mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-08 05:57:26 +03:00

55878 Commits

Author SHA1 Message Date
Ludwig Nussel
8625211cc8 pull: fix PullFlags numbering
(cherry picked from commit 5243331fb8b77812177cf327f7d8c86c2e4ce323)
(cherry picked from commit 6a9cf204a724cbe02bb8dcbb28566fcb2065c6c9)
2022-11-04 13:02:20 +01:00
Luca Boccassi
c454d5fafb integritysetup: do not use crypt_init_data_device after crypt_init
crypt_init_data_device() replaces the crypt_device struct with a
new allocation, losing the old one, which we get from crypt_init().
Use crypt_set_data_device() instead.

Enhance the test to cover this option too.

(cherry picked from commit 872f9da4d8b67b012f1b1b227416d0c99bcdf43c)
(cherry picked from commit a27b69445384ec190503ec957cb9f81b1a382694)
2022-11-04 13:02:20 +01:00
Daan De Meyer
215b6ce2d6 man: Clarify that tools should prefer mount units over editing fstab
(cherry picked from commit 29e804dffd52496aaad2d0fc6a50d18a9940010d)
(cherry picked from commit 3814bd0e719dee925b4f3e47efe7cbd5ce03005a)
2022-11-04 13:02:20 +01:00
Lennart Poettering
3367e1bf48 man: fix docbook
(cherry picked from commit 1374f5a03aec469ad2f0ce56650f26da285d8660)
(cherry picked from commit 6b58b06c7d52db11e48213628370b25a7e2da69a)
2022-11-04 13:02:20 +01:00
James Hilliard
4fa81b6a2d bpf: fix is_allow_list section
The llvm bpf compiler appears to place const volatile variables in
a non-standard section which creates an incompatibility with the gcc
bpf compiler.

To fix this force GCC to also use the rodata section.

Note this does emit an assembler warning:
Generating src/core/bpf/restrict_ifaces/restrict-ifaces.bpf.unstripped.o with a custom command
/tmp/ccM2b7jP.s: Assembler messages:
/tmp/ccM2b7jP.s:87: Warning: setting incorrect section attributes for .rodata

See:
https://github.com/llvm/llvm-project/issues/56468

Fixes:
../src/core/restrict-ifaces.c:45:14: error: ‘struct
restrict_ifaces_bpf’ has no member named ‘rodata’; did you mean
‘data’?
   45 |         obj->rodata->is_allow_list = is_allow_list;
      |              ^~~~~~
      |              data

(cherry picked from commit e8b1e9cf1095f9d6d0f1e2dce2503e25fec2e6c5)
(cherry picked from commit cdd3f180b0777e3f94dd1666a7a07a494277beed)
2022-11-04 13:02:20 +01:00
Loïc Collignon
12b041584a Fix 24172: __STDC_VERSION__ may be defined in C++
According to the C++ ISO standard, a conformant compiler is allowed to
define this macro to any value for any reason as it is implementation
defined: https://timsong-cpp.github.io/cppwp/cpp.predefined#2.3

This means that it cannot be assumed that it is not defined in C++.
Change the condition to reflect that.

(cherry picked from commit 00852912edc69e652f4932fa536da60528f08ed3)
(cherry picked from commit 45faf77d4d0e349d7a7b84c46f943504d8f3b4cf)
2022-11-04 13:02:20 +01:00
Lennart Poettering
618b8d5a6d systemctl: clarify that "status" is about the most recent invocation of a service
And point people to "journalctl --unit=" for information of prior runs.

Inspired by: #24159

(cherry picked from commit 157cb4337b83359267050bff43c1ad39b0303f10)
(cherry picked from commit 0cfe2d7e88e197795209dbf7442fc05f814468ad)
2022-11-04 13:02:20 +01:00
Lennart Poettering
8e6ba03724 repart: when keeping ref to backing inode/devnode, use fd_reopen() rather than F_DUPFD
Via the "backing_fd" variable we intend to pin the backing inode through
our entire code. So far we typically created the fd via F_DUPFD_CLOEXEC,
and thus any BSD lock taken on the original fd is shared with our
backing_fd reference. And if the original fd is closed but our backing_fd
is not, we'll keep the BSD lock open, even if we then reopen the block
device through the backing_fd. If hit, this results in a deadlock.

Let's fix that by creating the backing_fd via fd_reopen(), so that the
locks are no longer shared, and if the original fd is closed all BSD
locks on it that are in effect are auto-released.

(Note the deadlock is only triggered if multiple operations on the same
backing inode are executed, i.e. factory reset, resize and applying of
partitions.)

