IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
semaphore CI runs are always very close to the limit of 1hr, and often
time out when it's particularly oversubscribed.
Skip some low-value test cases to shorten the runtime.
(cherry picked from commit e19cae12ff)
(cherry picked from commit e768cf55b1)
In the example from systemd-measure(1), do not bind to PCR 7 in
addition to the PCR policy.
As long as this is still done by default, see #35280.
(cherry picked from commit 693038fce4)
(cherry picked from commit 926f5ab6bf)
Otherwise it doesn't hold that VLANs 100-400 are allowed (because 201-299 are disallowed).
(cherry picked from commit ae2f3af639)
(cherry picked from commit 9fad72cc52)
Document the fact that read-only properties may not have the flag
SD_BUS_VTABLE_UNPRIVILEGED as that is not obvious especially given the
flag is accepted for writable properties.
Based on the check in `add_object_vtable_internal` called by
`sd_bus_add_object_vtable` (as of the current tip of the main branch
f7f5ba0192):
case _SD_BUS_VTABLE_PROPERTY: {
[...]
if ([...] ||
[...]
(v->flags & SD_BUS_VTABLE_UNPRIVILEGED && v->type == _SD_BUS_VTABLE_PROPERTY)) {
r = -EINVAL;
goto fail;
}
(where `_SD_BUS_VTABLE_PROPERTY` means read-only property whereas
`_SD_BUS_VTABLE_WRITABLE_PROPERTY` maps to writable property).
This was implemented in the commit
adacb9575a ("bus: introduce "trusted" bus
concept and encode access control in object vtables") where
`SD_BUS_VTABLE_UNPRIVILEGED` was introduced:
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED
and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them.
Note however that read access is unrestricted, as PropertiesChanged
messages might send out the values anyway as an unrestricted
broadcast.
(cherry picked from commit 3ca09aa4dd)
(cherry picked from commit cd727031a4)
In Arch the hostname binary is in a different package
Follow-up for cf48bde7ae
(cherry picked from commit 446d737cba)
(cherry picked from commit e1659133e7)
To reproduce, as an unprivileged user start a docker container and build
and run the unit tests inside it:
$ docker run --rm -ti debian:bookworm bash
...
/* test_close_all_fds */
Successfully forked off '(caf-plain)' as PID 10496.
Skipping PR_SET_MM, as we don't have privileges.
(caf-plain) succeeded.
Failed to fork off '(caf-noproc)': Operation not permitted
Assertion 'r >= 0' failed at src/test/test-fd-util.c:392, function test_close_all_fds(). Aborting.
Partially fixes#35552
(cherry picked from commit 630a2e7ee1)
(cherry picked from commit 5573ac7d9c)
have ambient caps: yes
Capabilities:cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep
Failed to drop auxiliary groups list: Operation not permitted
Failed to change group ID: Operation not permitted
Capabilities:cap_dac_override,cap_net_raw=ep
Capabilities:cap_dac_override=ep
Successfully forked off '(getambient)' as PID 12505.
Skipping PR_SET_MM, as we don't have privileges.
Ambient capability cap_linux_immutable requested but missing from bounding set, suppressing automatically.
Assertion 'x < 0 || FLAGS_SET(c, UINT64_C(1) << CAP_LINUX_IMMUTABLE)' failed at src/test/test-capability.c:273, function test_capability_get_ambient(). Aborting.
(getambient) terminated by signal ABRT.
src/test/test-capability.c:258: Assertion failed: expected "r" to succeed, but got error: Protocol error
Partially fixes#35552
(cherry picked from commit 058a07635f)
(cherry picked from commit d80ab6aed6)
TEST-75-RESOLVED fails on Ubuntu autopkgtest due to this warning from
knot:
notice: config, policy 'auto_rollover_nsec3' depends on default nsec3-salt-length=8, since version 3.5 the default becomes 0
Explicitly set nsec3-salt-length=8 to silence.
(cherry picked from commit 59e5108fb4)
(cherry picked from commit 1b945fb1a7)
I forgot to do this before tagging. Let's still do this, for two reasons:
- packagers can easily include the patch if they haven't built yet,
- doing the bump reduces the chances of somebody doing an off-by-one bump
for the next release.
