IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
In make_credential_host_secret, the credential.secret file is generated
first as a temporary anonymous file that is later instantiated with
linkat(2). This system call requires CAP_DAC_READ_SEARCH capability
when the flag AT_EMPTY_PATH is used.
This patch check if the capability is effective, and if not uses the
alternative codepath for creating named temporary files.
Non-root users can now create per-user credentials with:
export SYSTEMD_CREDENTIAL_SECRET=$HOME/.config/systemd/credential.secret
systemd-creds setup
Signed-off-by: Alberto Planas <aplanas@suse.com>
(cherry picked from commit 1615578f2792fdeecaf65606861bd3db9eb949c3)
(cherry picked from commit 432ec5a654d5b8b123472ab64b29d9b5baf3cbf2)
(cherry picked from commit d7c8b1b7095b3e80b4e0dc354e1d69cb987c075e)
When these partitions are probed by gpt-auto,
they will always be hardened with such options.
See also: https://github.com/systemd/systemd/issues/25776#issuecomment-1364115711Closes#25776
(cherry picked from commit d708293d436516823e0e4bfb02c54365820fd8c6)
(cherry picked from commit 49804cfb71d3a79f433096e4cfb5616980171336)
(cherry picked from commit ebe67b6e885f2f8d0b9a9b72da9d7ce9b6f18b92)
Follow-up for f2f7785d7a47ffa48ac929648794e1288509ddd8.
Fixes#26033.
(cherry picked from commit 2cbb171d20a07ec0a25296f167b0385de102d74e)
(cherry picked from commit 89e86ad8df4b87092264e49bcfba8053eb74822d)
(cherry picked from commit abcd25b66e9f929572552f53337c65ddc16c24af)
CURLOPT_PROTOCOLS [0] was deprecated in libcurl 7.85.0 with
CURLOPT_PROTOCOLS_STR [1] as a replacement, causing build warnings/errors:
../build/src/import/curl-util.c: In function ‘curl_glue_make’:
../build/src/import/curl-util.c:255:9: error: ‘CURLOPT_PROTOCOLS’ is deprecated: since 7.85.0. Use CURLOPT_PROTOCOLS_STR [-Werror=deprecated-declarations]
255 | if (curl_easy_setopt(c, CURLOPT_PROTOCOLS, CURLPROTO_HTTP|CURLPROTO_HTTPS|CURLPROTO_FILE) != CURLE_OK)
| ^~
In file included from ../build/src/import/curl-util.h:4,
from ../build/src/import/curl-util.c:6:
/usr/include/curl/curl.h:1749:3: note: declared here
1749 | CURLOPTDEPRECATED(CURLOPT_PROTOCOLS, CURLOPTTYPE_LONG, 181,
| ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Since there's no grace period between the two symbols, let's resort
to a light if-def-ery to resolve this.
[0] https://curl.se/libcurl/c/CURLOPT_PROTOCOLS.html
[1] https://curl.se/libcurl/c/CURLOPT_PROTOCOLS_STR.html
(cherry picked from commit e61a4c0b7c79eabbe4eb50ff2e663734fde769f0)
(cherry picked from commit 14f573175aa6a026c03fd09dea5952f3755b799a)
(cherry picked from commit 4768110a2e051edeb9432283d009d12da81b13fd)
CURLINFO_PROTOCOL has been deprecated in curl 7.85.0 causing compilation
warnings/errors:
../build/src/import/pull-job.c: In function ‘pull_job_curl_on_finished’:
../build/src/import/pull-job.c:142:9: error: ‘CURLINFO_PROTOCOL’ is deprecated: since 7.85.0. Use CURLINFO_SCHEME [-Werror=deprecated-declarations]
142 | code = curl_easy_getinfo(curl, CURLINFO_PROTOCOL, &protocol);
| ^~~~
In file included from ../build/src/import/curl-util.h:4,
from ../build/src/import/pull-job.h:6,
from ../build/src/import/pull-common.h:7,
from ../build/src/import/pull-job.c:16:
/usr/include/curl/curl.h:2896:3: note: declared here
2896 | CURLINFO_PROTOCOL CURL_DEPRECATED(7.85.0, "Use CURLINFO_SCHEME")
| ^~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
Since both CURLINFO_SCHEME and CURLINFO_PROTOCOL were introduced in
the same curl version (7.52.0 [0][1]) we don't have to worry about
backwards compatibility.
