IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Let's wait until the child is fully done with mounting it's own
instances of procfs/sysfs before we destroy our fully visible copies of
it.
This borrows heavily from Christian Brauners fix#29521, but splits the
place + sync into two steps so that the child payload is not started
before the parent has destroyed the procfs instance.
Alternative to: #29521Fixes: #28157
(cherry picked from commit 1a8d781495c91c3bf62bf87190af4470a44ba8a5)
(cherry picked from commit 99d80a28eeb9943d0386934217c865441cc26c04)
Prompted by #29500.
(cherry picked from commit 2b43c5cb7a7771feff9556685925de0adf9414f2)
(cherry picked from commit 3e60339229f4843c4facf08092c8eca795de1b7b)
It confuses users when they cannot find respective environment variables
with config that is supposes for (x)inetd activated service only.
Fix: #29670
(cherry picked from commit 788b7e7630669a47c54c6f3299af14db26ca7fe0)
(cherry picked from commit 136dc1c818aab93301032664931765f6285d0ba8)
The actual default is 2^15 and that is also 32b kernels default.
Fix the value, mention 32b and do not talk about default which may
depend on nr_cpus.
Fix: #29607
(cherry picked from commit 761791bcf83219f44fc799a2e4326121486817b4)
(cherry picked from commit 02eb3ed7059fb2ee1c7e45bbc62dedbc6cb805aa)
When running with --build-dir= we need to copy over udev rules from
$BUILD_DIR/udev.d/ and $SOURCE_TREE/udev.d/ to make stuff work as
expected.
(cherry picked from commit 33b0e0c09a438fd565b6c4d059bd14cc9651c40b)
(cherry picked from commit 359fed84eea82238a7ccdf5eb76d635afefdcaa4)
When testing the secureboot enroll feature, it can be hard to distinguish without
using the QMP API of QEMU whether we are in a hang situation of the UEFI firmware.
Making it clear that we reached the `ResetSystem` can be helpful towards that need.
(cherry picked from commit b9a0a13f7ad71896c8382968e492a94922b0d744)
(cherry picked from commit 2962ffd0b2a21c1603ccab266830f1fd402e806f)
The extra space was actually screwing up deserialization:
~# systemd-run --wait --pipe -p SocketBindAllow=any true
Running as unit: run-u167.service
Finished with result: exit-code
Main processes terminated with: code=exited/status=234
Service runtime: 1ms
CPU time consumed: 0
~# journalctl -b -p err
...
Oct 27 16:39:15 arch systemd-executor[5983]: Failed to deserialize: Invalid argument
Let's not do that by default and introduce a simple wrapper which
inserts the space after each item only when necessary.
(cherry picked from commit b0bb3be130e241178646df0b5c5f02ed661651d4)
(cherry picked from commit 14fbb396eecfcd120329e4cd74edc1bc009c1837)
After logind receives the SIGRTMIN signal from the kernel, it will execute
manager_vt_switch---session_leave_vt---session_device_pause_all,The device
permissions of the session are removed here;under normal circumstances, the
tty value read from /sys/class/tty/tty0/active changes and switchesto a new
session,give the new session resume device permissions.
But under abnormal circumstances (such as switching quickly on a device using
wayland; and sometimes the kernel will suddenly send a SIGRTMIN signal, but
nothing changes),In these cases, logind does not give session resume device
permission, causing the device to have a black screen and suspended animation.
(cherry picked from commit 2f1d1140101268e69204ec62dd9abb8ead4b48c8)
(cherry picked from commit ca4f72f46009ce249d6c265b2a0fba67e7b72ad8)
mcopy will set the modification time of created directories to the mtime
of the source directories but converts it to the timezone of the host.
This behavior is identical to Windows / DOS:
> The FAT file system stores time values based on the local time of the computer.
-- https://learn.microsoft.com/en-us/windows/win32/sysinfo/file-times
To achieve reproducible builds, mcopy should be invoked with TZ=UTC.
