IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This fixes a minor bug introduced by 10af8bb24b39a815079f6bf31b449c6e5aaa2adf.
Before the commit, the interface group was set only when Group= is explicitly
specified, otherwise the interface group was kept. However, after the commit,
we need to specify Group= with an empty string to keep the current interface
group.
(cherry picked from commit cee683394328ae271348fad93c3474b5784bcc78)
../src/journal-remote/microhttpd-util.c: In function ‘check_permissions’:
../src/journal-remote/microhttpd-util.c:301:5: error: function might be candidate for attribute ‘noreturn’ [-Werror=suggest-attribute=noreturn]
301 | int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
| ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Fixes#23630.
(cherry picked from commit b547241728487c0dca22780241b04964f2eb37af)
(cherry picked from commit ad74be8f3746dcca066860cbb23befada4af84c6)
Sometimes we want to suppress strerror() message because the are providing
something better. But in those cases, it seems it was just forgotten.
(cherry picked from commit 2e09b2235a27df3ada3542a2402b6e1727fc2c6c)
(cherry picked from commit b9f0194aabcce280121fb2f657e38e12f1f0a5b9)
$ build/test-socket-bind
...
libbpf: load bpf program failed: Operation not permitted
libbpf: failed to load program 'sd_bind4'
libbpf: failed to load object 'socket_bind_bpf'
libbpf: failed to load BPF skeleton 'socket_bind_bpf': -1
Failed to load BPF object: Operation not permitted
Now all lines with "libbpf:" are at debug level and will be hidden by
default.
Partially fixes https://bugzilla.redhat.com/show_bug.cgi?id=2084955#c14
(i.e. the error that was exposed when the initial error was fixed.)
(cherry picked from commit 44005a5778ca66848bf7e8dfe4c51ae62919bd69)
(cherry picked from commit eceaa72f8786f378a63df442d1466b46afd3cb7b)
DnsPacket.ifindex=1 (loopback) is normalized to 0 whenever a message is
received on the loopback iface, so for both listeners, 127.0.0.53 and
127.0.0.54, the ifindex will be set to 0 by manager_recv() for queries
that have a local origin.
Replies to such local messages need to set a proper ifindex in any
case, as the supplied source-address would otherwise be ignored in
manager_ipv4_send() (CMSG generation is skipped due to ifindex > 0 check).
Note that this change only forces `ifindex` to loopback if it was actually
normalized to `0` before (due to a loopback detection) in order to keep the
nat-to-127.0.0.54-from-another-interface usecase that was described in
a8d09063447568d87288a8e868fe386c1da7ce09 intact.
Also note that nat is not supported for the main stub 127.0.0.53 which is
why forcing LOOPBACK_IFINDEX was/is fine for that case.
Fixes#23495
(cherry picked from commit dfa14e2859418593b2f9bfae8936d780148c4e6a)
(cherry picked from commit 7ee5cde34348fb5f75577d2fdfa000f33ea7876c)
After sending a SIGKILL to a process, the process might disappear from
`cgroup.threads` but still show up in `cgroup.procs` and still remains in the
cgroup and cause migrating new processes to `Delegate=yes` cgroups to fail with
`-EBUSY`. This is especially likely for heavyweight processes that consume more
kernel CPU time to clean up.
Fix this by only returning 0 when both `cgroup.threads` and
`cgroup.procs` are empty.
(cherry picked from commit 37f0289bf5f2283c187032f83c33ea955b75f119)
(cherry picked from commit 1961d84ab55c18cfd908a3a80d60455aea96f369)
Include this header to fix errors when including hwdb-internal.h:
../src/libsystemd/sd-hwdb/hwdb-internal.h:16:21: error: field ‘st’ has incomplete type
16 | struct stat st;
(cherry picked from commit 9745b51c73c78a63003b4cb6e0714829144d297c)
(cherry picked from commit f00716615d54711f0fd584568f04615e4a206c05)
Fixes#22966. Since there are competing conventions, let's not
change our code, but make the docs match what is implemented.
(cherry picked from commit b72308d34440530df3bb8b6b3d272dfc303d1d37)
(cherry picked from commit cfd6a14c7d21fc4e4b0d8a5b684127b69231fa96)
shmat() requires the CAP_IPC_OWNER capability. When running test-seccomp
in environments with root + CAP_SYS_ADMIN, but not CAP_IPC_OWNER,
memory_deny_write_execute_shmat would fail. This fixes it.