[0] https://curl.se/libcurl/c/CURLINFO_SCHEME.html
[1] https://curl.se/libcurl/c/CURLINFO_PROTOCOL.html
(cherry picked from commit 2285c462ebb0b5d9a7043719a4f0d684a5dc37c2)
(cherry picked from commit 4ab37502b35c76441b7be656b67ef53024af8a9f)
(cherry picked from commit c2be553868972c3bfe4033f2e0c90592608c7033)
Inspired by #25957 there's one other place where we don't guard
acl_free() calls with a NULL check.
Fix that.
(cherry picked from commit 34680637e838415204850f77c93ca6ca219abaf1)
(cherry picked from commit 4dabf90526d4573144a51bdd87c1203b25265b33)
(cherry picked from commit d8b4ac7a1783a29435cb3dfee3dfdee37c1b1ac8)
When built with ACL support, we might be processing a tmpfiles
entry where there's no cause for us to call parse_acls_from_arg,
then we get to the end of parse_line without having ever populated
i.{acl_access, acl_default}.
Then we pass a null pointer into acl_free().
From UBSAN w/ GCC 13.0.0_pre20230101:
```
$ systemd-tmpfiles --clean
/var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer
#0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44
#1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855
#2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158
#3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897
#4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985
#5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157
#6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218
#7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289)
#8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
#9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900)
```
(cherry picked from commit 9f804ab04d566ff745849e1c4ced680a0447cf76)
(cherry picked from commit a11a949c43def70ec5d3f57f561884c3f652603e)
(cherry picked from commit 455193605d22a171c0f9b599a105be9ac18f433f)
Let's pass USEC_INFINITY from sd_event_source_set_time_relative() to
sd_event_source_set_time() instead of raising EOVERFLOW.
We should raise EOVERFLOW only if your addition fails, but not if the
input already is USEC_INFINITY, since it's an entirely valid operation
to have an infinite time-out, and we should support that.
(cherry picked from commit ef8591951aefccb668201f24aa481aa6cda834da)
(cherry picked from commit 9769d84fe51573b4f2d5cb8f76664e886c7daf88)
(cherry picked from commit 5fe49d0fb88b779d5096713627ce54757bff70b2)
(cherry picked from commit dd003f1621967f114a6a808bb1f729386dc3a154)
(cherry picked from commit 8ec0142c1345d86e2b169ebb80ae49f40610a778)
(cherry picked from commit 04d29e1c903cba5bfbf9b326e7927e44e8b2d782)
The second argument to dump_list() actually ends up in a TABLE_FIELD
cell now, where we implicitly append a ":". Hence drop it from the
strings.
Follow-up for: 37a50123fac050c7ccde4afcf3f37ee77aad012c
(cherry picked from commit ef503f1cec53f654780591adee6e3e223b575f56)
(cherry picked from commit c01cdcfb8a38e8e0eadf6feab71fe6547b1acc1d)
(cherry picked from commit 2ac8824885ebbcea89a0e90e2bd9ae00e3580b28)
Previously, if a client disconnected after sending a lookup request but
before waiting for the reply we'd log at LOG_ERR level. That's
confusing, since it's entirely OK for the client to lose interest.
Hence, let's downgrade to debug level.