This tmpfiles.d wants to write to sysfs, which is read-only in containers,
so systemd-tmpfiles --create fails in TEST-22-TMPFILES when ran in nspawn
if the selinux policy package is instealled. Mask it, as it's not our
config file, we don't need it in the test.
(cherry picked from commit 6fd3496cfd)
Add the `arm_fadvise64_64` syscall to the allow_list, in addition
to the existing `fadvise64` and `fadvise64_64` syscalls, as this is
the syscall actually defined for `arm` architecture. Adding it fixes
the syscall being rejected in arm32 containers.
Fixes#35194
(cherry picked from commit 7fd70a5326)
We usually want to use "extended booleans" for cases like this, i.e.
that "off", "no" and "0" can be used interchangably for turning
something off.
(cherry picked from commit 62f3e2f84a)
Otherwise the root inode will typically have what mkdtemp sets up, which
is something like 0700, which is weird and somewhat broken when trying
to look into containers from unpriv users.
(cherry picked from commit c18a102464)
When registering we condition this on "arg_register". Let's do the same
when unregistering, otherwise we might end up trying to unregister a
machine we never registered.
(cherry picked from commit 0790f4e45f)
When determining the poll events to wait for we need to take the queue
of pending messages that carry fds into account. Otherwise we might end
up not waking up if such an fd-carrying message is enqueued
asynchronously (i.e. not from a dispatch callback).
(cherry picked from commit 7b4b3a8f7b)
This page contains many short example codes. I do not think we should
add SPDX-License-Identifier for all codes.
Closes#35356.
(cherry picked from commit 6046cc3660)
This partially reverts the commit 405be62f05
"tree-wide: refuse enumerated device with ID_PROCESSING=1".
Otherwise, when systemd-udev-trigger.service is (re)started just before
daemon-reexec, which can be easily happen on systemd package update, then
udev database files for many devices may have ID_PROCESSING=1 property,
thus devices may not be enumerated on daemon-reexec. That causes many
units especially mount units being deactivated after daemon-reexec.
Fixes#35329.
(cherry picked from commit c4fc22c4de)
Those are historical names, but there is nothing wrong with them. The files on
/ (/fastboot, /forcefsck, and /forcequotacheck) are problematic because they
require a modification of the root file system. But the commandline params work
fine. They have the obvious advantage compared to our "modern" option that they
are much easier to type without looking up the spelling in the docs. Undeprecate
them to avoid unnecessary churn.
(cherry picked from commit 5598454a3f)
"nsenter -a" doesn't migrate the specified process into the target
cgroup (it really should). Thus the cgroup will remain in a cgroup
that is (due to cgroup ns) outside our visibility. The kernel will
report the cgroup path of such cgroups as starting with "/../". Detect
that and print a reasonably error message instead of trying to resolve
that.
(cherry picked from commit f6793bbcf0)
Currently, get_fixed_user() employs USER_CREDS_SUPPRESS_PLACEHOLDER,
meaning home path is set to NULL if it's empty or root. However,
the path is also used for applying WorkingDirectory=~, and we'd
spuriously use the invoking user's home as fallback even if
User= is changed in that case.
Let's instead delegate such suppression to build_environment(),
so that home is proper initialized for usage at other steps.
shell doesn't actually suffer from such problem, but it's changed
too for consistency.
Alternative to #34789
(cherry picked from commit b718b86e1b)
systemd-sysext has the same check, but it was forgotten for confexts.
Needed to activate confexts from the ESP in the initrd.
(cherry picked from commit fe077a1a58)
```
$ systemd-cryptenroll /dev/vda3
SLOT TYPE
0 password
$ systemd-cryptenroll --wipe-slot 1 /dev/vda3
Failed to wipe slot 1, continuing: No such file or directory
```
(cherry picked from commit 2b251491de)
"systemctl status systemd-logind" otherwise looks a bit weird, since the
tasks and the fdstore lines are so close to each other but formatted
quite differently when it comes to coloring.
(cherry picked from commit 54646b1ca9)