Replaces: #24181
(cherry picked from commit 38f81e937426993cfc899aa09298f69f00935852)
(cherry picked from commit d3e84e47035753b3c24a27ebab6ae2a7db87b71d)
2022-11-04 13:02:20 +01:00
Jacek Migacz
a2fc30409d resolved: fix single-label resolution over DNS
Fixes: #23494 (when ResolveUnicastSingleLabel=yes)
(cherry picked from commit ff0a5070d45f20df7744b1090892be797bf18365)
(cherry picked from commit 7384d152c811c4c87616b67a2f4bb1783c5a2373)
2022-11-04 13:02:20 +01:00
Cristian Rodríguez
c57e95e8fa gcrypt: switch to system rng before gcry_check_version (#24162)
Current docs claim this must be done before gcry_check_version.

(cherry picked from commit 91375fb9cf38aca397a6d50e3f22dfb7a4aa1b98)
(cherry picked from commit 695eb673222cbf35c3afce0892fedcc7d08fb4af)
2022-11-04 13:02:20 +01:00
Max Gautier
427d189479 docs: Correct StandartOutput documentation
fix #2114

(cherry picked from commit e0a12b96344b1d7ee499df1d0447b14ced62c1b4)
(cherry picked from commit 79de67e2dfebf3c40a65010d4d261dda28489f3e)
2022-11-04 13:02:20 +01:00
Eli Schwartz
9359dd6977 meson: fix broken boolean kwarg
Everywhere else that `conf.get('ENABLE_*')` is used as a boolean key for
something (for example in if statements) it always checks if == 1, but
in this one case it neglects to do so. This is important because
conf.get yields the same int that was stored, but if statements require
booleans.

So does executable's "install" kwarg, at least according to the
documentation. In actuality, it accepts all types without sanity
checking, then uses python "if bool(var)", so you can actually do
`install: 'do not'` and that's treated identical to `true`. This is a
type-checking bug which Meson will eventually fix.

muon fails on the same code, today.

(cherry picked from commit 9e4a50bcdf7a275766e4f5c7af012c32bc22128d)
(cherry picked from commit 3a382bf86bd2da98cdb9094165e4da0aaee68c9c)
2022-11-04 13:02:20 +01:00
Cristian Rodríguez
97c82a3abb gcrypt: prefer the OS RNG
by default, gcrypt defaults to a userspace RNG, this is
the wrong thing (tm) to do on linux.

Switch to the SYSTEM rng instead.

(cherry picked from commit 80f967311ac53ae43b5a26332f32cc6665661338)
(cherry picked from commit ca0ed3a78cc2414706a59384d50b9048e1f00357)
2022-11-04 13:02:20 +01:00
Fei Li
427995b49b virt: detect KubeVirt instance
Kubevirt is currently technically based on KVM (but not xen yet[1]).
The systemd-detect-virt command, used to differentiate the current
virtualization environment, works fine on x86 relying on CPUID, while it
fails to get the correct value (none instead of kvm) on aarch64.

Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification
considering the sys_vendor is always KubeVirt.

[1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg

Signed-off-by: Fei Li <lifei.shirley@bytedance.com>
(cherry picked from commit c15d1ac2c4e8ce46c6d07621f7d5531cbc2160a8)
(cherry picked from commit e7d635f0b92dcd205802b459e25843de461022fe)
2022-11-04 13:02:20 +01:00
w30023233
62ea1502e0 virt: detect OpenStack Nova instance
(cherry picked from commit 01d9fbccddd694bc584aed24eaa0543f831dc929)
2022-11-04 13:02:19 +01:00
Vishal Chillara Srinivas
fb48f600cf RFC 6762 section 7.1: a Multicast DNS querier SHOULD NOT include records in the
Known-Answer list whose remaining TTL is less than half of their original TTL

(cherry picked from commit f941c124273ac1b3bce0029f69f9664ba6f01f7f)
(cherry picked from commit ef6c37908904f27e1322a03b1859c66ead4b629d)
2022-11-04 13:02:19 +01:00
Yu Watanabe
d935dd7e9d resolve: do not trigger assertions on invalid query
(cherry picked from commit 055acd4d8b385fd9ff29e49e0c46856a9e705433)
(cherry picked from commit b61a61ec53bb07550d71b5e8611e06ebc0b41755)
2022-11-04 13:02:19 +01:00
Yu Watanabe
30d24c8df6 resolve: mdns_packet_extract_matching_rrs() may return 0
Fixes the following assertion:
---
Assertion 'r > 0' failed at src/resolve/resolved-mdns.c:180, function mdns_do_tiebreak(). Aborting.
---

(cherry picked from commit f2605af1f2e770818bbc6bad2561acdbd25a38ad)
(cherry picked from commit 0070302b3cdc1350bf7bfd5d032dbea420f4ed40)
2022-11-04 13:02:19 +01:00
Yu Watanabe
23d0a99497 resolve: fix misuse of accuracy parameter in sd_event_add_time()
Also, this makes mDNS regular queries sent without delay (except for
one caused by the default accuracy of sd-event).