Fixes: #25892
(cherry picked from commit 40557509be084f27d48bc5fc51286a664b96942e)
(cherry picked from commit a3ceaf0f1d844b27c2b11704b43e9da59a0ef39d)
(cherry picked from commit 51d6ffb854dc14de463c291ceffe093221972707)
cannot pass false as argument because function wants a pointer to bool
instead, use NULL instead
(cherry picked from commit 2cc697d7400446a7ea823bc38061501cd85b046a)
(cherry picked from commit e78a1489a8c2b398ad30a8d868754601876ba3d2)
(cherry picked from commit d857665a54cb8a959d19786c198acf2426563381)
GCC-13 -std=gnu2x FTBS with:
error: incompatible type for argument 3 of ‘_hashmap_free’
(cherry picked from commit a4a1569ff1e9ab62996f8b42dcc14a09f91b5715)
(cherry picked from commit 921bff2f856762c4c98912394f1b6b54ed063bbd)
(cherry picked from commit db147b6d2b6ab3b2983ddd8cd0c7b2fa3513f8ab)
../src/basic/cgroup-util.c: In function ‘skip_session’:
../src/basic/cgroup-util.c:1241:32: error: incompatible types when returning type ‘_Bool’ but ‘const char *’ was expected
1241 | return false;
(cherry picked from commit db8e720984269a050a7a78aeb503a7402ef567f7)
(cherry picked from commit ad647734c7cffeab0f44b12411f0e123083e9db1)
(cherry picked from commit 9ca9f95122c8bf31e95095afa2d9468d3f4bd5b1)
(cherry picked from commit 0941ccae3cf28d84db87fb9d50cc10750bc1c962)
(cherry picked from commit addeb4699353636a5f48442dedb624602c370d69)
(cherry picked from commit 3fe7a6534c11706390a096cb6e7a1c00e7f80028)
(cherry picked from commit 8b23242989b7048b2a4439068c4804e457bbd7a8)
(cherry picked from commit ec82fdc645b0c9689167764f6627189cf0cf2495)
(cherry picked from commit 688bc823e2ba9b928d2a02a89e6941fee38f70b4)
We treat any negative value as "invalid fd", but signalfd only
accepts -1.
(cherry picked from commit cbff793ffb280d9d11e5d7b1dc3964276491bee8)
(cherry picked from commit 54c840ea58c578060e941f754a4fed2931483820)
(cherry picked from commit 4178457f0ec07452f856894988e5490bbc91cc36)
If the page size of a swap space doesn't match the page size of the
currently running kernel, swapon will fail. Let's instruct it to
reinitialize the swap space instead.
(cherry picked from commit cc137d53e36da5e57b060be5e621864f572b2cac)
(cherry picked from commit a0ac79bce9255cf33b0f208b18d888f0f700133c)
(cherry picked from commit 8be5a12c7170ed7e7b4303c16573e463ef997e23)
(cherry picked from commit 5e5fce3e918ebba5d0cbf0b64bb97f0eaeae70a3)
(cherry picked from commit 613994c10b19f02c0764aa1d5865730f3af99267)
(cherry picked from commit 46a7e30cb9f274763657d40193c2a03a02c687ab)
This ensures that services with `RemainAfterExit` but without any
process running won't cause failure during freeze.
(cherry picked from commit fcb0878f7563df9701a4d066378995c0b7ec32be)
(cherry picked from commit 2eb040f36f65c316c0d015d024faf9d27db10821)
(cherry picked from commit 9a0bd2ff7004fbc3c801430ec48054a48ae77b59)
Explicitly set __attribute__ ((noinline)) so that the compiler does not
attempt to inline expand_to_usable, even with LTO.
(cherry picked from commit 4f79f545b3c46c358666c9f5f2b384fe50aac4b4)
(cherry picked from commit e998c9d7c1a52ab02ff6e9c363c1cfe0b76cd6f4)
(cherry picked from commit 40146884585707fb5e84055d4882f735caac469b)
systemd uses malloc_usable_size() everywhere to use memory blocks
obtained through malloc, but that is abuse since the
malloc_usable_size() interface isn't meant for this kind of use, it is
for diagnostics only. This is also why systemd behaviour is flaky when
built with _FORTIFY_SOURCE.
One way to make this more standard (and hence safer) is to, at every
malloc_usable_size() call, also 'reallocate' the block so that the
compiler can see the larger size. This is done through a dummy
reallocator whose only purpose is to tell the compiler about the larger
usable size, it doesn't do any actual reallocation.
Florian Weimer pointed out that this doesn't solve the problem of an
allocator potentially growing usable size at will, which will break the
implicit assumption in systemd use that the value returned remains
constant as long as the object is valid. The safest way to fix that is
for systemd to step away from using malloc_usable_size() like this.
Resolves#22801.