(cherry picked from commit 7e46a5c093e9e0d2e1ec734058e0caf1725ff37e)
(cherry picked from commit d4ca019870e9c31026c75633be12b5893ffa4ecf)
(cherry picked from commit 9a50c7c1499cb84b068552c503b9139c9e3a2e17)
This fixes a spurious warning from the manager running in user mode:
systemd[1668]: Reached target sockets.target.
systemd[1669]: Failed to create BPF map: Operation not permitted
systemd[1669]: Finished systemd-tmpfiles-setup.service.
systemd[1669]: Listening on dbus.socket.
systemd[1669]: Reached target sockets.target.
systemd[1669]: Reached target basic.target.
systemd[1]: Started user@6.service.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2084955.
(cherry picked from commit ba187c9c9ce9c0d16e09aca8c3d3c38975ce05a9)
This backports the same fix from 6e9165397faa1b546d367bdfc28dd4377a8f1d0a
in systemd upstream that we can't backport directly because that commit
introduces a new feature.
(cherry picked from commit eb76587f33a08c91f025d4c7fa685c44f7b2d332)
3970 e = object_path_startswith(path, prefix);
(gdb) p path
$1 = 0x55c5a166f768 "/org/freedesktop/portable1/image"
(gdb) p prefix
$2 = 0x55c59ffc2928 "/org/freedesktop/portable1/image"
(gdb) p e
$1 = 0x5581a1675788 ""
This can be a bit confusing in certain cases, so add a comment and a
test to make the behaviour clearer and explicit.
(cherry picked from commit 54cd2d6869d20f0df3d8264168e17c31893dc0ca)
I took inspiration from pid1:
bus_unit_find()
→ find_unit()
→ manager_load_unit_from_dbus_path()
→ unit_name_from_dbus_path()
→ !startswith(path, "/org/freedesktop/systemd1/unit/")
→ return -EINVAL
←
←
←
← if (r < 0) return 0
← 0
←
i.e. we return 0 when queried for "/org/freedesktop/systemd1/unit".
Fixes#23445.
(cherry picked from commit 4313e2b69fe1bcddd7b551e171f1fa3554155968)
We always require at least ID to be set in os-release, reject
and propagate error to the caller instead of asserting later
(cherry picked from commit 7b2e763242e7736ef941f275977aa0c30d832c63)
Fixes#23433
matches is plumbed through until it finally gets used in unit_match()
which can deal with NULL matches so the assert() is unnecessary and
can be removed.
The two call sites of extract_image_and_extensions() also don't
assert() on matches either.
(cherry picked from commit 1751d8c80cef40777b782c737947b4e86d99e7d6)
Otherwise, dns_transaction_requires_nsec() may not find no required
transaction, and return true. That sets
`answer_dnssec_result = DNSSEC_NO_SIGNATURE`, and the entire transaction fails.
Fixes#21414.
(cherry picked from commit 26b23d11870185b2ddab51bb1684d6761e8aa553)
rpms can be installed in two different modes: into a chroot, where the system
is not running, and onto a live system. In the first mode, where should create
all changes that are "permanent", and in the second mode, all changes which are
"permanent" but also those which only affect the running system. Thus, changes
like new modprobe rules, tmpfiles rules, binfmt rules, udev rules, etc., are
guarded by 'test -d "/run/systemd/system"' which is the official way to check
if systemd is running, so that they are *not* executed when installed into a
chroot. But the same logic does not apply to sysusers, hwdb, and the journal
catalog: all those files can and should result in changes being performed
immediately to the system. This makes the creation of immutable images possible
(because there are no permanent changes to executed after a reboot), and allows
other packages to depend on the the effect of those changes.
Thus, the guard to check if we're not in a chroot is dropped from triggers for
sysusers, hwdb, and the journal catalog. This means that those triggers will
execute, and no subsequent work is needed. systemd-sysusers.service,
systemd-journal-catalog-update.service, and systemd-hwdb-update.service.in all
have ConditionNeedsUpdate= so they they generally won't be invoked after a
reboot. (systemd.rpm does not touch /usr to trigger the condition, because the
%transfiletriggers make that unnecessary.)
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085481
(cherry picked from commit 2fd7ecd2da699d2fece777062e408b62162768f6)
When `exist->rr` and `rr` point to the same object, then it may be freed by
the `dns_resource_record_unref()`.
(cherry picked from commit 4ce30e4de05971ea93bc727695000d0025eb1591)
This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:
<action id="org.freedesktop.login1.set-wall-message">
<description gettext-domain="systemd">Set a wall message</description>
<message gettext-domain="systemd">Authentication is required to set a wall message</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
Bug introduced in 9ef15026c0e7e6600372056c43442c99ec53746e
('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15).
Based on 0cb09bcb825ab86ba4ca70be4e6322eaf9baee95.
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
Fixes https://github.com/systemd/systemd/issues/23263
(cherry picked from commit 646cba5c4208c28c56dbe52d676ab1a176c69b7f)