Note, RFC 6762 Section 5.2 is about continuous mDNS query, which is not
implemented yet.

(cherry picked from commit 765647ba805727e93ac8607e38c7b60da2aab2dd)
(cherry picked from commit 41810cb16653058c529d123412ed78064406b34e)
2022-11-04 13:02:19 +01:00
Yu Watanabe
324bacfe9a resolve: drop unnecessary else, and add short comment
(cherry picked from commit 4b2ceb8a48c3aeef4147e335b5f31bc2ed4aa6fb)
(cherry picked from commit a1edebfde068a07179817259db270763067ebcd3)
2022-11-04 13:02:19 +01:00
Yu Watanabe
dc3faeed05 resolve: mdns: fix use-after-free
Fixes #23843 and #23873.

(cherry picked from commit d50a58e7252b763043485aa79a61094bfae9d7ff)
(cherry picked from commit e832a277ead1b1a4ec0d4757d24c44dfee8889e2)
2022-11-04 13:02:19 +01:00
Luca Boccassi
74c33f69bb portable: set PrivateTmp=yes in trusted profile too
When running on images you don't want to modify the /tmp
directory even if it's writable, and often it will just
be read-only. Set PrivateTmp=yes.

Fixes https://github.com/systemd/systemd/issues/23592

(cherry picked from commit f2d26cd89b195e53f184387f1a5b97a98512c82a)
(cherry picked from commit 6e111d2811b12e67879e66fc9fdf39cc96977681)
2022-11-04 13:02:19 +01:00
Yu Watanabe
40cdad3506 core/mount: downgrade log level about several mkdir failures
(cherry picked from commit 574febda6b0e00aae164b18b70aa80744d950500)
(cherry picked from commit 9f8b7ee55a38ac94fe88e396772efeda8a020693)
2022-11-04 13:02:19 +01:00
Yu Watanabe
f26f995108 Revert "core/mount: fail early if directory cannot be created"
This reverts commit e4de58c8231e47509ffeb3aa47620ca42f22d7f6.

If mkdir() fails and the path does exist, then the later mount
command fails anyway. Hence, it is not necessary to fail here.

Fixes #24120.

(cherry picked from commit e5e6b7c225987551ebda14d2d7feadb66a64fb3c)
(cherry picked from commit b1e494d64ded9b1f4927d41d0165420bf1def996)
2022-11-04 13:02:19 +01:00
Yu Watanabe
f0f5e74b2b home: drop conflicted headers
Fixes #24117.

(cherry picked from commit 0a58cd00454cc7b57b04f3a4a334584d743d7f7a)
(cherry picked from commit 739d7130cb7cfc67e79bd2dbf13856b6a2fc666d)
2022-11-04 13:02:19 +01:00
Yu Watanabe
ed66376b05 homed: fix dbus node enumerator
Fixes #24114.

(cherry picked from commit 52023622d2f8312887fcf72ca29bab4ad42c8eb7)
(cherry picked from commit 834632a4775e72d361a493979fd038f48163f65c)
2022-11-04 13:02:19 +01:00
Lennart Poettering
81bc16ab7c localed: don't fail if we cannot copy an xattr
We ignore xattr copy failures on all other cases, and we should do so
here too.

Fixes: #24106
(cherry picked from commit d3efe29452aeddc395865469b776fe7a1eb45eae)
(cherry picked from commit 200cbc299bddd6f0c896167be8a8be6475d76f20)
2022-11-04 13:02:19 +01:00
Yu Watanabe
8ead3d8e07 udev: downgrade error level and mention that the error is ignored
(cherry picked from commit 6e40ed53257604f81b14ddefadf5a782dc8ad279)
(cherry picked from commit a9dd0f6fc962e9cf00bfd98b056928fc956f78b7)
2022-11-04 13:02:19 +01:00
Rudi Heitbaum
998b08ec5f glibc: Remove #include <linux/fs.h> to resolve fsconfig_command/mount_attr conflict with glibc 2.36
(cherry picked from commit 3657d3a01c7e25ff86d7a4642065b367c4ff7484)
(cherry picked from commit 8fe0c121787efe16c2a7a0f27a3d9862d0a12c81)
2022-11-04 13:02:19 +01:00
Yu Watanabe
0e7214c8b5 unit-file: avoid (null) in debugging logs
The variable `inst` was set to NULL by TAKE_PTR().