(cherry picked from commit 7929e180aa47a2692ad4f053afac2857d7198758)
(cherry picked from commit 34b9eddfc12936917fab000b780a451d6277c2b4)
(cherry picked from commit 70653ebeb6aa09ca6e3bad5aacf8ff950bf6d001)
gcc 13 -Wenum-int-mismatch reminds us that enum != int
(cherry picked from commit e14afe31c3e8380496dc85b57103b2f648bc7d43)
(cherry picked from commit ba5f7915d25a400f0651bc9e8546a3ec6a738eaa)
(cherry picked from commit 85ad47e172dcba386234a93103cb6b9f3a77fefc)
Fixes gcc 13 -Wenum-int-mismatch which are enabled by default.
(cherry picked from commit aa70dd624bff6280ab6f2871f62d313bdb1e1bcc)
(cherry picked from commit b1b7667a44c4e8635b6d8dc070fb2446187fcdc5)
(cherry picked from commit ecb0b018d25fa7489c2535f32660a882fc44d3b7)
This reverts commit 64f0e5385139a86f2df7f78fa67ade2075726db5.
On Wed, Dec 21, 2022 at 06:19:08PM +0100, Marius Schwarz wrote:
> That patch made things worse and is disfunctional for both, usb drive and
> password.
>
> No idea if more patches are needed, but this build does not unlock a drive
> at all, if usb is configured.
(cherry picked from commit 253cc95c6439f348bbc39c1fa663880387054d6b)
This function does not expect a password, but a key file path. The
cryptsetup helper binary even calls it that.
No Code changes.
Follow up on: 6e41f4dd916293f35d7d35cea7eed1807d7ea771
Fixes: https://github.com/systemd/systemd/security/code-scanning/81
(cherry picked from commit b7de9651db7bdbb42befa653791980daa50448bb)
In both cases, the json string is short, so we can print it, which is useful
for diagnosing invalid data in packages. But we need escape non-printable
characters.
https://bugzilla.redhat.com/show_bug.cgi?id=2152685
I went over the rest of the codebase, and it seems that other calls to
json_parse() don't have this problem.
(cherry picked from commit c5966ab5bf43b4fb45998760beaffa6c7f9e8a9e)
(cherry picked from commit 57ab4e2d47dd7c03113b66b78175242a597bd0dc)
(cherry picked from commit 6208326afb592e901d5fc8cf1b09fb764e1fdb6b)
When the user starts a program which elevates its permissions via setuid,
setgid, or capabilities set on the file, it may access additional information
which would then be visible in the coredump. We shouldn't make the the coredump
visible to the user in such cases.
Reported-by: Matthias Gerstner <mgerstner@suse.de>
This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
PROC_AUXV. Before the coredump is submitted, it is parsed and if either
at_secure was set (which the kernel will do for processes that are setuid,
setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
is not made accessible to the user. If we can't access this data, we assume the
file should not be made accessible either. In principle we could also access
the auxv data from a note in the core file, but that is much more complex and
it seems better to use the stand-alone file that is provided by the kernel.
Attaching auxv is both convient for this patch (because this way it's passed
between the stages along with other fields), but I think it makes sense to save
it in general.
We use the information early in the core file to figure out if the program was
32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
whether the format of the auxv structure. This test might reject some cases on
fringe architecutes. But the impact would be limited: we just won't grant the
user permissions to view the coredump file. If people report that we're missing
some cases, we can always enhance this to support more architectures.
I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
ppc64el, but not the whole coredump handling.
(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
(cherry picked from commit 9b75a3d0502d6741c8ecb7175794345f8eb3827c)
(cherry picked from commit efca5283dc791a07171f80eef84e14fdb58fad57)
(cherry picked from commit 510a146634f3e095b34e2a26023b1b1f99dcb8c0)
(cherry picked from commit cc2eb7a9b5fd6d9dd8ea35fb045ce6e5e16e1187)
(cherry picked from commit cb044d734c44cd3c05a6e438b5b995b2a9cfa73c)
If udevd broadcasts a processed device with huge amount of properties,
then clients cannot receive the device.
Fixes#24987.
(cherry picked from commit efbd4b3ca84c0426b6ff98d6352f82f3b7c090b2)
(cherry picked from commit cf21555d6df5d9eed0bf5699262deb6e9388b63b)
Previously, interfaces are partially reconfigured in a spurious way.
Let's use the same way as `networkctl reconfigure`.
Hopefully fixes#14987 and #24997.
