IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
shmat() requires the CAP_IPC_OWNER capability. When running test-seccomp
in environments with root + CAP_SYS_ADMIN, but not CAP_IPC_OWNER,
memory_deny_write_execute_shmat would fail. This fixes it.
(cherry picked from commit 7e46a5c093e9e0d2e1ec734058e0caf1725ff37e)
(cherry picked from commit d4ca019870e9c31026c75633be12b5893ffa4ecf)
(cherry picked from commit 9a50c7c1499cb84b068552c503b9139c9e3a2e17)
This fixes a spurious warning from the manager running in user mode:
systemd[1668]: Reached target sockets.target.
systemd[1669]: Failed to create BPF map: Operation not permitted
systemd[1669]: Finished systemd-tmpfiles-setup.service.
systemd[1669]: Listening on dbus.socket.
systemd[1669]: Reached target sockets.target.
systemd[1669]: Reached target basic.target.
systemd[1]: Started user@6.service.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2084955.
(cherry picked from commit ba187c9c9ce9c0d16e09aca8c3d3c38975ce05a9)
This backports the same fix from 6e9165397faa1b546d367bdfc28dd4377a8f1d0a
in systemd upstream that we can't backport directly because that commit
introduces a new feature.
(cherry picked from commit eb76587f33a08c91f025d4c7fa685c44f7b2d332)
3970 e = object_path_startswith(path, prefix);
(gdb) p path
$1 = 0x55c5a166f768 "/org/freedesktop/portable1/image"
(gdb) p prefix
$2 = 0x55c59ffc2928 "/org/freedesktop/portable1/image"
(gdb) p e
$1 = 0x5581a1675788 ""
This can be a bit confusing in certain cases, so add a comment and a
test to make the behaviour clearer and explicit.
(cherry picked from commit 54cd2d6869d20f0df3d8264168e17c31893dc0ca)
I took inspiration from pid1:
bus_unit_find()
→ find_unit()
→ manager_load_unit_from_dbus_path()
→ unit_name_from_dbus_path()
→ !startswith(path, "/org/freedesktop/systemd1/unit/")
→ return -EINVAL
←
←
←
← if (r < 0) return 0
← 0
←
i.e. we return 0 when queried for "/org/freedesktop/systemd1/unit".
Fixes#23445.
(cherry picked from commit 4313e2b69fe1bcddd7b551e171f1fa3554155968)
We always require at least ID to be set in os-release, reject
and propagate error to the caller instead of asserting later
(cherry picked from commit 7b2e763242e7736ef941f275977aa0c30d832c63)
Fixes#23433
matches is plumbed through until it finally gets used in unit_match()
which can deal with NULL matches so the assert() is unnecessary and
can be removed.
The two call sites of extract_image_and_extensions() also don't
assert() on matches either.
(cherry picked from commit 1751d8c80cef40777b782c737947b4e86d99e7d6)
Otherwise, dns_transaction_requires_nsec() may not find no required
transaction, and return true. That sets
`answer_dnssec_result = DNSSEC_NO_SIGNATURE`, and the entire transaction fails.
Fixes#21414.
(cherry picked from commit 26b23d11870185b2ddab51bb1684d6761e8aa553)
rpms can be installed in two different modes: into a chroot, where the system
is not running, and onto a live system. In the first mode, where should create
all changes that are "permanent", and in the second mode, all changes which are
"permanent" but also those which only affect the running system. Thus, changes
like new modprobe rules, tmpfiles rules, binfmt rules, udev rules, etc., are
guarded by 'test -d "/run/systemd/system"' which is the official way to check
if systemd is running, so that they are *not* executed when installed into a
chroot. But the same logic does not apply to sysusers, hwdb, and the journal
catalog: all those files can and should result in changes being performed
immediately to the system. This makes the creation of immutable images possible
(because there are no permanent changes to executed after a reboot), and allows
other packages to depend on the the effect of those changes.
