlink_message_read_cache_info(r, IFA_CACHEINFO, &cache) == 0); + } } static void test_route(sd_netlink *rtnl) { diff -Nru systemd-252.30/src/libsystemd-network/sd-ipv4acd.c systemd-252.31/src/libsystemd-network/sd-ipv4acd.c --- systemd-252.30/src/libsystemd-network/sd-ipv4acd.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/libsystemd-network/sd-ipv4acd.c 2024-10-10 18:34:03.000000000 +0100 @@ -396,6 +396,7 @@ } break; + case IPV4ACD_STATE_STARTED: case IPV4ACD_STATE_WAITING_PROBE: case IPV4ACD_STATE_PROBING: case IPV4ACD_STATE_WAITING_ANNOUNCE: diff -Nru systemd-252.30/src/libsystemd-network/test-dhcp-server.c systemd-252.31/src/libsystemd-network/test-dhcp-server.c --- systemd-252.30/src/libsystemd-network/test-dhcp-server.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/libsystemd-network/test-dhcp-server.c 2024-10-10 18:34:03.000000000 +0100 
@@ -119,6 +119,7 @@ .s_addr = htobe32(INADDR_LOOPBACK + 42), }; static uint8_t static_lease_client_id[7] = {0x01, 'A', 'B', 'C', 'D', 'E', 'G' }; + int r; log_debug("/* %s */", __func__); @@ -129,7 +130,10 @@ assert_se(sd_dhcp_server_attach_event(server, NULL, 0) >= 0); assert_se(sd_dhcp_server_start(server) >= 0); - assert_se(dhcp_server_handle_message(server, (DHCPMessage*)&test, sizeof(test)) == DHCP_OFFER); + r = dhcp_server_handle_message(server, (DHCPMessage*)&test, sizeof(test)); + if (r == -ENETDOWN) + return (void) log_tests_skipped("Network is not available"); + assert_se(r == DHCP_OFFER); test.end = 0; /* TODO, shouldn't this fail? */ diff -Nru systemd-252.30/src/nspawn/nspawn.c systemd-252.31/src/nspawn/nspawn.c --- systemd-252.30/src/nspawn/nspawn.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/nspawn/nspawn.c 2024-10-10 18:34:03.000000000 +0100 @@ -2264,7 +2264,7 @@ /* Explicitly warn the user when /dev is already populated. */ if (errno == EEXIST) log_notice("%s/dev is pre-mounted and pre-populated. If a pre-mounted /dev is provided it needs to be an unpopulated file system.", dest); - if (errno != EPERM) + if (errno != EPERM || arg_uid_shift != 0) return log_error_errno(errno, "mknod(%s) failed: %m", to); /* Some systems abusively restrict mknod but allow bind mounts. */ 
@@ -2274,12 +2274,12 @@ r = mount_nofollow_verbose(LOG_DEBUG, from, to, NULL, MS_BIND, NULL); if (r < 0) return log_error_errno(r, "Both mknod and bind mount (%s) failed: %m", to); + } else { + r = userns_lchown(to, 0, 0); + if (r < 0) + return log_error_errno(r, "chown() of device node %s failed: %m", to); } - r = userns_lchown(to, 0, 0); - if (r < 0) - return log_error_errno(r, "chown() of device node %s failed: %m", to); - dn = path_join("/dev", S_ISCHR(st.st_mode) ? "char" : "block"); if (!dn) return log_oom(); diff -Nru systemd-252.30/src/partition/repart.c systemd-252.31/src/partition/repart.c --- systemd-252.30/src/partition/repart.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/partition/repart.c 2024-10-10 18:34:03.000000000 +0100 @@ -3291,13 +3291,13 @@ sfd, ".", pfd, fn, UID_INVALID, GID_INVALID, - COPY_REFLINK|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS); + COPY_REFLINK|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_RESTORE_DIRECTORY_TIMESTAMPS); } else r = copy_tree_at( sfd, ".", tfd, ".", UID_INVALID, GID_INVALID, - COPY_REFLINK|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS); + COPY_REFLINK|COPY_MERGE|COPY_REPLACE|COPY_SIGINT|COPY_HARDLINKS|COPY_ALL_XATTRS|COPY_RESTORE_DIRECTORY_TIMESTAMPS); if (r < 0) return log_error_errno(r, "Failed to copy '%s' to '%s%s': %m", *source, strempty(arg_root), *target); } else { @@ -5862,6 +5862,10 @@ if (!context) return log_oom(); + r = context_read_seed(context, arg_root); + if (r < 0) + return r; + strv_uniq(arg_definitions); r = context_read_definitions(context, arg_definitions, arg_root); 
@@ -5926,10 +5930,6 @@ putchar('\n'); #endif - r = context_read_seed(context, arg_root); - if (r < 0) - return r; - /* Open all files to copy blocks from now, since we want to take their size into consideration */ r = context_open_copy_block_paths( context, diff -Nru systemd-252.30/src/portable/portable.c systemd-252.31/src/portable/portable.c --- systemd-252.30/src/portable/portable.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/portable/portable.c 2024-10-10 18:34:03.000000000 +0100 @@ -1083,8 +1083,12 @@ return -ENOMEM; if (flags & PORTABLE_PREFER_COPY) { + CopyFlags copy_flags = COPY_REFLINK|COPY_FSYNC; - r = copy_file_atomic(from, dropin, 0644, 0, 0, COPY_REFLINK|COPY_FSYNC); + if (flags & PORTABLE_FORCE_ATTACH) + copy_flags |= COPY_REPLACE; + + r = copy_file_atomic(from, dropin, 0644, 0, 0, copy_flags); if (r < 0) return log_debug_errno(r, "Failed to copy %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); @@ -1092,8 +1096,12 @@ } else { - if (symlink(from, dropin) < 0) - return log_debug_errno(errno, "Failed to link %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); + if (flags & PORTABLE_FORCE_ATTACH) + r = symlink_atomic(from, dropin); + else + r = RET_NERRNO(symlink(from, dropin)); + if (r < 0) + return log_debug_errno(r, "Failed to link %s %s %s: %m", from, special_glyph(SPECIAL_GLYPH_ARROW_RIGHT), dropin); (void) portable_changes_add(changes, n_changes, PORTABLE_SYMLINK, dropin, from); } @@ -1177,8 +1185,12 @@ if ((flags & PORTABLE_PREFER_SYMLINK) && m->source) { - if (symlink(m->source, path) < 0) - return log_debug_errno(errno, "Failed to symlink unit file '%s': %m", path); + if (flags & PORTABLE_FORCE_ATTACH) + r = symlink_atomic(m->source, path); + else + r = RET_NERRNO(symlink(m->source, path)); + if (r < 0) + return log_debug_errno(r, "Failed to symlink unit file '%s': %m", path); (void) portable_changes_add(changes, n_changes, PORTABLE_SYMLINK, path, m->source); 
@@ -1200,6 +1212,9 @@ if (fchmod(fd, 0644) < 0) return log_debug_errno(errno, "Failed to change unit file access mode for '%s': %m", path); + if (flags & PORTABLE_FORCE_ATTACH) + (void) unlink(path); + r = link_tmpfile(fd, tmp, path); if (r < 0) return log_debug_errno(r, "Failed to install unit file '%s': %m", path); diff -Nru systemd-252.30/src/resolve/resolved-dns-packet.h systemd-252.31/src/resolve/resolved-dns-packet.h --- systemd-252.30/src/resolve/resolved-dns-packet.h 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/resolve/resolved-dns-packet.h 2024-10-10 18:34:03.000000000 +0100 @@ -111,6 +111,7 @@ #define DNS_PACKET_AD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 5) & 1) #define DNS_PACKET_CD(p) ((be16toh(DNS_PACKET_HEADER(p)->flags) >> 4) & 1) +#define DNS_PACKET_FLAG_AD (UINT16_C(1) << 5) #define DNS_PACKET_FLAG_TC (UINT16_C(1) << 9) static inline uint16_t DNS_PACKET_RCODE(DnsPacket *p) { diff -Nru systemd-252.30/src/resolve/resolved-dns-stub.c systemd-252.31/src/resolve/resolved-dns-stub.c --- systemd-252.30/src/resolve/resolved-dns-stub.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/resolve/resolved-dns-stub.c 2024-10-10 18:34:03.000000000 +0100 @@ -685,7 +685,8 @@ static int dns_stub_patch_bypass_reply_packet( DnsPacket **ret, /* Where to place the patched packet */ DnsPacket *original, /* The packet to patch */ - DnsPacket *request) { /* The packet the patched packet shall look like a reply to */ + DnsPacket *request, /* The packet the patched packet shall look like a reply to */ + bool authenticated) { _cleanup_(dns_packet_unrefp) DnsPacket *c = NULL; int r; @@ -725,6 +726,10 @@ DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) | DNS_PACKET_FLAG_TC); } + /* Ensure we don't pass along an untrusted ad flag for bypass packets */ + if (!authenticated) + DNS_PACKET_HEADER(c)->flags = htobe16(be16toh(DNS_PACKET_HEADER(c)->flags) & ~DNS_PACKET_FLAG_AD); + *ret = TAKE_PTR(c); return 0; } 
@@ -745,7 +750,8 @@ q->answer_full_packet->protocol == DNS_PROTOCOL_DNS) { _cleanup_(dns_packet_unrefp) DnsPacket *reply = NULL; - r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet); + r = dns_stub_patch_bypass_reply_packet(&reply, q->answer_full_packet, q->request_packet, + FLAGS_SET(q->answer_query_flags, SD_RESOLVED_AUTHENTICATED)); if (r < 0) log_debug_errno(r, "Failed to patch bypass reply packet: %m"); else diff -Nru systemd-252.30/src/shared/bpf-dlopen.c systemd-252.31/src/shared/bpf-dlopen.c --- systemd-252.30/src/shared/bpf-dlopen.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/bpf-dlopen.c 2024-10-10 18:34:03.000000000 +0100 @@ -49,13 +49,13 @@ void *dl; int r; - dl = dlopen("libbpf.so.1", RTLD_LAZY); + dl = dlopen("libbpf.so.1", RTLD_NOW|RTLD_NODELETE); if (!dl) { /* libbpf < 1.0.0 (we rely on 0.1.0+) provide most symbols we care about, but * unfortunately not all until 0.7.0. See bpf-compat.h for more details. * Once we consider we can assume 0.7+ is present we can just use the same symbol * list for both files, and when we assume 1.0+ is present we can remove this dlopen */ - dl = dlopen("libbpf.so.0", RTLD_LAZY); + dl = dlopen("libbpf.so.0", RTLD_NOW|RTLD_NODELETE); if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "neither libbpf.so.1 nor libbpf.so.0 are installed: %s", dlerror()); diff -Nru systemd-252.30/src/shared/condition.c systemd-252.31/src/shared/condition.c --- systemd-252.30/src/shared/condition.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/condition.c 2024-10-10 18:34:03.000000000 +0100 
@@ -172,10 +172,11 @@ if (!j) return -ENOMEM; - if (laccess(j, F_OK) >= 0) + r = laccess(j, F_OK); + if (r >= 0) return true; /* yay! */ - if (errno != ENOENT) - return -errno; + if (r != -ENOENT) + return r; /* not found in this dir */ } diff -Nru systemd-252.30/src/shared/copy.c systemd-252.31/src/shared/copy.c --- systemd-252.30/src/shared/copy.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/copy.c 2024-10-10 18:34:03.000000000 +0100 @@ -908,6 +908,7 @@ _cleanup_close_ int fdf = -1, fdt = -1; _cleanup_closedir_ DIR *d = NULL; + struct stat dt_st; bool exists, created; int r; @@ -966,6 +967,9 @@ if (fdt < 0) return -errno; + if (exists && FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS) && fstat(fdt, &dt_st) < 0) + return -errno; + r = 0; FOREACH_DIRENT_ALL(de, d, return -errno) { @@ -1050,7 +1054,9 @@ (void) copy_xattr(dirfd(d), fdt, copy_flags); (void) futimens(fdt, (struct timespec[]) { st->st_atim, st->st_mtim }); - } + } else if (FLAGS_SET(copy_flags, COPY_RESTORE_DIRECTORY_TIMESTAMPS)) + /* If the directory already exists, make sure the timestamps stay the same as before. */ + (void) futimens(fdt, (struct timespec[]) { dt_st.st_atim, dt_st.st_mtim }); if (copy_flags & COPY_FSYNC_FULL) { if (fsync(fdt) < 0) diff -Nru systemd-252.30/src/shared/copy.h systemd-252.31/src/shared/copy.h --- systemd-252.30/src/shared/copy.h 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/copy.h 2024-10-10 18:34:03.000000000 +0100 
@@ -25,6 +25,7 @@ COPY_SYNCFS = 1 << 12, /* syncfs() the *top-level* dir after we are done */ COPY_ALL_XATTRS = 1 << 13, /* Preserve all xattrs when copying, not just those in the user namespace */ COPY_HOLES = 1 << 14, /* Copy holes */ + COPY_RESTORE_DIRECTORY_TIMESTAMPS = 1 << 15, /* Make sure existing directory timestamps don't change during copying. */ } CopyFlags; typedef int (*copy_progress_bytes_t)(uint64_t n_bytes, void *userdata); diff -Nru systemd-252.30/src/shared/dlfcn-util.c systemd-252.31/src/shared/dlfcn-util.c --- systemd-252.30/src/shared/dlfcn-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/dlfcn-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -44,7 +44,7 @@ if (*dlp) return 0; /* Already loaded */ - dl = dlopen(filename, RTLD_LAZY); + dl = dlopen(filename, RTLD_NOW|RTLD_NODELETE); if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "%s is not installed: %s", filename, dlerror()); diff -Nru systemd-252.30/src/shared/idn-util.c systemd-252.31/src/shared/idn-util.c --- systemd-252.30/src/shared/idn-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/idn-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -42,11 +42,11 @@ if (idn_dl) return 0; /* Already loaded */ - dl = dlopen("libidn.so.12", RTLD_LAZY); + dl = dlopen("libidn.so.12", RTLD_NOW|RTLD_NODELETE); if (!dl) { /* libidn broke ABI in 1.34, but not in a way we care about (a new field got added to an * open-coded struct we do not use), hence support both versions. */ - dl = dlopen("libidn.so.11", RTLD_LAZY); + dl = dlopen("libidn.so.11", RTLD_NOW|RTLD_NODELETE); if (!dl) return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "libidn support is not installed: %s", dlerror()); 
@@ -54,7 +54,6 @@ } else log_debug("Loaded 'libidn.so.12' via dlopen()"); - r = dlsym_many_or_warn( dl, LOG_DEBUG, diff -Nru systemd-252.30/src/shared/mount-util.c systemd-252.31/src/shared/mount-util.c --- systemd-252.30/src/shared/mount-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/mount-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -446,8 +446,9 @@ fs = mnt_table_find_target(table, path, MNT_ITER_FORWARD); if (!fs) { - if (laccess(path, F_OK) < 0) /* Hmm, it's not in the mount table, but does it exist at all? */ - return -errno; + r = laccess(path, F_OK); /* Hmm, it's not in the mount table, but does it exist at all? */ + if (r < 0) + return r; return -EINVAL; /* Not a mount point we recognize */ } diff -Nru systemd-252.30/src/shared/seccomp-util.c systemd-252.31/src/shared/seccomp-util.c --- systemd-252.30/src/shared/seccomp-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/seccomp-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -854,6 +854,7 @@ .name = "@sync", .help = "Synchronize files and memory to storage", .value = + /* Please also update the list in seccomp_suppress_sync(). */ "fdatasync\0" "fsync\0" "msync\0" @@ -2331,8 +2332,10 @@ uint32_t arch; int r; - /* This is mostly identical to SystemCallFilter=~@sync:0, but simpler to use, and separately - * manageable, and also masks O_SYNC/O_DSYNC */ + /* This behaves slightly differently from SystemCallFilter=~@sync:0, in that negative fds (which + * we can determine to be invalid) are still refused with EBADF. See #34478. + * + * Additionally, O_SYNC/O_DSYNC are masked. */ SECCOMP_FOREACH_LOCAL_ARCH(arch) { _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; 
@@ -2351,11 +2354,21 @@ continue; } - r = seccomp_rule_add_exact( - seccomp, - SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ - id, - 0); + if (STR_IN_SET(c, "fdatasync", "fsync", "sync_file_range", "sync_file_range2", "syncfs")) + r = seccomp_rule_add_exact( + seccomp, + SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ + id, + 1, + SCMP_A0(SCMP_CMP_LE, INT_MAX)); /* The rule handles arguments in unsigned. Hence, this + * means non-negative fd matches the rule, and the negative + * fd passed to the syscall (then it fails with EBADF). */ + else + r = seccomp_rule_add_exact( + seccomp, + SCMP_ACT_ERRNO(0), /* success → we want this to be a NOP after all */ + id, + 0); if (r < 0) log_debug_errno(r, "Failed to add filter for system call %s, ignoring: %m", c); } diff -Nru systemd-252.30/src/shared/tests.c systemd-252.31/src/shared/tests.c --- systemd-252.30/src/shared/tests.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/tests.c 2024-10-10 18:34:03.000000000 +0100 @@ -35,6 +35,7 @@ #include "strv.h" #include "tests.h" #include "tmpfile-util.h" +#include "uid-range.h" char* setup_fake_runtime_dir(void) { char t[] = "/tmp/fake-xdg-runtime-XXXXXX", *p; 
@@ -172,6 +173,20 @@ assert_not_reached(); } +bool userns_has_single_user(void) { + _cleanup_(uid_range_freep) UidRange *uidrange = NULL; + + /* Check if we're in a user namespace with only a single user mapped in. We special case this + * scenario in a few tests because it's the only kind of namespace that can be created unprivileged + * and as such happens more often than not, so we make sure to deal with it so that all tests pass + * in such environments. */ + + if (uid_range_load_userns(&uidrange, NULL) < 0) + return false; + + return uidrange->n_entries == 1 && uidrange->entries[0].nr == 1; +} + bool can_memlock(void) { /* Let's see if we can mlock() a larger blob of memory. BPF programs are charged against * RLIMIT_MEMLOCK, hence let's first make sure we can lock memory at all, and skip the test if we diff -Nru systemd-252.30/src/shared/tests.h systemd-252.31/src/shared/tests.h --- systemd-252.30/src/shared/tests.h 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/tests.h 2024-10-10 18:34:03.000000000 +0100 @@ -48,6 +48,7 @@ int write_tmpfile(char *pattern, const char *contents); bool have_namespaces(void); +bool userns_has_single_user(void); /* We use the small but non-trivial limit here */ #define CAN_MEMLOCK_SIZE (512 * 1024U) diff -Nru systemd-252.30/src/shared/tpm2-util.c systemd-252.31/src/shared/tpm2-util.c --- systemd-252.30/src/shared/tpm2-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/tpm2-util.c 2024-10-10 18:34:03.000000000 +0100 
@@ -195,7 +195,7 @@ if (!filename_is_valid(fn)) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "TPM2 driver name '%s' not valid, refusing.", driver); - dl = dlopen(fn, RTLD_NOW); + dl = dlopen(fn, RTLD_NOW|RTLD_NODELETE); if (!dl) return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to load %s: %s", fn, dlerror()); diff -Nru systemd-252.30/src/shared/userdb.c systemd-252.31/src/shared/userdb.c --- systemd-252.30/src/shared/userdb.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/shared/userdb.c 2024-10-10 18:34:03.000000000 +0100 @@ -1454,7 +1454,7 @@ /* Note that we might be called from libnss_systemd.so.2 itself, but that should be fine, really. */ - dl = dlopen(ROOTLIBDIR "/libnss_systemd.so.2", RTLD_LAZY|RTLD_NODELETE); + dl = dlopen(ROOTLIBDIR "/libnss_systemd.so.2", RTLD_NOW|RTLD_NODELETE); if (!dl) { /* If the file isn't installed, don't complain loudly */ log_debug("Failed to dlopen(libnss_systemd.so.2), ignoring: %s", dlerror()); diff -Nru systemd-252.30/src/sysext/sysext.c systemd-252.31/src/sysext/sysext.c --- systemd-252.30/src/sysext/sysext.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/sysext/sysext.c 2024-10-10 18:34:03.000000000 +0100 
@@ -676,13 +676,11 @@ if (!p) return log_oom(); - if (laccess(p, F_OK) < 0) { - if (errno != ENOENT) - return log_error_errno(errno, "Failed to check if '%s' exists: %m", p); - - /* Hierarchy apparently was empty in all extensions, and wasn't mounted, ignoring. */ + r = laccess(p, F_OK); + if (r == -ENOENT) /* Hierarchy apparently was empty in all extensions, and wasn't mounted, ignoring. */ continue; - } + if (r < 0) + return log_error_errno(r, "Failed to check if '%s' exists: %m", p); r = chase_symlinks(*h, arg_root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &resolved, NULL); if (r < 0) diff -Nru systemd-252.30/src/systemctl/systemctl-show.c systemd-252.31/src/systemctl/systemctl-show.c --- systemd-252.30/src/systemctl/systemctl-show.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/systemctl/systemctl-show.c 2024-10-10 18:34:03.000000000 +0100 
@@ -1645,6 +1645,29 @@ bus_print_property_value(name, expected_value, flags, affinity); return 1; + + } else if (streq(name, "RootImageOptions")) { + const char *a, *p; + + /* In config files, the syntax allows the partition name to be omitted. Here, we + * always print the partition name, also because we have no way of knowing if it was + * originally omitted or not. We also print the partitions on separate lines. */ + + r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(ss)"); + if (r < 0) + return bus_log_parse_error(r); + + while ((r = sd_bus_message_read(m, "(ss)", &a, &p)) > 0) + bus_print_property_valuef(name, expected_value, flags, "%s:%s", a, p); + if (r < 0) + return bus_log_parse_error(r); + + r = sd_bus_message_exit_container(m); + if (r < 0) + return bus_log_parse_error(r); + + return 1; + } else if (streq(name, "MountImages")) { _cleanup_free_ char *paths = NULL; diff -Nru systemd-252.30/src/system-update-generator/system-update-generator.c systemd-252.31/src/system-update-generator/system-update-generator.c --- systemd-252.30/src/system-update-generator/system-update-generator.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/system-update-generator/system-update-generator.c 2024-10-10 18:34:03.000000000 +0100 @@ -20,12 +20,14 @@ static int generate_symlink(void) { const char *p = NULL; + int r; - if (laccess("/system-update", F_OK) < 0) { - if (errno == ENOENT) + r = laccess("/system-update", F_OK); + if (r < 0) { + if (r == -ENOENT) return 0; - log_error_errno(errno, "Failed to check for system update: %m"); + log_error_errno(r, "Failed to check for system update: %m"); return -EINVAL; } diff -Nru systemd-252.30/src/test/test-acl-util.c systemd-252.31/src/test/test-acl-util.c --- systemd-252.30/src/test/test-acl-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-acl-util.c 2024-10-10 18:34:03.000000000 +0100 
@@ -34,7 +34,7 @@ cmd = strjoina("getfacl -p ", fn); assert_se(system(cmd) == 0); - if (getuid() == 0) { + if (getuid() == 0 && !userns_has_single_user()) { const char *nobody = NOBODY_USER_NAME; r = get_user_creds(&nobody, &uid, NULL, NULL, NULL, 0); if (r < 0) diff -Nru systemd-252.30/src/test/test-capability.c systemd-252.31/src/test/test-capability.c --- systemd-252.30/src/test/test-capability.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-capability.c 2024-10-10 18:34:03.000000000 +0100 @@ -267,10 +267,13 @@ show_capabilities(); - test_drop_privileges(); + if (!userns_has_single_user()) + test_drop_privileges(); + test_update_inherited_set(); - fork_test(test_have_effective_cap); + if (!userns_has_single_user()) + fork_test(test_have_effective_cap); if (run_ambient) fork_test(test_apply_ambient_caps); diff -Nru systemd-252.30/src/test/test-chown-rec.c systemd-252.31/src/test/test-chown-rec.c --- systemd-252.30/src/test/test-chown-rec.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-chown-rec.c 2024-10-10 18:34:03.000000000 +0100 @@ -153,8 +153,8 @@ } static int intro(void) { - if (geteuid() != 0) - return log_tests_skipped("not running as root"); + if (geteuid() != 0 || userns_has_single_user()) + return log_tests_skipped("not running as root or in userns with single user"); return EXIT_SUCCESS; } diff -Nru systemd-252.30/src/test/test-condition.c systemd-252.31/src/test/test-condition.c --- systemd-252.30/src/test/test-condition.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-condition.c 2024-10-10 18:34:03.000000000 +0100 
@@ -995,6 +995,13 @@ condition_free(condition); free(gid); + /* In an unprivileged user namespace with the current user mapped to root, all the auxiliary groups + * of the user will be mapped to the nobody group, which means the user in the user namespace is in + * both the root and the nobody group, meaning the next test can't work, so let's skip it in that + * case. */ + if (in_group(NOBODY_GROUP_NAME) && in_group("root")) + return (void) log_tests_skipped("user is in both root and nobody group"); + groupname = (char*)(getegid() == 0 ? NOBODY_GROUP_NAME : "root"); condition = condition_new(CONDITION_GROUP, groupname, false, false); assert_se(condition); diff -Nru systemd-252.30/src/test/test-dlopen.c systemd-252.31/src/test/test-dlopen.c --- systemd-252.30/src/test/test-dlopen.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-dlopen.c 2024-10-10 18:34:03.000000000 +0100 @@ -10,7 +10,7 @@ int i; for (i = 0; i < argc - 1; i++) - assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW)); + assert_se(handles[i] = dlopen(argv[i + 1], RTLD_NOW|RTLD_NODELETE)); for (i--; i >= 0; i--) assert_se(dlclose(handles[i]) == 0); diff -Nru systemd-252.30/src/test/test-fs-util.c systemd-252.31/src/test/test-fs-util.c --- systemd-252.30/src/test/test-fs-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-fs-util.c 2024-10-10 18:34:03.000000000 +0100 @@ -775,8 +775,8 @@ struct stat st; const char *p; - if (geteuid() != 0) - return; + if (geteuid() != 0 || userns_has_single_user()) + return (void) log_tests_skipped("not running as root or in userns with single user"); BLOCK_WITH_UMASK(0000); diff -Nru systemd-252.30/src/test/test-nss-hosts.c systemd-252.31/src/test/test-nss-hosts.c --- systemd-252.30/src/test/test-nss-hosts.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-nss-hosts.c 2024-10-10 18:34:03.000000000 +0100 
@@ -380,7 +380,7 @@ log_info("======== %s ========", module); - _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE); + _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE); if (!handle) return -EINVAL; diff -Nru systemd-252.30/src/test/test-nss-users.c systemd-252.31/src/test/test-nss-users.c --- systemd-252.30/src/test/test-nss-users.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-nss-users.c 2024-10-10 18:34:03.000000000 +0100 @@ -166,7 +166,7 @@ log_info("======== %s ========", module); - _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_LAZY|RTLD_NODELETE); + _cleanup_(dlclosep) void *handle = nss_open_handle(dir, module, RTLD_NOW|RTLD_NODELETE); if (!handle) return -EINVAL; diff -Nru systemd-252.30/src/test/test-rm-rf.c systemd-252.31/src/test/test-rm-rf.c --- systemd-252.30/src/test/test-rm-rf.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-rm-rf.c 2024-10-10 18:34:03.000000000 +0100 @@ -89,6 +89,9 @@ TEST(rm_rf_chmod) { int r; + if (getuid() == 0 && userns_has_single_user()) + return (void) log_tests_skipped("running as root or in userns with single user"); + if (getuid() == 0) { /* This test only works unpriv (as only then the access mask for the owning user matters), * hence drop privs here */ diff -Nru systemd-252.30/src/test/test-seccomp.c systemd-252.31/src/test/test-seccomp.c --- systemd-252.30/src/test/test-seccomp.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-seccomp.c 2024-10-10 18:34:03.000000000 +0100 @@ -18,6 +18,7 @@ #include "capability-util.h" #include "fd-util.h" #include "fileio.h" +#include "fs-util.h" #include "macro.h" #include "memory-util.h" #include "missing_sched.h" 
@@ -1227,4 +1228,55 @@ assert_se(wait_for_terminate_and_check("suidsgidseccomp", pid, WAIT_LOG) == EXIT_SUCCESS); } +static void test_seccomp_suppress_sync_child(void) { + _cleanup_(unlink_and_freep) char *path = NULL; + _cleanup_close_ int fd = -EBADF; + + assert_se(tempfn_random("/tmp/seccomp_suppress_sync", NULL, &path) >= 0); + assert_se((fd = open(path, O_RDWR | O_CREAT | O_SYNC | O_CLOEXEC, 0666)) >= 0); + fd = safe_close(fd); + + assert_se(fdatasync(-1) < 0 && errno == EBADF); + assert_se(fsync(-1) < 0 && errno == EBADF); + assert_se(syncfs(-1) < 0 && errno == EBADF); + + assert_se(fdatasync(INT_MAX) < 0 && errno == EBADF); + assert_se(fsync(INT_MAX) < 0 && errno == EBADF); + assert_se(syncfs(INT_MAX) < 0 && errno == EBADF); + + assert_se(seccomp_suppress_sync() >= 0); + + assert_se((fd = open(path, O_RDWR | O_CREAT | O_SYNC | O_CLOEXEC, 0666)) < 0 && errno == EINVAL); + + assert_se(fdatasync(INT_MAX) >= 0); + assert_se(fsync(INT_MAX) >= 0); + assert_se(syncfs(INT_MAX) >= 0); + + assert_se(fdatasync(-1) < 0 && errno == EBADF); + assert_se(fsync(-1) < 0 && errno == EBADF); + assert_se(syncfs(-1) < 0 && errno == EBADF); +} + +TEST(seccomp_suppress_sync) { + pid_t pid; + + if (!is_seccomp_available()) { + log_notice("Seccomp not available, skipping %s", __func__); + return; + } + if (!have_seccomp_privs()) { + log_notice("Not privileged, skipping %s", __func__); + return; + } + + assert_se((pid = fork()) >= 0); + + if (pid == 0) { + test_seccomp_suppress_sync_child(); + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_check("seccomp_suppress_sync", pid, WAIT_LOG) == EXIT_SUCCESS); +} + DEFINE_TEST_MAIN(LOG_DEBUG); diff -Nru systemd-252.30/src/test/test-socket-util.c systemd-252.31/src/test/test-socket-util.c --- systemd-252.30/src/test/test-socket-util.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/test/test-socket-util.c 2024-10-10 18:34:03.000000000 +0100 
@@ -170,7 +170,7 @@ struct ucred ucred; int pair[2]; - if (geteuid() == 0) { + if (geteuid() == 0 && !userns_has_single_user()) { test_uid = 1; test_gid = 2; test_gids = (gid_t*) gids; diff -Nru systemd-252.30/src/udev/cdrom_id/cdrom_id.c systemd-252.31/src/udev/cdrom_id/cdrom_id.c --- systemd-252.30/src/udev/cdrom_id/cdrom_id.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/udev/cdrom_id/cdrom_id.c 2024-10-10 18:34:03.000000000 +0100 @@ -476,7 +476,7 @@ switch (feature) { case 0x00: - log_debug("GET CONFIGURATION: feature 'profiles', with %u entries", features[i + 3] / 4); + log_debug("GET CONFIGURATION: feature 'profiles', with %u entries", features[i + 3] / 4U); feature_profiles(c, features + i + 4, MIN(features[i + 3], len - i - 4)); break; default: diff -Nru systemd-252.30/src/udev/dmi_memory_id/dmi_memory_id.c systemd-252.31/src/udev/dmi_memory_id/dmi_memory_id.c --- systemd-252.30/src/udev/dmi_memory_id/dmi_memory_id.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/udev/dmi_memory_id/dmi_memory_id.c 2024-10-10 18:34:03.000000000 +0100 @@ -399,7 +399,7 @@ /* LSB is 7-bit Odd Parity number of continuation codes */ if (code != 0) printf("MEMORY_DEVICE_%u_%s=Bank %d, Hex 0x%02X\n", slot_num, attr_suffix, - (code & 0x7F) + 1, code >> 8); + (code & 0x7F) + 1, (uint16_t) (code >> 8)); } static void dmi_memory_device_product_id( diff -Nru systemd-252.30/src/udev/udev-node.c systemd-252.31/src/udev/udev-node.c --- systemd-252.30/src/udev/udev-node.c 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/src/udev/udev-node.c 2024-10-10 18:34:03.000000000 +0100 
@@ -385,6 +385,87 @@ return 0; } +static int link_update_diskseq(sd_device *dev, const char *slink, bool add) { + _cleanup_free_ char *buf = NULL; + const char *fname, *diskseq, *subsystem = NULL, *devtype = NULL; + int r; + + assert(dev); + assert(slink); + + (void) sd_device_get_subsystem(dev, &subsystem); + if (!streq_ptr(subsystem, "block")) + return 0; + + fname = path_startswith(slink, "/dev/disk/by-diskseq"); + if (isempty(fname)) + return 0; + + (void) sd_device_get_devtype(dev, &devtype); + if (streq_ptr(devtype, "partition")) { + _cleanup_free_ char *suffix = NULL; + const char *partn, *p; + + /* Check if the symlink has an expected suffix "-part%n". See 60-persistent-storage.rules. */ + + r = sd_device_get_sysnum(dev, &partn); + if (r < 0) { + /* Cannot verify the symlink is owned by this device. Let's create the stack directory for the symlink. */ + log_device_debug_errno(dev, r, "Failed to get sysnum, but symlink '%s' is requested, ignoring: %m", slink); + return 0; + } + + suffix = strjoin("-part", partn); + if (!suffix) + return -ENOMEM; + + p = endswith(fname, suffix); + if (!p) { + log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested, proceeding anyway.", slink); + return 0; + } + + buf = strndup(fname, p - fname); + if (!buf) + return -ENOMEM; + + fname = buf; + } + + /* Check if the diskseq part of the symlink is in digits. */ + if (!in_charset(fname, DIGITS)) { + log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested, proceeding anyway.", slink); + return 0; /* unexpected by-diskseq symlink */ + } + + /* On removal, we cannot verify the diskseq. Skipping further check below. */ + if (!add) { + if (unlink(slink) < 0 && errno != ENOENT) + return log_device_debug_errno(dev, errno, "Failed to remove '%s': %m", slink); + + (void) rmdir_parents(slink, "/dev"); + return 1; /* done */ + } + + /* Check if the diskseq matches with the DISKSEQ property. 
*/ + r = sd_device_get_property_value(dev, "DISKSEQ", &diskseq); + if (r < 0) { + log_device_debug_errno(dev, r, "Failed to get DISKSEQ property, but symlink '%s' is requested, ignoring: %m", slink); + return 0; + } + + if (!streq(fname, diskseq)) { + log_device_debug(dev, "Unexpected by-diskseq symlink '%s' is requested (DISKSEQ=%s), proceeding anyway.", slink, diskseq); + return 0; + } + + r = node_symlink(dev, /* devnode = */ NULL, slink); + if (r < 0) + return r; + + return 1; /* done */ +} + static int link_update(sd_device *dev, const char *slink, bool add) { _cleanup_free_ char *dirname = NULL, *devnode = NULL; _cleanup_close_ int dirfd = -1, lockfd = -1; @@ -393,6 +474,10 @@ assert(dev); assert(slink); + r = link_update_diskseq(dev, slink, add); + if (r != 0) + return r; + r = stack_directory_get_name(slink, &dirname); if (r < 0) return log_device_debug_errno(dev, r, "Failed to build stack directory name for '%s': %m", slink); diff -Nru systemd-252.30/test/TEST-64-UDEV-STORAGE/test.sh systemd-252.31/test/TEST-64-UDEV-STORAGE/test.sh --- systemd-252.30/test/TEST-64-UDEV-STORAGE/test.sh 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/test/TEST-64-UDEV-STORAGE/test.sh 2024-10-10 18:34:03.000000000 +0100 @@ -474,7 +474,7 @@ qemu_opts+=("-device pci-bridge,id=pci_bridge$brid,bus=pci_bridge$((brid-1)),chassis_nr=$((64+brid))") done - qemu_opts+=("-device virtio-blk-pci,drive=drive0,scsi=off,bus=pci_bridge$brid") + qemu_opts+=("-device virtio-blk-pci,drive=drive0,bus=pci_bridge$brid") KERNEL_APPEND="systemd.setenv=TEST_FUNCTION_NAME=${FUNCNAME[0]} ${USER_KERNEL_APPEND:-}" QEMU_OPTIONS="${qemu_opts[*]} ${USER_QEMU_OPTIONS:-}" diff -Nru systemd-252.30/test/test-functions systemd-252.31/test/test-functions --- systemd-252.30/test/test-functions 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/test/test-functions 2024-10-10 18:34:03.000000000 +0100 
@@ -1826,13 +1826,9 @@ } create_rc_local() { - dinfo "Create rc.local" - mkdir -p "${initdir:?}/etc/rc.d" - cat >"$initdir/etc/rc.d/rc.local" <<EOF -#!/usr/bin/env bash -exit 0 -EOF - chmod 0755 "$initdir/etc/rc.d/rc.local" + dinfo "Mask rc.local generator" + mkdir -p "${initdir:?}/etc/systemd/system-generators/" + ln -s /dev/null "$initdir/etc/systemd/system-generators/systemd-rc-local-generator" } install_execs() { diff -Nru systemd-252.30/test/units/testsuite-17.14.sh systemd-252.31/test/units/testsuite-17.14.sh --- systemd-252.30/test/units/testsuite-17.14.sh 1970-01-01 01:00:00.000000000 +0100 +++ systemd-252.31/test/units/testsuite-17.14.sh 2024-10-10 18:34:03.000000000 +0100 
@@ -0,0 +1,57 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +# shellcheck disable=SC2010 +# shellcheck disable=SC2317 +set -ex +set -o pipefail + +# shellcheck source=test/units/assert.sh +. "$(dirname "$0")"/assert.sh + +# This is a test case for issue #34637. + +at_exit() ( + set +e + + systemctl stop test-diskseq.service || : + rm -f /run/systemd/system/test-diskseq.service + systemctl daemon-reload + + [[ -d "$TMPDIR" ]] && rm -rf "$TMPDIR" + + udevadm control --log-level=info +) + +trap at_exit EXIT + +udevadm control --log-level=debug + +TMPDIR="$(mktemp -d)" +truncate -s 16M "$TMPDIR"/foo.raw +mkfs.ext4 -L foo "$TMPDIR"/foo.raw + +mkdir -p /run/systemd/system/ +cat >/run/systemd/system/test-diskseq.service <<EOF +[Unit] +StartLimitIntervalSec=0 +[Service] +ExecStart=false +Restart=on-failure +MountImages=$TMPDIR/foo.raw:/var +EOF +systemctl daemon-reload + +udevadm settle + +# If an initrd from the host is used, stack directories for by-diskseq symlinks +# may already exist. Save the number of the directories here. +NUM_DISKSEQ_EXPECTED=$(ls /run/udev/links | grep -c by-diskseq || :) + +systemctl start --no-block test-diskseq.service + +for _ in {0..100}; do + sleep .1 + assert_eq "$(ls /run/udev/links | grep -c by-diskseq || :)" "$NUM_DISKSEQ_EXPECTED" +done + +exit 0 diff -Nru systemd-252.30/test/units/testsuite-19.keyed-properties.sh systemd-252.31/test/units/testsuite-19.keyed-properties.sh --- systemd-252.30/test/units/testsuite-19.keyed-properties.sh 1970-01-01 01:00:00.000000000 +0100 +++ systemd-252.31/test/units/testsuite-19.keyed-properties.sh 2024-10-10 18:34:03.000000000 +0100 
@@ -0,0 +1,65 @@ +#!/usr/bin/env bash +# SPDX-License-Identifier: LGPL-2.1-or-later +set -ex +set -o pipefail + +# shellcheck source=test/units/test-control.sh +. "$(dirname "$0")"/test-control.sh +# shellcheck source=test/units/util.sh +. "$(dirname "$0")"/util.sh + +if [[ "$(get_cgroup_hierarchy)" != unified ]]; then + echo "Skipping $0 as we're not running with the unified cgroup hierarchy" + exit 0 +fi + +testcase_iodevice_dbus () { + # Test that per-device properties are applied in configured order even for different devices (because + # they may resolve to same underlying device in the end + # Note: if device does not exist cgroup attribute write fails but systemd should still track the + # configured properties + systemd-run --unit=test0.service \ + --property="IOAccounting=yes" \ + sleep inf + + systemctl set-property test0.service \ + IOReadBandwidthMax="/dev/sda1 1M" \ + IOReadBandwidthMax="/dev/sda2 2M" \ + IOReadBandwidthMax="/dev/sda3 4M" + + local output + output=$(mktemp) + trap 'rm -f "$output"' RETURN + systemctl show -P IOReadBandwidthMax test0.service >"$output" + diff -u "$output" - <<EOF +/dev/sda1 1000000 +/dev/sda2 2000000 +/dev/sda3 4000000 +EOF + + systemctl stop test0.service +} + +testcase_iodevice_unitfile () { + cat >/run/systemd/system/test1.service <<EOF +[Service] +ExecStart=/usr/bin/sleep inf +IOReadBandwidthMax=/dev/sda1 1M +IOReadBandwidthMax=/dev/sda2 2M +IOReadBandwidthMax=/dev/sda3 4M +EOF + systemctl daemon-reload + + local output + output=$(mktemp) + trap 'rm -f "$output"' RETURN + systemctl show -P IOReadBandwidthMax test1.service >"$output" + diff -u "$output" - <<EOF +/dev/sda1 1000000 +/dev/sda2 2000000 +/dev/sda3 4000000 +EOF + rm -f /run/systemd/system/test1.service +} + +run_testcases diff -Nru systemd-252.30/test/units/testsuite-29.sh systemd-252.31/test/units/testsuite-29.sh --- systemd-252.30/test/units/testsuite-29.sh 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/test/units/testsuite-29.sh 2024-10-10 
18:34:03.000000000 +0100 @@ -71,6 +71,21 @@ # Ensure we don't regress (again) when using --force +mkdir -p /run/systemd/system.attached/minimal-app0.service.d/ +cat <<EOF >/run/systemd/system.attached/minimal-app0.service +[Unit] +Description=Minimal App 0 +EOF +cat <<EOF >/run/systemd/system.attached/minimal-app0.service.d/10-profile.conf +[Unit] +Description=Minimal App 0 +EOF +cat <<EOF >/run/systemd/system.attached/minimal-app0.service.d/20-portable.conf +[Unit] +Description=Minimal App 0 +EOF +systemctl daemon-reload + portablectl "${ARGS[@]}" attach --force --now --runtime /usr/share/minimal_0.raw minimal-app0 portablectl is-attached --force minimal-app0 @@ -208,6 +223,28 @@ systemctl is-active app1.service +portablectl detach --now --runtime overlay app1 + +# Ensure --force works also when symlinking +mkdir -p /run/systemd/system.attached/app1.service.d +cat <<EOF >/run/systemd/system.attached/app1.service +[Unit] +Description=App 1 +EOF +cat <<EOF >/run/systemd/system.attached/app1.service.d/10-profile.conf +[Unit] +Description=App 1 +EOF +cat <<EOF >/run/systemd/system.attached/app1.service.d/20-portable.conf +[Unit] +Description=App 1 +EOF +systemctl daemon-reload + +portablectl "${ARGS[@]}" attach --force --copy=symlink --now --runtime /tmp/overlay app1 + +systemctl is-active app1.service + portablectl detach --now --runtime overlay app1 umount /tmp/overlay diff -Nru systemd-252.30/test/units/testsuite-58.sh systemd-252.31/test/units/testsuite-58.sh --- systemd-252.30/test/units/testsuite-58.sh 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/test/units/testsuite-58.sh 2024-10-10 18:34:03.000000000 +0100 
@@ -914,6 +914,47 @@ assert_in "${loop}p3 : start= *${start}, size= *${size}, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=DB081670-07AE-48CA-9F5E-813D5E40B976, name=\"linux-generic-2\"" "$output" } +testcase_random_seed() { + local defs imgs output + + # For issue #34257 + + defs="$(mktemp --directory "/tmp/test-repart.defs.XXXXXXXXXX")" + imgs="$(mktemp --directory "/var/tmp/test-repart.imgs.XXXXXXXXXX")" + # shellcheck disable=SC2064 + trap "rm -rf '$defs' '$imgs'" RETURN + chmod 0755 "$defs" + + tee "$defs/root.conf" <<EOF +[Partition] +Type=root +EOF + + tee "$defs/home.conf" <<EOF +[Partition] +Type=home +Label=home-first +EOF + + tee "$defs/swap.conf" <<EOF +[Partition] +Type=swap +SizeMaxBytes=64M +PaddingMinBytes=92M +EOF + + systemd-repart --definitions="$defs" \ + --empty=create \ + --size=1G \ + --dry-run=no \ + --seed=random \ + --json=pretty \ + "$imgs/zzz" + + sfdisk -d "$imgs/zzz" + [[ "$(sfdisk -d "$imgs/zzz" | grep -F 'uuid=' | awk '{ print $8 }' | sort -u | wc -l)" == "3" ]] +} + test_basic test_dropin test_multiple_definitions @@ -923,6 +964,7 @@ test_issue_24553 test_zero_uuid test_verity +testcase_random_seed # Valid block sizes on the Linux block layer are >= 512 and <= PAGE_SIZE, and # must be powers of 2. Which leaves exactly four different ones to test on diff -Nru systemd-252.30/test/units/testsuite-75.sh systemd-252.31/test/units/testsuite-75.sh --- systemd-252.30/test/units/testsuite-75.sh 2024-08-19 21:25:31.000000000 +0100 +++ systemd-252.31/test/units/testsuite-75.sh 2024-10-10 18:34:03.000000000 +0100 @@ -16,6 +16,12 @@ "$@" |& tee "$RUN_OUT" } +run_delv() { + # Since [0] delv no longer loads /etc/(bind/)bind.keys by default, so we + # have to do that explicitly for each invocation + run delv -a /etc/bind.keys "$@" +} + monitor_check_rr() ( set +x set +o pipefail 
@@ -214,9 +220,9 @@ # Check the trust chain (with and without systemd-resolved in between # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 signed.test +run_delv @10.0.0.1 signed.test grep -qF "; fully validated" "$RUN_OUT" -run delv signed.test +run_delv signed.test grep -qF "; fully validated" "$RUN_OUT" run dig +short signed.test @@ -239,9 +245,9 @@ # DNSSEC validation with multiple records of the same type for the same name # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 dupe.signed.test +run_delv @10.0.0.1 dupe.signed.test grep -qF "; fully validated" "$RUN_OUT" -run delv dupe.signed.test +run_delv dupe.signed.test grep -qF "; fully validated" "$RUN_OUT" # Test resolution of CNAME chains @@ -266,9 +272,9 @@ # Check the trust chain (with and without systemd-resolved in between # Issue: https://github.com/systemd/systemd/issues/22002 # PR: https://github.com/systemd/systemd/pull/23289 -run delv @10.0.0.1 sub.onlinesign.test +run_delv @10.0.0.1 sub.onlinesign.test grep -qF "; fully validated" "$RUN_OUT" -run delv sub.onlinesign.test +run_delv sub.onlinesign.test grep -qF "; fully validated" "$RUN_OUT" run dig +short sub.onlinesign.test
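Review bot: in link_update_diskseq() (src/udev/udev-node.c), the DISKSEQ mismatch branch logs "proceeding anyway" and returns 0, which the new caller in link_update() treats as "not handled", so a by-diskseq symlink whose name does not match the device's DISKSEQ is still processed by the generic stack-directory code that follows. If that fallback is intended, say so in a comment next to "if (r != 0) return r;" and document the return convention at the function (negative = error, 0 = fall through, 1 = done). If it is not intended, this branch should refuse the symlink. The missing-DISKSEQ branch says "ignoring" but also returns 0, so its wording does not match what happens next.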
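Review bot: create_rc_local() in test/test-functions no longer creates rc.local after this hunk, it masks systemd-rc-local-generator, so the function name now misleads callers. Rename it or add a one-line comment explaining why the old name is kept. Also, "ln -s /dev/null ..." fails if the link already exists, whereas the "mkdir -p" just above it is idempotent; "ln -sf" would make both steps safe to repeat.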
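Review bot: test/units/testsuite-17.14.sh sets "trap at_exit EXIT" before "TMPDIR="$(mktemp -d)"", and at_exit runs rm -rf "$TMPDIR" whenever that path is a directory. TMPDIR is the conventional environment variable for the temporary directory, so if it is inherited from the caller and "udevadm control --log-level=debug" fails under set -e, the handler removes the inherited directory instead of a test-private one. Use a script-private variable name and assign it before installing the trap.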
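Review bot: testcase_iodevice_unitfile() in test/units/testsuite-19.keyed-properties.sh ends with "rm -f /run/systemd/system/test1.service" but does not run "systemctl daemon-reload" afterwards, so the manager keeps the removed unit loaded for whatever test case runs next. Add the reload after the rm. In testcase_iodevice_dbus(), a failing "diff -u" under set -e exits before "systemctl stop test0.service", which leaves the transient unit running; stopping it from a trap would avoid that. The comment at the top of that function also opens a parenthesis at "(because" and never closes it.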
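Review bot: the "Ensure --force works also when symlinking" block in test/units/testsuite-29.sh pre-seeds app1.service and its two drop-ins, but the only check after "portablectl ... attach --force --copy=symlink" is "systemctl is-active app1.service", which does not show that the pre-seeded files were replaced. Assert on the result directly, for example that the three paths under /run/systemd/system.attached/ are now symlinks, or that their content is no longer the placeholder "Description=App 1". The same applies to the minimal-app0 block in the first hunk, where only "portablectl is-attached --force" follows.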
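Review bot: the final check in testcase_random_seed() (test/units/testsuite-58.sh) takes the UUID from a fixed whitespace-separated column, "awk '{ print $8 }'", so it depends on the spacing sfdisk puts after "start=" and "size=" rather than on the uuid= key. Matching the key itself, for example with grep -o 'uuid=[^,]*', keeps the count of distinct UUIDs independent of column layout. The function is also named testcase_random_seed while every other entry in the call list below it uses the test_ prefix (test_basic, test_verity, ...); please keep the naming consistent within this file.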
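Review bot: the comment in the new run_delv() helper (test/units/testsuite-75.sh) cites "[0]" but no such reference is defined in the hunk, so the reader cannot tell which delv change it refers to; include the link or version. The comment also names both /etc/bind.keys and /etc/bind/bind.keys as possible locations, while the command hard-codes "-a /etc/bind.keys"; either pick the path that exists at run time or state in the comment that the test image always provides /etc/bind.keys.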