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
(cherry picked from commit b2942c76adc5bb6a3e073aa5cee57834ee3a9813)
(cherry picked from commit a79a2997ecfdd271d8845c762764469bb553519f)
Co-authored-by: Paul Meyer <49727155+katexochen@users.noreply.github.com>
(cherry picked from commit 4947de275a5553399854cc748f4f13e4ae2ba069)
(cherry picked from commit 6b9297be80c4d98f014cf8d2d2fb3db644b16d5e)
The systemd-tmpfiles binary will report a fatal error if /tmp is not owned
either by root, or by the current user:
Detected unsafe path transition /tmp (owned by nobody) →
/tmp/test-systemd-tmpfiles.a8qc6n18 (owned by berrange)
during canonicalization of
tmp/test-systemd-tmpfiles.a8qc6n18/test-content.7chd7rdi
When doing development inside a 'toolbox' container (which is required
on a Fedora SilverBlue distro), /tmp is owned by 'nobody', because it
has been passed through from the host and host UID 0 gets mapped to
UID 65536 by usernamespaces. This triggers the unsafe path transition
error message.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8473ece90e53040931c880bcbff623f1a5c037cd)
(cherry picked from commit c7482035e3cefbfae2a1cc4b4529ebb705d67531)
On rpm-ostree distributions like Fedora SilverBlue /home (and various
other well known locations) are symlinks to somewhere beneath /var.
The path_is_encrypted() method uses O_NOFOLLOW and as a result will
return ELOOP on /home. This causes test-blockdev-util to abort.
Add ELOOP to the ignorable set of errnos for testing.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 6aa77f9284070229f73063e15cb4b4aa59cb6020)
(cherry picked from commit 1fcf8b5c8d217621d080fb41005f49e0608fa014)
Hopefully fixes many Coverity issues.
(cherry picked from commit 9e15e24bdbc695fe4fb65155b4e3bf73db34152b)
(cherry picked from commit c63cd5d55ed95bdda1512baf67d549d8a5d7d91f)
So we don't crash on invalid options:
$ build/systemd-random-seed --foo
Segmentation fault (core dumped)
(cherry picked from commit dd741b8893f28ec75fae9648c9e26c2fc887a781)
(cherry picked from commit b83e9fdf7cc8c925c5c7dcfd44ae8b2d6ace9bc8)
This seems to be the only place where rm_rf_children() is called with a
possibly used fd, which is then passed through to rm_rf_children_impl().
This also fixes#29606.
(Tested on Fedora rawhide with kernel 6.5.6-300.fc39.x86_64.)
(cherry picked from commit e3b84b105e632731352776fd619bbbea4d223b35)
(cherry picked from commit 02b14e74b79cff5f37a8b9984215829bb2837b21)
modprobe treats "-" and "_" interchangeably, thereby avoiding frequent
errors because some module names contain dashes and others underscores.
Because modprobe@.service unescapes the instance name, an attempt to
start "modprobe@dm-crypt.service" will run "modprobe -abq dm/crypt",
which is doomed to fail. "modprobe@dm_crypt.service" will work as
expected. Thus unescaping the instance name has surprising side effects.
Use "%i" instead.
(cherry picked from commit bf25cf6c49253e922524dfa0e7960f554838f18b)
(cherry picked from commit c98d0130dc8efd826cd85020337353cdbe644bb4)
Currently needed by test-dhcp-server unit test, af_packet is not built-in on
openSUSE distributions.
(cherry picked from commit a1af99df8e29ffb55b0c698eeda2c9bf795fc0e1)
(cherry picked from commit db2193609e554732c0288ccf27d5e58083f9219c)
We have a test where we compare the results from nftw() and our own
resurce_dit_at(). nftw() skips a dangling symlink when running under mkosi and
the test fails. I don't understand why nftw() does that, but in our code we
don't need to test and care about the details of nftw(), which we don't use,
outside of the one test, so let's just skip symlinks in the test.
Closes#29603.
(cherry picked from commit 974959e6f6352b76355b76ab550c0e729b2a8c21)
(cherry picked from commit 7db0b4c8df422fafa245f7ab0833b0ec764174ad)
We read properties of the unit, hence it shouldn't be GC'ed as long as
we run. Hence, let's just set AddRef unconditionally for the units we
create.
(cherry picked from commit 49a510eba29c78f4b7dc1c39391314a48eb8833b)
(cherry picked from commit 8326f9e378333ae01f686086bb1fd4d300d7c99b)
As systemd-journal-upload deals mostly with remote servers, add
some failsafes to its unit to restart on failures.
```
[Service]
Restart=on-failure
RestartSteps=10
RestartMaxDelaySec=60
```
(cherry picked from commit c08bec1587e102dd0435969e422288d69431e92c)
(cherry picked from commit fe0bf9f61913d70739359268134cbd10e375fe93)
When DHCP server is not running, sending force-renew command triggers
assertion.