This fixes the following log message:
```
systemd[1]: Unit getty@tty2.service has alias (null).
```

(cherry picked from commit 7c35b78a0b96085e3d634542212c5521bc2a2f21)
(cherry picked from commit 9ac0ad80fe97c22ec3dc4670e859abaae9a1f8bf)
2022-11-04 13:02:19 +01:00
Zbigniew Jędrzejewski-Szmek
aa97e014fa manager: limit access to private dbus socket
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).

But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that we'd reject anyway. It also makes
things more explicit.

(cherry picked from commit df1cbd1adf26071aab41d96e054452a3d66103a4)
(cherry picked from commit dc3333bcc992003607582e4a05ca8699ee9317aa)
2022-11-04 13:02:19 +01:00
Richard Huang
44725ecccd Update sleep.conf HibernateDelaySec default to match implementation
(cherry picked from commit 5f2b4f9cb9555f3beb582e95624418a8277128e9)
(cherry picked from commit 9f3ed4f5ccccd1ab36e099b548a71c5518cd28ba)
2022-11-04 13:02:19 +01:00
David Tardon
1dbe819311 systemctl: include upheld units in dependencies
Fixes: #22706
(cherry picked from commit cbc2593eeaf35a42881319d7fa50b12fc5584bf9)
(cherry picked from commit 8e466d902d56b7a815abc81536a71b92690d8c51)
2022-11-04 13:02:19 +01:00
Vito Caputo
919b10b361 man: fix grammatical error in --cursor-file description
Just a minor cleanup to fix unparseable wording