Thus, the guard to check if we're not in a chroot is dropped from triggers for
sysusers, hwdb, and the journal catalog. This means that those triggers will
execute, and no subsequent work is needed. systemd-sysusers.service,
systemd-journal-catalog-update.service, and systemd-hwdb-update.service.in all
have ConditionNeedsUpdate= so they they generally won't be invoked after a
reboot. (systemd.rpm does not touch /usr to trigger the condition, because the
%transfiletriggers make that unnecessary.)
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=2085481
(cherry picked from commit 2fd7ecd2da699d2fece777062e408b62162768f6)
When `exist->rr` and `rr` point to the same object, then it may be freed by
the `dns_resource_record_unref()`.
(cherry picked from commit 4ce30e4de05971ea93bc727695000d0025eb1591)
This is trivially exploitable (in the sense of causing a crash from SEGV) e.g.
by 'shutdown now "Message %s %s %n"'. The message is settable through polkit,
but is limited to auth_admin:
<action id="org.freedesktop.login1.set-wall-message">
<description gettext-domain="systemd">Set a wall message</description>
<message gettext-domain="systemd">Authentication is required to set a wall message</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>auth_admin_keep</allow_active>
</defaults>
</action>
Bug introduced in 9ef15026c0e7e6600372056c43442c99ec53746e
('logind/systemctl: introduce SetWallMessage and --message', 2015-09-15).
Based on 0cb09bcb825ab86ba4ca70be4e6322eaf9baee95.
test-execute checks that only /var/lib/private/waldo is writable, but there are
some filesystems that are always writable and excluded. Add /sys/devices/system/cpu
which is created by lxcfs.
Fixes https://github.com/systemd/systemd/issues/23263
(cherry picked from commit 646cba5c4208c28c56dbe52d676ab1a176c69b7f)
This normally wouldn't happen, but if some of those places were called
with lhs and rhs being the same object, we could unref the last ref first,
and then try to take the ref again. It's easier to be safe, and with the
helper we save some lines too.
(cherry picked from commit ce913e0ec4c97651c7c1509b72fb81ee61d80c6a)
We'd connect to the bus twice: the first time to check networkd namespace,
and then the second time to do the deed we were asked to do. It's nicer
to open the bus just once, for efficience and also to avoid the open call
in all functions.
An ASSERT_PTR helper is added:
- sd_bus *bus = userdata;
...
- assert(bus);
+ sd_bus *bus = ASSERT_PTR(userdata);
...
It can be used in other place too, but I'm leaving that for a later
refactoring.
(cherry picked from commit d821e40ca96d2b14216f7a18e4512364bfb83628)
We need to increase the counter immediately after taking the ref,
otherwise we may not unref it properly if we fail before incrementing.
(cherry picked from commit 7e4be6a5845f983a299932d4ccb2c4349cf8dd52)
We canonicalize repeats that cover the whole range: "0:0:0/1" → "0:0:*". But
we'd also do "0:0:0/1,0" → "0:0:*,0", which we then refuse to parse. Thus,
first go throug the whole chain, and print a '*' and nothing else if any of the
components covers the whole range.
(cherry picked from commit 8e1e59b9ade5b737e24a76bae1944ce84acf564c)
0..3 is not the same as 0..infinity, we need to check both ends of the range.
This logic was added in 3215e35c405278491f55fb486d349f132e93f516, and back then
the field was called .value. .stop was added later and apparently wasn't taken
into account here.
(cherry picked from commit 3aff2ae9d5427498f673bcb086d3439d2047e6c9)
Let's avoid ambigituies here. (Interesting that the current users
compiled at all, in fact)
(cherry picked from commit b501e42e7137fc890e02f18046edb2262df643f9)
Follow-up for 337712e777bff389f53e26d5b378d2ceba7d98a8, aka "the great
un-long-double-ification of 2021".
(cherry picked from commit f9a1fd2a3b2d8212ba84ef1c3b55657ced34475e)