(cherry picked from commit d311f5e277ae3609e661415b6c429fe3cd25e40b)
(cherry picked from commit 2cd9de1bbd76fc8a4f8cc0b10ea7cbb78fe0db1d)
We already do in the same way for sd-dhcp-client and friends.
(cherry picked from commit 39ba10f19e7d384ad48aaad9ff6c0b3c3e6bbef1)
(cherry picked from commit a7117e29f59fa6a81eb7025ec446b95c6b35f91a)
Follow-up for fc35a9f8d1632c4e7a279228f869bfc77d8f5b9c.
Fixes the issue https://github.com/systemd/systemd/pull/29472#issuecomment-1759092138.
(cherry picked from commit 9bd91e34aaf7c759617d4763853e55f419c06ffe)
(cherry picked from commit f453cbc5162eca42c415b8dc2325a7d734aca3e5)
There's really no point in logging about one of the most common cases we
have: that no BPF-LSM policy was installed for a specific unit.
(cherry picked from commit 58f1bd9b4ab889d0378a236d759649d4b45395f9)
(cherry picked from commit 86a85cb2b56f582c3a1e09d17a7f544bad0c23a7)
Let's show which fds are closed as part of the left-over fd set logic on
daemon reload/reexec cycles.
This is useful to debug accidentally unclaimed fds.
(cherry picked from commit 91a6447607635802ac2278b7997cde687e2549a4)
(cherry picked from commit b4cdf320554f122700e9d12c81dccf2c7565860b)
We have the "tasks.max" cgroup attribute only if we run in a cgroup
namespace, but not on the host. Hence let's handle ENODATA silently
simply to reduce the debug noise generated.
(cherry picked from commit bde7e12255a82f9b714fb3e44c291a79f7647cc9)
(cherry picked from commit d3a5c9f0bc030d8ba0ef8abb190afacb9cd06682)
According to the respective change in the DPS:
<https://github.com/uapi-group/specifications/pull/86>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
(cherry picked from commit 7c6dd200468f88c189d042c7ee25547032e296cd)
(cherry picked from commit 9f415a6347f6dbe725da5ef632b33e422a2845e8)
The device-mapper driver can return a wild variety of errors when trying
to activate the same dm-verity volume concurrently, as it might happen
with an image. There is a fallback logic in place, but the original
return code was clobbered when userspace signature check was added.
Add it back.
Follow-up for c2fa92e7e8907d9
(cherry picked from commit ace07128ac014d5e7d7d1664beb58e5f3700d59c)
(cherry picked from commit c2155c19c06dfe5dd086f7b62c30762e3e5aad92)
I am seeing some failures and I don't know what is failing and why even
with debug logs, so add more details
(cherry picked from commit 15461b7f19272d39e59e4c6d87dfe9d48f4d1f99)
(cherry picked from commit 31f64d0bc81d5e40a03478206c7d805ce8595366)
When verifying seals produced with forward secure sealing, the verification
currently does not check that old entries are only sealed with the key for
their epoch and not a more recent one. This missing check allows an attacker
to remove seals, and create new ones with the currently available key, and
verify will claim everything is in order, although all entries could have
been modified.
This resolves CVE-2023-31439.
Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
Grepping around showed a few extra entries that are not listed in the
remove_loader_variables() function. Namely:
- BootNext
- OsIndications
- LoaderConfigConsoleMode
- LoaderEntryLastBooted
Of which the latter two are systemd specific, even though they are
undocumented. Ensure they're removed - follow-up commits will add
documentation references.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
(cherry picked from commit 976904bf26957e75dbed467334592badf108beee)
(cherry picked from commit c6540a35ab6913ccdc57720d2a9d4e3d86e9178e)
Currently some of the code base check for the variable presence before
removing it, and some do not.
More so, in all cases (being updated) we're dealing with non-volatile
variables where changing those attribute to NVRAM wear out.
From what information I could find, there is no definitive answer if the
UEFI implementation will write to the NVRAM even when the variable is
missing.
So add a simple helper that checks for the variable presence before
removing it. While also having a bit cleaner API than the current
efivar_set(..., NULL, ...);
efivar_unset() follows the design from efivar_set*() where it returns an
EFI_STATUS even though its (presently) unused.
v2:
- add inline comment, use early return
v3:
- typos? typos!
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
(cherry picked from commit 5ee3c914a4e904567e66654177b07777dde0d100)
(cherry picked from commit 917569e3c1e1361d2c7bac584b99e075a4cb0b0d)