(cherry picked from commit 729d2df8065ac90ac606e1fff91dc2d588b2795d)
(cherry picked from commit 110d49d15138ff6de17c7d964cd20ac124697c3e)
2022-11-04 13:02:19 +01:00
Frantisek Sumsal
32848f4559 core: drop a stray %m specifier from a warning message
since in this specific case (r == 0) `errno` is irrelevant and most likely
set to zero, leading up to a confusing message:

```
[  120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[  120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```

(cherry picked from commit e99b9285cb289115a64d775c768e6e831e39f12e)
(cherry picked from commit 5c822e33c90bd7f15c44e7375fd0c83ccec54918)
2022-11-04 13:02:19 +01:00
Zbigniew Jędrzejewski-Szmek
c4c647fdb9 man: fix formatting of "BARRIER=1"
Whitespace inside of the <varname> field was propagated to the displayed form,
causing strange indentation.

(cherry picked from commit 9cfc294fe0e2637d96f8e5c29143c10e2173daa3)
(cherry picked from commit b7c5530a1f6874650628cc4771cb99ae353c2495)
2022-11-04 13:02:19 +01:00
lastkrick
c93fb9a57e man: fix typo in systemd.network documentation in IPv6RoutePrefix section (#24030)
(cherry picked from commit 69a7d108327fa5d4b4e8e913441e924b2187cd78)
(cherry picked from commit 7632ff4cccb03893800d36bbf1966f8c20829c9f)
2022-11-04 13:02:19 +01:00
Łukasz Stelmach
217b3e012b core: drop ambient capabilities in user manager
Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect the permitted and effective sets
which are important for the manager itself to operate.

(cherry picked from commit 963b6b906e5666876f5c90b47600b13ae94d5e4c)
(cherry picked from commit c88309d5cd69d9997cfb74a77e340783a7ac63a9)
2022-11-04 13:02:19 +01:00
Lennart Poettering
d8464304f0 cgroups-agent: connect stdin/stdout/stderr to /dev/null
Inspired by https://github.com/systemd/systemd/pull/24024 this is
another user mode helper, where this might be an issue. Hence let's
rather be safe than sorry, and also connect stdin/stdout/stderr
explicitly with /dev/null.

(cherry picked from commit 50492ce81589773df2d82b4fc8047778e86c6edf)
(cherry picked from commit 689487785f776815e71642f89685ff01f0bc4fde)
2022-11-04 13:02:19 +01:00
Daan De Meyer
3e1224d4ac coredump: Connect stdout/stderr to /dev/null before doing anything
When invoked as the coredump handler by the kernel, systemd-coredump's
stdout and stderr streams are closed. This is dangerous as this means
the fd's can get reallocated, leading to hard to debug errors such as
log messages ending up being appended to a compressed coredump file.

To avoid such issues in the future, let's bind stdout/stderr to
/dev/null so the file descriptors can't get used for anything else.

(cherry picked from commit 1f9d2a8199c261593aa6a11df9cce5d31e23c714)
(cherry picked from commit fba50bc0fc5a69e5573ceadb5d6224f365d3c3f5)
2022-11-04 13:02:19 +01:00
Lennart Poettering
7e7a6d60f4 man: explain why various resource limits don't make sense and should not be used.
(cherry picked from commit 8c8889577238749007c9bc129635af7c608723df)
(cherry picked from commit 724d52146abcdc02187d7cc2a12aec5e56300a9b)
2022-11-04 13:02:19 +01:00
Lennart Poettering
e655a7ac7b man: drop misplaced ','
(cherry picked from commit 3840b147818882a0d8e3ad5427c464796bb713f5)
(cherry picked from commit 83203873ee90e943966b36e5d6b4506d2526fa46)
2022-11-04 13:02:19 +01:00
Andre Kalb
a791dc67f8 man/network: ServerAddress= drop "literal" from IP address ranges
(cherry picked from commit 1df6201882607666daec13d7f7c056e8366ef5aa)
(cherry picked from commit 098d70f438661fee40dba45d8f00f2b6415e0d15)
2022-11-04 13:02:18 +01:00
Lennart Poettering
296bd564cc base-filesystem: pick more conservative access mode for /root/
Let's not allow anyone to look into /root/ if we create it via the
base-filesystem logic. i.e. change 0755 → 0750 as default access mode
for /root/, in case we create it if it happens to be missing.

(cherry picked from commit 93cbc9ca12043a13a2a80087a00012e009216f13)
(cherry picked from commit 64be8d8a345424021d837e922679816595d4b9ee)
2022-11-04 13:02:18 +01:00
Lennart Poettering
8b674cf43f tmpfiles: check the directory we were supposed to create, not its parent
This current code checks the wrong directory. This was broken in
4c39d899ff00e90b7290e4985696f321d7f2726f which converted the previous
code incorrectly.

(cherry picked from commit 92631578fff1568fa8e99f96de05baae5b258ffe)
(cherry picked from commit 625472b219a4b1ac64534d38cf6e64b51ab22bbb)
2022-11-04 13:02:18 +01:00
Lennart Poettering
a77b81f124 stat-util: replace is_dir() + is_dir_fd() by single is_dir_full() call
This new call can execute both of the old operations, but also do
generic fstatat() like behaviour.

(cherry picked from commit a586dc791ca465f4087473d2ad6794b7776aee2d)
(cherry picked from commit 9255fa3a15c5c7dea9ddb2ce5399d3b675f8368b)
2022-11-04 13:02:18 +01:00
undef
71e8f6de62 growfs: Expand FS even if underlying block expansion fails
This allows growfs to expand the filesystem even when the underlying
block device cannot be expanded. This has been useful for example on
LUKS devices that have already been expanded using systemd-repart.

This works around the following error:
```
root@mobian:/home/mobian# /usr/lib/systemd/systemd-growfs /
crypt_resize() of /dev/block/179:2 failed: Operation not permitted
```

(cherry picked from commit e9a28b8ccd3352da3e0a75a18fc1185e52476a80)
(cherry picked from commit 378e187ed49d28fed2adfb4848f89aa438854f28)
2022-11-04 13:02:18 +01:00
undef
e39019fd10 growfs: don't actually resize on dry-run
This causes systemd-growfs to exit before resizing the partition when
`--dry-run` is passed. Resizing during a dry run of a change breaks the
user's expectations.

(cherry picked from commit d26c0f7243a709cfa7b8bdc87e8131746bb0e2d0)
(cherry picked from commit 00c6c62845c560ef09f845aeedabdc9027be5678)
2022-11-04 13:02:18 +01:00
Yu Watanabe
a6aa5b2f72 sd-bus: do not pass NULL when received message with invalid type
Fixes #24003.

(cherry picked from commit 3f0dbb0f0c4e3c0013fa5fe54441ca7f969555a7)
(cherry picked from commit e56bfc8a417d1877c25b943b75cd73163246fbf2)
2022-11-04 13:02:18 +01:00
Zbigniew Jędrzejewski-Szmek
ca6ee4241a man: lift pam_systemd_homed description to Summary
Also change the title to describe the module more comprehensively.
Follow-up for 90bc309aa2c1430941f4c50f73e681ab3e488bd3. Suggested
in https://bugzilla.redhat.com/show_bug.cgi?id=2085485#c5.

(cherry picked from commit 9e6df034128936895df2d6348eefce61317ebcc2)
(cherry picked from commit a4af8592c66900734d2561b2f6809baaefdbcce8)
2022-11-04 13:02:18 +01:00