(cherry picked from commit a39a9ac8065c29330207838b70fe388bde2bc254)
(cherry picked from commit 7eefd2fbb718fde3a03456d7468f72bb86043816)
As reported by @holtmann
(cherry picked from commit 6032283b2fcc4ff6713eb84433a170a71ff84641)
(cherry picked from commit d94f19781816a03178e67b24f4d8d879e7ebcb6d)
Previously, ata_id might not be able to retrieve attributes correctly,
and properties from usb_id were used as a fallback. See issue #24921
and PR #24923. To keep backward compatibility, still we need to create
symlinks based on USB serial.
Fixes#25179.
(cherry picked from commit 479da1107a0d4e2f7ef5cd938512b87a0e45f180)
(cherry picked from commit b61fcaca1b4243f3adac7eb6b6dc39585f1c03a4)
Note that -O0 is deliberately filtered out as we have to compile with at
least -O1 due to #24202.
Fixes: #24323
(cherry picked from commit 7aa4762ce274a1c9a59902b972fa4fdee1b22715)
(cherry picked from commit 23d66a03dec8640e8f8603686c6d0a739084a823)
In https://github.com/containers/podman/issues/16107, starting of a transient
slice unit fails because there's a "global" drop-in
/usr/lib/systemd/user/slice.d/10-oomd-per-slice-defaults.conf (provided by
systemd-oomd-defaults package to install some default oomd policy). This means
that the unit_is_pristine() check fails and starting of the unit is forbidden.
It seems pretty clear to me that dropins at any other level then the unit
should be ignored in this check: we now have multiple layers of drop-ins
(for each level of the cgroup path, and also "global" ones for a specific
unit type). If we install a "global" drop-in, we wouldn't be able to start
any transient units of that type, which seems undesired.
In principle we could reject dropins at the unit level, but I don't think that
is useful. The whole reason for drop-ins is that they are "add ons", and there
isn't any particular reason to disallow them for transient units. It would also
make things harder to implement and describe: one place for drop-ins is good,
but another is bad. (And as a corner case: for instanciated units, a drop-in
in the template would be acceptable, but a instance-specific drop-in bad?)
Thus, $subject.
While at it, adjust the message. All the conditions in unit_is_pristine()
essentially mean that it wasn't loaded (e.g. it might be in an error state),
and that it doesn't have a fragment path (now that drop-ins are acceptable).
If there's a job for it, it necessarilly must have been loaded. If it is
merged into another unit, it also was loaded and found to be an alias.
Based on the discussion in the bugs, it seems that the current message
is far from obvious ;)
Fixes https://github.com/containers/podman/issues/16107,
https://bugzilla.redhat.com/show_bug.cgi?id=2133792.
(cherry picked from commit 1f83244641f13a9cb28fdac7e3c17c5446242dfb)
(cherry picked from commit 98a45608c4bf5aa1ba9b603ac2e5730f13659d88)
Not not IN_SET(…) is just too much for my poor brain. Let's invert
the expression to make it easier to undertand.
(cherry picked from commit b146a7345b69de16e88347acadb3783ffeeaad9d)
(cherry picked from commit 228cd82d2cc9c24d42b2f025c24bfd29e1ce10c3)
We would deadlock when passing the data back from the forked-off process that
was doing backtrace generation back to the coredump parent. This is because we
fork the child and wait for it to exit. The child tries to write too much data
to the output pipe, and and after the first 64k blocks on the parent because
the pipe is full. The bug surfaced in Fedora because of a combination of four
factors:
- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which
allowed coredump processing to be successful.
- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output
was very verbose.
- Fedora has the ELF package metadata available, so a lot of output can be
generated. Most other distros just don't have the information.
- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output
are generated for it.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778.
The code is changed to try to write data opportunistically. If we get partial
information, that is still logged. In is generally better to log partial
backtrace information than nothing at all.
(cherry picked from commit 076b807be472630692c5348c60d0c2b7b28ad437)
(cherry picked from commit 087cbfd9362d15eaa389060baa64bc40d1d7fbd0)
It is useful to distinguish if json_parse_file() got no input or invalid input.
Use different return codes for the two cases.
(cherry picked from commit 87a16eb8b54002a49f12944fc09ce45d0cbadf45)
(cherry picked from commit ab587aaf8e104202e2f5d215950e8f494ce08629)
