!214 update master to v249

From: @yangmingtaip 
Reviewed-by: @overweight 
Signed-off-by: @overweight
openeuler-ci-bot 2022-02-22 01:38:42 +00:00 committed by Gitee
commit a3b7cc374e
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
24 changed files with 1263 additions and 446 deletions


@ -1,42 +0,0 @@
From f58c5ced373c2532b5cc44ba2e0c3a28b41472f2 Mon Sep 17 00:00:00 2001
From: Jan Synacek <jsynacek@redhat.com>
Date: Tue, 15 May 2018 09:24:20 +0200
Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's
will
Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather
adds an After relationship.
Resolves: #1578772
---
src/core/unit.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 2b86fdedfd..2c804c8486 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -1090,13 +1090,14 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
}
if (c->private_tmp) {
- const char *p;
- FOREACH_STRING(p, "/tmp", "/var/tmp") {
- r = unit_require_mounts_for(u, p, UNIT_DEPENDENCY_FILE);
- if (r < 0)
- return r;
- }
+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
+
+ r = unit_require_mounts_for(u, "/var/tmp", UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_TMPFILES_SETUP_SERVICE, true, UNIT_DEPENDENCY_FILE);
if (r < 0)
--
2.23.0


@ -14,7 +14,7 @@ don't touch it in that case either.
https://bugzilla.redhat.com/show_bug.cgi?id=1313085
---
src/resolve/resolved.c | 5 +++++
tmpfiles.d/etc.conf.m4 | 3 ---
tmpfiles.d/etc.conf.in | 3 ---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
@ -33,19 +33,19 @@ index 50989a6b0a..95a51a574a 100644
/* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */
r = drop_privileges(uid, gid,
(UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4
diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in
index f82e0b82ce..66a777bdb2 100644
--- a/tmpfiles.d/etc.conf.m4
+++ b/tmpfiles.d/etc.conf.m4
--- a/tmpfiles.d/etc.conf.in
+++ b/tmpfiles.d/etc.conf.in
@@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts
m4_ifdef(`HAVE_SMACK_RUN_LABEL',
{% if HAVE_SMACK_RUN_LABEL %}
t /etc/mtab - - - - security.SMACK64=_
)m4_dnl
-m4_ifdef(`ENABLE_RESOLVE',
{% endif %}
-{% if ENABLE_RESOLVE %}
-L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf
-)m4_dnl
-{% endif %}
C! /etc/nsswitch.conf - - - -
m4_ifdef(`HAVE_PAM',
{% if HAVE_PAM %}
C! /etc/pam.d - - - -
--
2.23.0


@ -0,0 +1,53 @@
From 07e13151c566588b5f679e2576d3dfc2125c6e7c Mon Sep 17 00:00:00 2001
From: huangkaibin <huangkaibin@huawei.com>
Date: Sun, 22 Apr 2018 18:49:19 +0800
Subject: [PATCH] systemd-core: nop_job of a unit must also be coldpluged
after deserization.
When a unit is not in-active, and systemctl try-restart is executed for
this unit,
systemd will do nothing for it and just accept it as a nop_job for the
unit.
When then nop-job is still in the running queue, then daemon-reload is
performed, this nop job
will be dropped from the unit since it is not coldpluged in the
unit_coldplug function.
After then, the systemctl try-restart command will hang forever since no
JOB_DONE dbus signal will be sent
to it from systemd.
This patch fix this problem by do coldplug for the nop_job in
unit_coldplug function.
---
src/core/unit.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index 0a2f3c8..b9bd102 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3601,11 +3601,17 @@ int unit_coldplug(Unit *u) {
r = q;
}
- uj = u->job ?: u->nop_job;
- if (uj) {
- q = job_coldplug(uj);
- if (q < 0 && r >= 0)
- r = q;
+ if (u->job || u->nop_job) {
+ if (u->job) {
+ q = job_coldplug(u->job);
+ if (q < 0 && r >= 0)
+ r = q;
+ }
+ if (u->nop_job) {
+ q = job_coldplug(u->nop_job);
+ if (q < 0 && r >= 0)
+ r = q;
+ }
}
return r;
--
2.27.0
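Review bot: The outer `if (u->job || u->nop_job)` guard in the added unit_coldplug() block is redundant, because each inner branch already tests its own pointer; the two inner `if` blocks alone behave the same and sit one nesting level shallower. With `uj = u->job ?: u->nop_job;` removed, the `uj` local is presumably left unused (its declaration is outside the hunk) and should be dropped to avoid an unused-variable warning. A short comment such as `/* Coldplug the nop job as well, it is tracked independently of u->job */` would record why the old `?:` shortcut was not enough. unit_coldplug()'s body starts outside the hunk.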


@ -1,99 +0,0 @@
From 428a9f6f1d0396b9eacde2b38d667cbe3f15eb55 Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Mon, 16 Nov 2020 15:12:21 +0100
Subject: [PATCH] core: serialize u->pids until the processes have been moved
to the scope cgroup
Otherwise if a daemon-reload happens somewhere between the enqueue of the job
start for the scope unit and scope_start() then u->pids might be lost and none
of the processes specified by "PIDs=" will be moved into the scope cgroup.
---
src/core/scope.c | 37 +++++++++++++++++++++++++++++++++++--
1 file changed, 35 insertions(+), 2 deletions(-)
diff --git a/src/core/scope.c b/src/core/scope.c
index a4db272f93..a372f8d726 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -8,6 +8,7 @@
#include "dbus-unit.h"
#include "load-dropin.h"
#include "log.h"
+#include "process-util.h"
#include "scope.h"
#include "serialize.h"
#include "special.h"
@@ -235,8 +236,18 @@ static int scope_coldplug(Unit *u) {
if (r < 0)
return r;
- if (!IN_SET(s->deserialized_state, SCOPE_DEAD, SCOPE_FAILED))
- (void) unit_enqueue_rewatch_pids(u);
+ if (!IN_SET(s->deserialized_state, SCOPE_DEAD, SCOPE_FAILED)) {
+ if (u->pids) {
+ void *pidp;
+
+ SET_FOREACH(pidp, u->pids) {
+ r = unit_watch_pid(u, PTR_TO_PID(pidp), false);
+ if (r < 0 && r != -EEXIST)
+ return r;
+ }
+ } else
+ (void) unit_enqueue_rewatch_pids(u);
+ }
bus_scope_track_controller(s);
@@ -366,6 +377,10 @@ static int scope_start(Unit *u) {
return r;
}
+ /* Now u->pids have been moved into the scope cgroup, it's not needed
+ * anymore. */
+ u->pids = set_free(u->pids);
+
s->result = SCOPE_SUCCESS;
scope_set_state(s, SCOPE_RUNNING);
@@ -427,6 +442,7 @@ static int scope_get_timeout(Unit *u, usec_t *timeout) {
static int scope_serialize(Unit *u, FILE *f, FDSet *fds) {
Scope *s = SCOPE(u);
+ void *pidp;
assert(s);
assert(f);
@@ -438,6 +454,9 @@ static int scope_serialize(Unit *u, FILE *f, FDSet *fds) {
if (s->controller)
(void) serialize_item(f, "controller", s->controller);
+ SET_FOREACH(pidp, u->pids)
+ serialize_item_format(f, "pids", PID_FMT, PTR_TO_PID(pidp));
+
return 0;
}
@@ -473,6 +492,20 @@ static int scope_deserialize_item(Unit *u, const char *key, const char *value, F
if (r < 0)
return log_oom();
+ } else if (streq(key, "pids")) {
+ pid_t pid;
+
+ if (parse_pid(value, &pid) < 0)
+ log_unit_debug(u, "Failed to parse pids value: %s", value);
+ else {
+ r = set_ensure_allocated(&u->pids, NULL);
+ if (r < 0)
+ return r;
+
+ r = set_put(u->pids, PID_TO_PTR(pid));
+ if (r < 0)
+ return r;
+ }
} else
log_unit_debug(u, "Unknown serialization key: %s", key);
--
2.23.0


@ -1,108 +0,0 @@
From 80e9720616df0eeaba75874fd86fbfbe8b7a03a7 Mon Sep 17 00:00:00 2001
From: Yangyang Shen <shenyangyang4@huawei.com>
Date: Wed, 24 Mar 2021 21:23:01 +0800
Subject: [PATCH] journald: enforce longer line length limit during "setup"
phase of stream protocol
This PR made modification on Lennart Poettering's basis. Fix the LineMax's function failure problem.
Signed-off-by: Yangyang Shen <shenyangyang4@huawei.com>
---
src/journal/journald-stream.c | 35 ++++++++++++++++++++++++++++-------
1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
index 385dc4b..85723f5 100644
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -39,6 +39,12 @@
#define STDOUT_STREAMS_MAX 4096
+/* During the "setup" protocol phase of the stream logic let's define a different maximum line length than
+ * during the actual operational phase. We want to allow users to specify very short line lengths after all,
+ * but the unit name we embed in the setup protocol might be longer than that. Hence, during the setup phase
+ * let's enforce a line length matching the maximum unit name length (255) */
+#define STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX (UNIT_NAME_MAX-1U)
+
typedef enum StdoutStreamState {
STDOUT_STREAM_IDENTIFIER,
STDOUT_STREAM_UNIT_ID,
@@ -47,7 +53,7 @@ typedef enum StdoutStreamState {
STDOUT_STREAM_FORWARD_TO_SYSLOG,
STDOUT_STREAM_FORWARD_TO_KMSG,
STDOUT_STREAM_FORWARD_TO_CONSOLE,
- STDOUT_STREAM_RUNNING
+ STDOUT_STREAM_RUNNING,
} StdoutStreamState;
/* The different types of log record terminators: a real \n was read, a NUL character was read, the maximum line length
@@ -468,6 +474,18 @@ static int stdout_stream_found(
return r;
}
+static size_t stdout_stream_line_max(StdoutStream *s) {
+ assert(s);
+
+ /* During the "setup" phase of our protocol, let's ensure we use a line length where a full unit name
+ * can fit in */
+ if (s->state != STDOUT_STREAM_RUNNING)
+ return STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX;
+
+ /* After the protocol's "setup" phase is complete, let's use whatever the user configured */
+ return s->server->line_max;
+}
+
static int stdout_stream_scan(
StdoutStream *s,
char *p,
@@ -475,19 +493,22 @@ static int stdout_stream_scan(
LineBreak force_flush,
size_t *ret_consumed) {
- size_t consumed = 0;
+ size_t consumed = 0, line_max;
int r;
assert(s);
assert(p);
+ line_max = stdout_stream_line_max(s);
+
for (;;) {
LineBreak line_break;
size_t skip, found;
char *end1, *end2;
+ size_t tmp_remaining = MIN(remaining, line_max);
- end1 = memchr(p, '\n', remaining);
- end2 = memchr(p, 0, end1 ? (size_t) (end1 - p) : remaining);
+ end1 = memchr(p, '\n', tmp_remaining);
+ end2 = memchr(p, 0, end1 ? (size_t) (end1 - p) : tmp_remaining);
if (end2) {
/* We found a NUL terminator */
@@ -499,9 +520,9 @@ static int stdout_stream_scan(
found = end1 - p;
skip = found + 1;
line_break = LINE_BREAK_NEWLINE;
- } else if (remaining >= s->server->line_max) {
+ } else if (remaining >= line_max) {
/* Force a line break after the maximum line length */
- found = skip = s->server->line_max;
+ found = skip = line_max;
line_break = LINE_BREAK_LINE_MAX;
} else
break;
@@ -563,7 +584,7 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
/* Try to make use of the allocated buffer in full, but never read more than the configured line size. Also,
* always leave room for a terminating NUL we might need to add. */
- limit = MIN(s->allocated - 1, s->server->line_max);
+ limit = MIN(s->allocated - 1, MAX(s->server->line_max, STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX));
assert(s->length <= limit);
iovec = IOVEC_MAKE(s->buffer + s->length, limit - s->length);
--
1.8.3.1


@ -1,49 +0,0 @@
From e9eec8b5d2c106c5dd51382a155e6045c7c17c1a Mon Sep 17 00:00:00 2001
From: Franck Bui <fbui@suse.com>
Date: Mon, 30 Nov 2020 15:26:15 +0100
Subject: [PATCH] scope: on unified, make sure to unwatch all PIDs once they've
been moved to the cgroup scope
Commit 428a9f6f1d0396b9eacde2b38d667cbe3f15eb55 freed u->pids which is
problematic since the references to this unit in m->watch_pids were no more
removed when the unit was freed.
This patch makes sure to clean all this refs up before freeing u->pids by
calling unit_unwatch_all_pids().
---
src/core/scope.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/src/core/scope.c b/src/core/scope.c
index 654702ca3b..a247da206f 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -375,10 +375,6 @@ static int scope_start(Unit *u) {
return r;
}
- /* Now u->pids have been moved into the scope cgroup, it's not needed
- * anymore. */
- u->pids = set_free(u->pids);
-
s->result = SCOPE_SUCCESS;
scope_set_state(s, SCOPE_RUNNING);
@@ -386,7 +382,13 @@ static int scope_start(Unit *u) {
/* Set the maximum runtime timeout. */
scope_arm_timer(s, usec_add(UNIT(s)->active_enter_timestamp.monotonic, s->runtime_max_usec));
- /* Start watching the PIDs currently in the scope */
+ /* On unified we use proper notifications hence we can unwatch the PIDs
+ * we just attached to the scope. This can also be done on legacy as
+ * we're going to update the list of the processes we watch with the
+ * PIDs currently in the scope anyway. */
+ unit_unwatch_all_pids(u);
+
+ /* Start watching the PIDs currently in the scope (legacy hierarchy only) */
(void) unit_enqueue_rewatch_pids(u);
return 1;
}
--
2.23.0


@ -0,0 +1,40 @@
From 2426beacca09d84091759be45b25c88116302184 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 5 Oct 2021 10:32:56 +0200
Subject: [PATCH 2/6] rm-rf: optionally fsync() after removing directory tree
(cherry picked from commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2)
---
src/shared/rm-rf.c | 3 +++
src/shared/rm-rf.h | 1 +
2 files changed, 4 insertions(+)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index dffb9cf6ee..5ef7c662dd 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -250,6 +250,9 @@ int rm_rf_children(
ret = r;
}
+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
+ ret = -errno;
+
return ret;
}
diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h
index 577a2795e0..24fd9a2aa2 100644
--- a/src/shared/rm-rf.h
+++ b/src/shared/rm-rf.h
@@ -14,6 +14,7 @@ typedef enum RemoveFlags {
REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
REMOVE_CHMOD = 1 << 5, /* chmod() for write access if we cannot delete or access something */
REMOVE_CHMOD_RESTORE = 1 << 6, /* Restore the old mode before returning */
+ REMOVE_SYNCFS = 1 << 7, /* syncfs() the root of the specified directory after removing everything in it */
} RemoveFlags;
int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags);
--
2.27.0
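Review bot: The added `syncfs(dirfd(d))` at the end of rm_rf_children() appears to run once per directory rather than once per tree when REMOVE_SYNCFS is set, because the nested call made for each subdirectory passes the caller's flags on (`flags | REMOVE_PHYSICAL`, visible in the refactoring patch of this series). That does not match the new enum comment in rm-rf.h, which speaks of the root of the specified directory, and a filesystem-wide sync per nested directory can be very slow on deep trees. Either clear the bit when descending, e.g. `(flags | REMOVE_PHYSICAL) & ~REMOVE_SYNCFS`, or reword the enum comment to say the sync happens after every directory. The function body starts outside the hunk.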


@ -0,0 +1,321 @@
From ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 26 Jan 2021 16:30:06 +0100
Subject: [PATCH 1/6] rm-rf: refactor rm_rf_children(), split out body of
directory iteration loop
This splits out rm_rf_children_inner() as body of the loop. We can use
that to implement rm_rf_child() for deleting one specific entry in a
directory.
(cherry picked from commit 1f0fb7d544711248cba34615e43c5a76bc902d74)
---
src/shared/rm-rf.c | 223 ++++++++++++++++++++++++++-------------------
src/shared/rm-rf.h | 3 +-
2 files changed, 131 insertions(+), 95 deletions(-)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 900a7fb5ff..dffb9cf6ee 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -19,6 +19,9 @@
#include "stat-util.h"
#include "string-util.h"
+/* We treat tmpfs/ramfs + cgroupfs as non-physical file sytems. cgroupfs is similar to tmpfs in a way after
+ * all: we can create arbitrary directory hierarchies in it, and hence can also use rm_rf() on it to remove
+ * those again. */
static bool is_physical_fs(const struct statfs *sfs) {
return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
}
@@ -113,133 +116,145 @@ int fstatat_harder(int dfd,
return 0;
}
-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
- _cleanup_closedir_ DIR *d = NULL;
- struct dirent *de;
- int ret = 0, r;
- struct statfs sfs;
+static int rm_rf_children_inner(
+ int fd,
+ const char *fname,
+ int is_dir,
+ RemoveFlags flags,
+ const struct stat *root_dev) {
- assert(fd >= 0);
+ struct stat st;
+ int r;
- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
- * fd, in all cases, including on failure.. */
+ assert(fd >= 0);
+ assert(fname);
- if (!(flags & REMOVE_PHYSICAL)) {
+ if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
- r = fstatfs(fd, &sfs);
- if (r < 0) {
- safe_close(fd);
- return -errno;
- }
+ r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags);
+ if (r < 0)
+ return r;
- if (is_physical_fs(&sfs)) {
- /* We refuse to clean physical file systems with this call,
- * unless explicitly requested. This is extra paranoia just
- * to be sure we never ever remove non-state data. */
- _cleanup_free_ char *path = NULL;
+ is_dir = S_ISDIR(st.st_mode);
+ }
- (void) fd_get_path(fd, &path);
- log_error("Attempted to remove disk file system under \"%s\", and we can't allow that.",
- strna(path));
+ if (is_dir) {
+ _cleanup_close_ int subdir_fd = -1;
+ int q;
- safe_close(fd);
- return -EPERM;
- }
- }
+ /* if root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+ return 0;
- d = fdopendir(fd);
- if (!d) {
- safe_close(fd);
- return errno == ENOENT ? 0 : -errno;
- }
+ /* Stop at mount points */
+ r = fd_is_mount_point(fd, fname, 0);
+ if (r < 0)
+ return r;
+ if (r > 0)
+ return 0;
- FOREACH_DIRENT_ALL(de, d, return -errno) {
- bool is_dir;
- struct stat st;
+ if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) {
- if (dot_or_dot_dot(de->d_name))
- continue;
+ /* This could be a subvolume, try to remove it */
- if (de->d_type == DT_UNKNOWN ||
- (de->d_type == DT_DIR && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
- r = fstatat_harder(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW, flags);
+ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
if (r < 0) {
- if (ret == 0 && r != -ENOENT)
- ret = r;
- continue;
- }
+ if (!IN_SET(r, -ENOTTY, -EINVAL))
+ return r;
- is_dir = S_ISDIR(st.st_mode);
- } else
- is_dir = de->d_type == DT_DIR;
+ /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
+ } else
+ /* It was a subvolume, done. */
+ return 1;
+ }
- if (is_dir) {
- _cleanup_close_ int subdir_fd = -1;
+ subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (subdir_fd < 0)
+ return -errno;
- /* if root_dev is set, remove subdirectories only if device is same */
- if (root_dev && st.st_dev != root_dev->st_dev)
- continue;
+ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
+ * again for each directory */
+ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
- subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
- if (subdir_fd < 0) {
- if (ret == 0 && errno != ENOENT)
- ret = -errno;
- continue;
- }
+ r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags);
+ if (r < 0)
+ return r;
+ if (q < 0)
+ return q;
- /* Stop at mount points */
- r = fd_is_mount_point(fd, de->d_name, 0);
- if (r < 0) {
- if (ret == 0 && r != -ENOENT)
- ret = r;
+ return 1;
- continue;
- }
- if (r > 0)
- continue;
+ } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+ r = unlinkat_harder(fd, fname, 0, flags);
+ if (r < 0)
+ return r;
- if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) {
+ return 1;
+ }
- /* This could be a subvolume, try to remove it */
+ return 0;
+}
- r = btrfs_subvol_remove_fd(fd, de->d_name, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
- if (r < 0) {
- if (!IN_SET(r, -ENOTTY, -EINVAL)) {
- if (ret == 0)
- ret = r;
+int rm_rf_children(
+ int fd,
+ RemoveFlags flags,
+ const struct stat *root_dev) {
- continue;
- }
+ _cleanup_closedir_ DIR *d = NULL;
+ struct dirent *de;
+ int ret = 0, r;
- /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */
- } else
- /* It was a subvolume, continue. */
- continue;
- }
+ assert(fd >= 0);
+
+ /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
+ * fd, in all cases, including on failure. */
+
+ d = fdopendir(fd);
+ if (!d) {
+ safe_close(fd);
+ return -errno;
+ }
- /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file
- * system type again for each directory */
- r = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
- if (r < 0 && ret == 0)
- ret = r;
+ if (!(flags & REMOVE_PHYSICAL)) {
+ struct statfs sfs;
- r = unlinkat_harder(fd, de->d_name, AT_REMOVEDIR, flags);
- if (r < 0 && r != -ENOENT && ret == 0)
- ret = r;
+ if (fstatfs(dirfd(d), &sfs) < 0)
+ return -errno;
+
+ if (is_physical_fs(&sfs)) {
+ /* We refuse to clean physical file systems with this call, unless explicitly
+ * requested. This is extra paranoia just to be sure we never ever remove non-state
+ * data. */
- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+ _cleanup_free_ char *path = NULL;
- r = unlinkat_harder(fd, de->d_name, 0, flags);
- if (r < 0 && r != -ENOENT && ret == 0)
- ret = r;
+ (void) fd_get_path(fd, &path);
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
+ strna(path));
}
}
+
+ FOREACH_DIRENT_ALL(de, d, return -errno) {
+ int is_dir;
+
+ if (dot_or_dot_dot(de->d_name))
+ continue;
+
+ is_dir =
+ de->d_type == DT_UNKNOWN ? -1 :
+ de->d_type == DT_DIR;
+
+ r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
+ if (r < 0 && r != -ENOENT && ret == 0)
+ ret = r;
+ }
+
return ret;
}
int rm_rf(const char *path, RemoveFlags flags) {
int fd, r;
- struct statfs s;
assert(path);
@@ -284,9 +299,10 @@ int rm_rf(const char *path, RemoveFlags flags) {
if (FLAGS_SET(flags, REMOVE_ROOT)) {
if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
+ struct statfs s;
+
if (statfs(path, &s) < 0)
return -errno;
-
if (is_physical_fs(&s))
return log_error_errno(SYNTHETIC_ERRNO(EPERM),
"Attempted to remove files from a disk file system under \"%s\", refusing.",
@@ -314,3 +330,22 @@ int rm_rf(const char *path, RemoveFlags flags) {
return r;
}
+
+int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
+
+ /* Removes one specific child of the specified directory */
+
+ if (fd < 0)
+ return -EBADF;
+
+ if (!filename_is_valid(name))
+ return -EINVAL;
+
+ if ((flags & (REMOVE_ROOT|REMOVE_MISSING_OK)) != 0) /* Doesn't really make sense here, we are not supposed to remove 'fd' anyway */
+ return -EINVAL;
+
+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
+ return -EINVAL;
+
+ return rm_rf_children_inner(fd, name, -1, flags, NULL);
+}
diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h
index 40f0894c96..577a2795e0 100644
--- a/src/shared/rm-rf.h
+++ b/src/shared/rm-rf.h
@@ -23,7 +23,8 @@ int fstatat_harder(int dfd,
int fstatat_flags,
RemoveFlags remove_flags);
-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev);
+int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev);
+int rm_rf_child(int fd, const char *name, RemoveFlags flags);
int rm_rf(const char *path, RemoveFlags flags);
/* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */
--
2.27.0
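Review bot: In the new rm_rf_children_inner(), `st` is filled only when the first condition holds (`is_dir < 0`, or a directory with `root_dev` or REMOVE_SUBVOLUME set), yet it is read later in `st.st_dev != root_dev->st_dev` and `btrfs_might_be_subvol(&st)`. Those reads are guarded by the same `root_dev` / REMOVE_SUBVOLUME tests, so the code is correct as written, but nothing states the invariant, and a later edit to either guard would read an uninitialised struct. I would add at the declaration `/* st is valid only if fstatat_harder() was called below; every later use must be guarded by root_dev or REMOVE_SUBVOLUME */`. The comment added above is_physical_fs() also carries a typo, "sytems".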


@ -0,0 +1,273 @@
From 6a28f8b55904c818b25e4db2e1511faac79fd471 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 30 Nov 2021 22:29:05 +0100
Subject: [PATCH 6/6] shared/rm-rf: loop over nested directories instead of
instead of recursing
To remove directory structures, we need to remove the innermost items first,
and then recursively remove higher-level directories. We would recursively
descend into directories and invoke rm_rf_children and rm_rm_children_inner.
This is problematic when too many directories are nested.
Instead, let's create a "TODO" queue. In the the queue, for each level we
hold the DIR* object we were working on, and the name of the directory. This
allows us to leave a partially-processed directory, and restart the removal
loop one level down. When done with the inner directory, we use the name to
unlinkat() it from the parent, and proceed with the removal of other items.
Because the nesting is increased by one level, it is best to view this patch
with -b/--ignore-space-change.
This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
The issue was reported and patches reviewed by Qualys Team.
Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
(cherry picked from commit 5b1cf7a9be37e20133c0208005274ce4a5b5c6a1)
(cherry picked from commit 911516e1614e435755814ada5fc6064fa107a105)
---
src/shared/rm-rf.c | 161 +++++++++++++++++++++++++++++++--------------
1 file changed, 113 insertions(+), 48 deletions(-)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 1bd2431d8a..954686ffc9 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -52,7 +52,6 @@ static int patch_dirfd_mode(
}
int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags) {
-
mode_t old_mode;
int r;
@@ -116,12 +115,13 @@ int fstatat_harder(int dfd,
return 0;
}
-static int rm_rf_children_inner(
+static int rm_rf_inner_child(
int fd,
const char *fname,
int is_dir,
RemoveFlags flags,
- const struct stat *root_dev) {
+ const struct stat *root_dev,
+ bool allow_recursion) {
struct stat st;
int r, q = 0;
@@ -141,9 +141,7 @@ static int rm_rf_children_inner(
}
if (is_dir) {
- _cleanup_close_ int subdir_fd = -1;
-
- /* if root_dev is set, remove subdirectories only if device is same */
+ /* If root_dev is set, remove subdirectories only if device is same */
if (root_dev && st.st_dev != root_dev->st_dev)
return 0;
@@ -155,7 +153,6 @@ static int rm_rf_children_inner(
return 0;
if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) {
-
/* This could be a subvolume, try to remove it */
r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
@@ -169,13 +166,16 @@ static int rm_rf_children_inner(
return 1;
}
- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (!allow_recursion)
+ return -EISDIR;
+
+ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
if (subdir_fd < 0)
return -errno;
/* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
* again for each directory */
- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev);
} else if (flags & REMOVE_ONLY_DIRECTORIES)
return 0;
@@ -188,63 +188,128 @@ static int rm_rf_children_inner(
return 1;
}
+typedef struct TodoEntry {
+ DIR *dir; /* A directory that we were operating on. */
+ char *dirname; /* The filename of that directory itself. */
+} TodoEntry;
+
+static void free_todo_entries(TodoEntry **todos) {
+ for (TodoEntry *x = *todos; x && x->dir; x++) {
+ closedir(x->dir);
+ free(x->dirname);
+ }
+
+ freep(todos);
+}
+
int rm_rf_children(
int fd,
RemoveFlags flags,
const struct stat *root_dev) {
- _cleanup_closedir_ DIR *d = NULL;
- struct dirent *de;
+ _cleanup_(free_todo_entries) TodoEntry *todos = NULL;
+ size_t n_todo = 0;
+ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */
int ret = 0, r;
- assert(fd >= 0);
+ /* Return the first error we run into, but nevertheless try to go on.
+ * The passed fd is closed in all cases, including on failure. */
+
+ for (;;) { /* This loop corresponds to the directory nesting level. */
+ _cleanup_closedir_ DIR *d = NULL;
+
+ if (n_todo > 0) {
+ /* We know that we are in recursion here, because n_todo is set.
+ * We need to remove the inner directory we were operating on. */
+ assert(dirname);
+ r = unlinkat_harder(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR, flags);
+ if (r < 0 && r != -ENOENT && ret == 0)
+ ret = r;
+ dirname = mfree(dirname);
+
+ /* And now let's back out one level up */
+ n_todo --;
+ d = TAKE_PTR(todos[n_todo].dir);
+ dirname = TAKE_PTR(todos[n_todo].dirname);
+
+ assert(d);
+ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */
+ assert(fd >= 0);
+ } else {
+ next_fd:
+ assert(fd >= 0);
+ d = fdopendir(fd);
+ if (!d) {
+ safe_close(fd);
+ return -errno;
+ }
+ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have
+ * the right descriptor even if it were to internally invalidate the
+ * one we passed. */
+
+ if (!(flags & REMOVE_PHYSICAL)) {
+ struct statfs sfs;
+
+ if (fstatfs(fd, &sfs) < 0)
+ return -errno;
+
+ if (is_physical_fs(&sfs)) {
+ /* We refuse to clean physical file systems with this call, unless
+ * explicitly requested. This is extra paranoia just to be sure we
+ * never ever remove non-state data. */
+
+ _cleanup_free_ char *path = NULL;
+
+ (void) fd_get_path(fd, &path);
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
+ strna(path));
+ }
+ }
+ }
- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
- * fd, in all cases, including on failure. */
+ struct dirent *de;
+ FOREACH_DIRENT_ALL(de, d, return -errno) {
+ int is_dir;
- d = fdopendir(fd);
- if (!d) {
- safe_close(fd);
- return -errno;
- }
+ if (dot_or_dot_dot(de->d_name))
+ continue;
- if (!(flags & REMOVE_PHYSICAL)) {
- struct statfs sfs;
+ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR;
- if (fstatfs(dirfd(d), &sfs) < 0)
- return -errno;
+ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false);
+ if (r == -EISDIR) {
+ /* Push the current working state onto the todo list */
- if (is_physical_fs(&sfs)) {
- /* We refuse to clean physical file systems with this call, unless explicitly
- * requested. This is extra paranoia just to be sure we never ever remove non-state
- * data. */
+ if (!GREEDY_REALLOC0(todos, n_todo + 2))
+ return log_oom();
- _cleanup_free_ char *path = NULL;
+ _cleanup_free_ char *newdirname = strdup(de->d_name);
+ if (!newdirname)
+ return log_oom();
- (void) fd_get_path(fd, &path);
- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
- "Attempted to remove disk file system under \"%s\", and we can't allow that.",
- strna(path));
- }
- }
+ int newfd = openat(fd, de->d_name,
+ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (newfd >= 0) {
+ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) };
+ fd = newfd;
+ dirname = TAKE_PTR(newdirname);
- FOREACH_DIRENT_ALL(de, d, return -errno) {
- int is_dir;
+ goto next_fd;
- if (dot_or_dot_dot(de->d_name))
- continue;
+ } else if (errno != -ENOENT && ret == 0)
+ ret = -errno;
- is_dir =
- de->d_type == DT_UNKNOWN ? -1 :
- de->d_type == DT_DIR;
+ } else if (r < 0 && r != -ENOENT && ret == 0)
+ ret = r;
+ }
- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
- if (r < 0 && r != -ENOENT && ret == 0)
- ret = r;
- }
+ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0)
+ ret = -errno;
- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
- ret = -errno;
+ if (n_todo == 0)
+ break;
+ }
return ret;
}
@@ -337,5 +402,5 @@ int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
return -EINVAL;
- return rm_rf_children_inner(fd, name, -1, flags, NULL);
+ return rm_rf_inner_child(fd, name, -1, flags, NULL, true);
}
--
2.27.0
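Review bot: In the new loop of rm_rf_children(), the failure branch after `openat()` tests `errno != -ENOENT`; errno holds positive codes, so the comparison is always true. A subdirectory that disappears between rm_rf_inner_child() and openat() is therefore recorded as an error instead of being ignored like the other ENOENT cases in this function. The line should read `} else if (errno != ENOENT && ret == 0)`. Separately, the todo array grows with directory depth through GREEDY_REALLOC0, which is the intended replacement for call-stack recursion; a comment next to `TodoEntry` noting that heap use is now proportional to nesting depth would help anyone reasoning about deeply nested input.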


@ -0,0 +1,100 @@
From 811b137d6137cc3e8932599e6ef9254ba43ff5eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 23 Nov 2021 16:56:42 +0100
Subject: [PATCH 5/6] shared/rm_rf: refactor rm_rf() to shorten code a bit
(cherry picked from commit 84ced330020c0bae57bd4628f1f44eec91304e69)
(cherry picked from commit 664529efa9431edc043126013ea54e6c399ae2d3)
---
src/shared/rm-rf.c | 54 +++++++++++++++++++++-------------------------
1 file changed, 24 insertions(+), 30 deletions(-)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 7362954116..1bd2431d8a 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -250,7 +250,7 @@ int rm_rf_children(
}
int rm_rf(const char *path, RemoveFlags flags) {
- int fd, r;
+ int fd, r, q = 0;
assert(path);
@@ -282,49 +282,43 @@ int rm_rf(const char *path, RemoveFlags flags) {
}
fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
- if (fd < 0) {
+ if (fd >= 0) {
+ /* We have a dir */
+ r = rm_rf_children(fd, flags, NULL);
+
+ if (FLAGS_SET(flags, REMOVE_ROOT) && rmdir(path) < 0)
+ q = -errno;
+ } else {
if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
return 0;
if (!IN_SET(errno, ENOTDIR, ELOOP))
return -errno;
- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES))
+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT))
return 0;
- if (FLAGS_SET(flags, REMOVE_ROOT)) {
-
- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
- struct statfs s;
-
- if (statfs(path, &s) < 0)
- return -errno;
- if (is_physical_fs(&s))
- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
- "Attempted to remove files from a disk file system under \"%s\", refusing.",
- path);
- }
-
- if (unlink(path) < 0) {
- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
- return 0;
+ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
+ struct statfs s;
+ if (statfs(path, &s) < 0)
return -errno;
- }
+ if (is_physical_fs(&s))
+ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+ "Attempted to remove files from a disk file system under \"%s\", refusing.",
+ path);
}
- return 0;
+ r = 0;
+ if (unlink(path) < 0)
+ q = -errno;
}
- r = rm_rf_children(fd, flags, NULL);
-
- if (FLAGS_SET(flags, REMOVE_ROOT) &&
- rmdir(path) < 0 &&
- r >= 0 &&
- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT))
- r = -errno;
-
- return r;
+ if (r < 0)
+ return r;
+ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK)))
+ return q;
+ return 0;
}
int rm_rf_child(int fd, const char *name, RemoveFlags flags) {
--
2.27.0
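Review bot: The rewritten tail of rm_rf() now carries two results, `r` from rm_rf_children() and `q` from the rmdir()/unlink() of `path` itself, and nothing in the hunk says which one wins or when -ENOENT is forgiven. A short comment above the final checks would make the contract explicit, for example `/* r: result of emptying the tree, q: result of removing path itself; r takes precedence, and -ENOENT on path is ignored only with REMOVE_MISSING_OK */`. This matters because the spec file lists this refactor under a CVE-2021-3997 backport name, so a later edit that silently reorders the two checks would change what error the caller sees from a removal that only partly succeeded. The start of rm_rf() lies outside the hunk.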


@ -0,0 +1,68 @@
From 89395b63f04f1acc0db533c32637ea20379f97c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 23 Nov 2021 15:55:45 +0100
Subject: [PATCH 4/6] shared/rm_rf: refactor rm_rf_children_inner() to shorten
code a bit
(cherry picked from commit 3bac86abfa1b1720180840ffb9d06b3d54841c11)
(cherry picked from commit 47741ff9eae6311a03e4d3d837128191826a4a3a)
---
src/shared/rm-rf.c | 27 +++++++++------------------
1 file changed, 9 insertions(+), 18 deletions(-)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 19f37e0f19..7362954116 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -124,7 +124,7 @@ static int rm_rf_children_inner(
const struct stat *root_dev) {
struct stat st;
- int r;
+ int r, q = 0;
assert(fd >= 0);
assert(fname);
@@ -142,7 +142,6 @@ static int rm_rf_children_inner(
if (is_dir) {
_cleanup_close_ int subdir_fd = -1;
- int q;
/* if root_dev is set, remove subdirectories only if device is same */
if (root_dev && st.st_dev != root_dev->st_dev)
@@ -178,23 +177,15 @@ static int rm_rf_children_inner(
* again for each directory */
q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
- r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags);
- if (r < 0)
- return r;
- if (q < 0)
- return q;
-
- return 1;
-
- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
- r = unlinkat_harder(fd, fname, 0, flags);
- if (r < 0)
- return r;
-
- return 1;
- }
+ } else if (flags & REMOVE_ONLY_DIRECTORIES)
+ return 0;
- return 0;
+ r = unlinkat_harder(fd, fname, is_dir ? AT_REMOVEDIR : 0, flags);
+ if (r < 0)
+ return r;
+ if (q < 0)
+ return q;
+ return 1;
}
int rm_rf_children(
--
2.27.0
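Review bot: The merged call `unlinkat_harder(fd, fname, is_dir ? AT_REMOVEDIR : 0, flags)` tests `is_dir` for truth, but the parameter is tri-state: rm_rf_child() passes -1 for "unknown" and the function's first condition checks `is_dir < 0`. The call is only right if the stat block above has already reduced `is_dir` to 0 or 1, and that block is outside the hunk, so it cannot be confirmed from here. Either write the intent directly, `is_dir > 0 ? AT_REMOVEDIR : 0`, or add a comment at the call such as `/* is_dir is 0 or 1 here; the -1 "unknown" case was resolved by the stat above */`. Separately, `q` is now function-scoped and initialised to 0, so a one-line note that an unlinkat_harder() failure takes precedence over a failure from the recursive rm_rf_children() call would help the next reader.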


@ -0,0 +1,28 @@
From 7563de501246dccf5a9ea229933481aa1e7bd5c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 23 Nov 2021 15:05:58 +0100
Subject: [PATCH 3/6] tmpfiles: 'st' may have been used uninitialized
(cherry picked from commit 160dadc0350c77d612aa9d5569f57d9bc84c3dca)
---
src/shared/rm-rf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
index 5ef7c662dd..19f37e0f19 100644
--- a/src/shared/rm-rf.c
+++ b/src/shared/rm-rf.c
@@ -129,7 +129,9 @@ static int rm_rf_children_inner(
assert(fd >= 0);
assert(fname);
- if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
+ if (is_dir < 0 ||
+ root_dev ||
+ (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) {
r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags);
if (r < 0)
--
2.27.0
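Review bot: The inner `root_dev ||` in the third clause is dead after this change, because the new top-level `root_dev ||` already makes the whole condition true whenever root_dev is set. The test reduces to `if (is_dir < 0 || root_dev || (is_dir > 0 && (flags & REMOVE_SUBVOLUME))) {`, which is easier to audit. A comment stating why `st` must be filled whenever root_dev is given (presumably the later comparison against `root_dev->st_dev`) would keep a future simplification from reintroducing the uninitialized read that the subject line describes. The function body continues outside the hunk.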


@ -16,8 +16,8 @@ index 92815b1dbaea..1c8159a23550 100644
if (!separate_argv0) {
char *w = NULL;
- if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
+ if (!GREEDY_REALLOC0(n, nbufsize, nlen + 2))
- if (!GREEDY_REALLOC(n, nlen + 2))
+ if (!GREEDY_REALLOC0(n, nlen + 2))
return log_oom();
w = strdup(path);
@ -25,8 +25,8 @@ index 92815b1dbaea..1c8159a23550 100644
p += 2;
p += strspn(p, WHITESPACE);
- if (!GREEDY_REALLOC(n, nbufsize, nlen + 2))
+ if (!GREEDY_REALLOC0(n, nbufsize, nlen + 2))
- if (!GREEDY_REALLOC(n, nlen + 2))
+ if (!GREEDY_REALLOC0(n, nlen + 2))
return log_oom();
w = strdup(";");


@ -0,0 +1,26 @@
From 193105f2d0408e2d96265935174b3cf0f100ef2e Mon Sep 17 00:00:00 2001
From: jiangchuangang <jiangchuangang@huawei.com>
Date: Mon, 29 Nov 2021 22:30:37 +0800
Subject: [PATCH] fix ConditionDirectoryNotEmpty when it comes to a
Non-directory file
---
src/shared/condition.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 6e769e9d59..a86f2b9ffb 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -931,7 +931,7 @@ static int condition_test_directory_not_empty(Condition *c, char **env) {
assert(c->type == CONDITION_DIRECTORY_NOT_EMPTY);
r = dir_is_empty(c->parameter);
- return r <= 0 && r != -ENOENT;
+ return r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR);
}
static int condition_test_file_not_empty(Condition *c, char **env) {
--
2.27.0
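Review bot: Every failure of dir_is_empty() other than -ENOENT and -ENOTDIR still makes `r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR)` true, so a directory that cannot be inspected is reported as "not empty" and the condition passes. This assumes dir_is_empty() returns a negative errno on failure, as the comparison implies; a permission error would be one such case. If that fail-open result is intended, it deserves a comment on the return line such as `/* any other error is treated as "not empty" */`. If it is not intended, and dir_is_empty() returns 0 only for a directory that has entries, `return r == 0;` states the check directly. The same shape appears in the condition_test_path_is_read_write() patch (`r <= 0 && r != -ENOENT`) and in the path_spec_check_good() patch for src/core/path.c, where any other negative `k` leaves `good` true.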


@ -0,0 +1,33 @@
From 7c4c9948d02ceda903ed4e4deea0d0084612625a Mon Sep 17 00:00:00 2001
From: jiangchuangang <jiangchuangang@huawei.com>
Date: Tue, 30 Nov 2021 15:25:27 +0800
Subject: [PATCH] fix ConditionPathIsReadWrite when path does not exist.
---
src/shared/condition.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/shared/condition.c b/src/shared/condition.c
index a86f2b9ffb..dae75a5bf5 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -894,11 +894,15 @@ static int condition_test_path_is_mount_point(Condition *c, char **env) {
}
static int condition_test_path_is_read_write(Condition *c, char **env) {
+ int r;
+
assert(c);
assert(c->parameter);
assert(c->type == CONDITION_PATH_IS_READ_WRITE);
- return path_is_read_only_fs(c->parameter) <= 0;
+ r = path_is_read_only_fs(c->parameter);
+
+ return r <= 0 && r != -ENOENT;
}
static int condition_test_cpufeature(Condition *c, char **env) {
--
2.27.0


@ -0,0 +1,25 @@
From 5896a9ebdbe4d38c01390d0a5e82f9fcb4971059 Mon Sep 17 00:00:00 2001
From: yangmingtai <961612727@qq.com>
Date: Mon, 6 Dec 2021 17:06:13 +0800
Subject: [PATCH] fix DirectoryNotEmpty when it comes to a Non-directory file
---
src/core/path.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/core/path.c b/src/core/path.c
index 29ec66fd4d..bcd922901b 100644
--- a/src/core/path.c
+++ b/src/core/path.c
@@ -215,7 +215,7 @@ static bool path_spec_check_good(PathSpec *s, bool initial, bool from_trigger_no
int k;
k = dir_is_empty(s->path);
- good = !(k == -ENOENT || k > 0);
+ good = !(IN_SET(k, -ENOENT, -ENOTDIR) || k > 0);
break;
}
--
2.27.0


@ -19,8 +19,8 @@
Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 248
Release: 15
Version: 249
Release: 7
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
@ -37,14 +37,14 @@ Source11: 20-grubby.install
Source12: systemd-user
Source13: rc.local
Source100: udev-40-openEuler.rules
Source101: udev-55-persistent-net-generator.rules
Source102: udev-56-net-sriov-names.rules
Source103: udev-61-openeuler-persistent-storage.rules
Source104: net-set-sriov-names
Source105: rule_generator.functions
Source106: write_net_rules
Source107: detect_virt
Source100: udev-40-openEuler.rules
Source101: udev-55-persistent-net-generator.rules
Source102: udev-56-net-sriov-names.rules
Source103: udev-61-openeuler-persistent-storage.rules
Source104: net-set-sriov-names
Source105: rule_generator.functions
Source106: write_net_rules
Source107: detect_virt
Patch0001: 0001-update-rtc-with-system-clock-when-shutdown.patch
Patch0002: 0002-udev-add-actions-while-rename-netif-failed.patch
@ -57,21 +57,28 @@ Patch0008: 0008-rules-add-the-rule-that-adds-elevator-kernel-command.patch
Patch0009: 0009-units-add-Install-section-to-tmp.mount.patch
Patch0010: 0010-Make-systemd-udevd.service-start-after-systemd-remou.patch
Patch0011: 0011-udev-virsh-shutdown-vm.patch
Patch0012: 0012-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch
Patch0013: 0013-sd-bus-properly-initialize-containers.patch
Patch0014: 0014-Revert-core-one-step-back-again-for-nspawn-we-actual.patch
Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0016: 0016-systemd-change-time-log-level.patch
Patch0017: 0017-fix-capsh-drop-but-ping-success.patch
Patch0018: 0018-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
Patch0019: 0019-journald-enforce-longer-line-length-limit-during-set.patch
Patch0020: 0020-fix-CVE-2021-33910.patch
Patch0021: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch
Patch0012: 0012-sd-bus-properly-initialize-containers.patch
Patch0013: 0013-Revert-core-one-step-back-again-for-nspawn-we-actual.patch
Patch0014: 0014-journal-don-t-enable-systemd-journald-audit.socket-b.patch
Patch0015: 0015-systemd-change-time-log-level.patch
Patch0016: 0016-fix-capsh-drop-but-ping-success.patch
Patch0017: 0017-resolved-create-etc-resolv.conf-symlink-at-runtime.patch
patch0018: 0018-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch
#openEuler
Patch9000: disable-systemd-timesyncd-networkd-resolved-homed-us.patch
#backport
Patch6000: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch
Patch6001: backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch
Patch6002: backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch
Patch6003: backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch
Patch6004: backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch
Patch6005: backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch
Patch6006: backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch
Patch6007: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch
Patch6008: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch
Patch6009: backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch
patch6010: backport-fix-CVE-2021-33910.patch
BuildRequires: gcc, gcc-c++, rsync
BuildRequires: gcc, gcc-c++
BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
BuildRequires: audit-libs-devel, cryptsetup-devel, dbus-devel, libacl-devel
BuildRequires: gobject-introspection-devel, libblkid-devel, xz-devel, xz
@ -81,6 +88,7 @@ BuildRequires: gnutls-devel, qrencode-devel, libmicrohttpd-devel, libxkbcommon-
BuildRequires: iptables-devel, docbook-style-xsl, pkgconfig, libxslt, gperf
BuildRequires: gawk, tree, hostname, git, meson >= 0.43, gettext, dbus >= 1.9.18
BuildRequires: python3-devel, python3-lxml, firewalld-filesystem, libseccomp-devel
BuildRequires: python3-jinja2
%if 0%{?have_gnu_efi}
BuildRequires: gnu-efi gnu-efi-devel
%endif
@ -114,9 +122,7 @@ Provides: systemd-sysv = 206
Conflicts: initscripts < 9.56.1
Recommends: %{name}-help
Provides: %{name}-pam
Provides: %{name}-rpm-config
Obsoletes: %{name}-pam < 243
Obsoletes: %{name}-rpm-config < 243
%description
@ -205,20 +211,6 @@ Obsoletes: %{name}-journal-gateway < 227-7
Programs to forward journal entries over the network, using encrypted HTTP,
and to write journal files from serialized journal contents.
%package udev-compat
Summary: Udev rules compatibility with NetworkManager
Requires: %{name} = %{version}-%{release}
License: LGPLv2+
Requires(pre): /usr/bin/getent
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description udev-compat
systemd-udev-compat is a set of udev rules which conflict with NetworkManager.
If users choose to use the network-scripts to manager the network, the package can be used
to do somethings when down or up nics or disk.
%package oomd
Summary: Systemd oomd feature
Requires: %{name} = %{version}-%{release}
@ -231,6 +223,108 @@ Requires(postun): systemd
%description oomd
Systemd-oomd.service, systemd-oomd - A userspace out-of-memory (OOM) killer
%package resolved
Summary: Network Name Resolution manager
License: LGPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): systemd
Requires(preun):systemd
Requires(postun):systemd
Requires(pre): /usr/bin/getent
%description resolved
systemd-resolve is a system service that provides network name resolution to
local applications. It implements a caching and validating DNS/DNSSEC stub
resolver, as well as an LLMNR and MulticastDNS resolver and responder.
%package nspawn
Summary: Spawn a command or OS in a light-weight container
License: LGPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
%description nspawn
systemd-nspawn may be used to run a command or OS in a light-weight namespace
container. In many ways it is similar to chroot, but more powerful since it
fully virtualizes the file system hierarchy, as well as the process tree, the
various IPC subsystems and the host and domain name.
%package networkd
Summary: System daemon that manages network configurations
Requires: %{name}%{?_isa} = %{version}-%{release}
License: LGPLv2+
Requires(pre): /usr/bin/getent
Requires(post): systemd
Requires(preun):systemd
Requires(postun):systemd
%description networkd
systemd-networkd is a system service that manages networks. It detects
and configures network devices as they appear, as well as creating virtual
network devices.
%package timesyncd
Summary: Network Time Synchronization
License: LGPLv2+
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires(post): systemd
Requires(preun):systemd
Requires(postun):systemd
Requires(pre): /usr/bin/getent
%description timesyncd
systemd-timesyncd is a system service that may be used to synchronize
the local system clock with a remote Network Time Protocol (NTP) server.
It also saves the local time to disk every time the clock has been
synchronized and uses this to possibly advance the system realtime clock
on subsequent reboots to ensure it (roughly) monotonically advances even
if the system lacks a battery-buffered RTC chip.
%package pam
Summary: systemd PAM module
Requires: %{name} = %{version}-%{release}
%description pam
Systemd PAM module registers the session with systemd-logind.
%package portable
Summary: Systemd tools for portable services
License: LGPLv2+
Requires: %{name} = %{version}-%{release}
%systemd_requires
%description portable
Systemd tools to manage portable services. The feature is still
considered experimental so the package might change or vanish.
Use at own risk.
More information can be found online:
http://0pointer.net/blog/walkthrough-for-portable-services.html
https://systemd.io/PORTABLE_SERVICES
%package userdbd
Summary: Systemd tools for userdbd services
License: LGPLv2+
Requires: %{name} = %{version}-%{release}
%systemd_requires
%description userdbd
systemd-userdbd is a system service that multiplexes user/group lookups to
all local services that provide JSON user/group record definitions to the system.
Most of systemd-userdbd's functionality is accessible through the userdbctl(1) command.
%package pstore
Summary: Systemd tools for pstore services
License: LGPLv2+
Requires: %{name} = %{version}-%{release}
%systemd_requires
%description pstore
systemd-pstore.service is a system service that archives the contents
of the Linux persistent storage filesystem, pstore, to other storage,
thus preserving the existing information contained in the pstore,
and clearing pstore storage for future error events.
%package_help
%prep
@ -397,13 +491,6 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/rc.d/rc.local
ln -s rc.d/rc.local %{buildroot}%{_sysconfdir}/rc.local
install -m 0644 %{SOURCE100} %{buildroot}/%{_udevrulesdir}/40-openEuler.rules
install -m 0644 %{SOURCE101} %{buildroot}/%{_udevrulesdir}/55-persistent-net-generator.rules
install -m 0644 %{SOURCE102} %{buildroot}/%{_udevrulesdir}/56-net-sriov-names.rules
install -m 0644 %{SOURCE103} %{buildroot}/%{_udevrulesdir}/61-openeuler-persistent-storage.rules
install -m 0755 %{SOURCE104} %{buildroot}/usr/lib/udev
install -m 0755 %{SOURCE105} %{buildroot}/usr/lib/udev
install -m 0755 %{SOURCE106} %{buildroot}/usr/lib/udev
install -m 0755 %{SOURCE107} %{buildroot}/usr/lib/udev
# remove rpath info
for file in $(find %{buildroot}/ -executable -type f -exec file {} ';' | grep "\<ELF\>" | awk -F ':' '{print $1}')
@ -547,9 +634,11 @@ getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2
getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || :
getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || :
%pre networkd
getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2>&1 || :
getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || :
%pre resolved
getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || :
getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || :
@ -642,20 +731,32 @@ if [ $1 -eq 0 ] ; then
serial-getty@.service \
console-getty.service \
debug-shell.service \
systemd-networkd.service \
systemd-networkd-wait-online.service \
>/dev/null || :
fi
%preun resolved
if [ $1 -eq 0 ] ; then
systemctl disable --quiet \
systemd-resolved.service \
>/dev/null || :
fi
%pre udev
%preun networkd
if [ $1 -eq 0 ] ; then
systemctl disable --quiet \
systemd-networkd.service \
systemd-networkd-wait-online.service \
>/dev/null || :
fi
%pre timesyncd
getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || :
getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || :
%post udev
%post timesyncd
# Move old stuff around in /var/lib
mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null
mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null
if [ -L %{_localstatedir}/lib/systemd/timesync ]; then
rm %{_localstatedir}/lib/systemd/timesync
mv %{_localstatedir}/lib/private/systemd/timesync %{_localstatedir}/lib/systemd/timesync
@ -664,6 +765,12 @@ if [ -f %{_localstatedir}/lib/systemd/clock ] ; then
mkdir -p %{_localstatedir}/lib/systemd/timesync
mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/.
fi
# devided from post and preun stage of udev that included in macro udev_services
%systemd_post systemd-timesyncd.service
%post udev
# Move old stuff around in /var/lib
mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null
udevadm hwdb --update &>/dev/null
%systemd_post %udev_services
@ -679,6 +786,9 @@ if [ -f "/usr/lib/udev/rules.d/50-udev-default.rules" ]; then
fi
%{_bindir}/systemctl daemon-reload &>/dev/null || :
%preun timesyncd
%systemd_preun systemd-timesyncd.service
%preun udev
%systemd_preun %udev_services
@ -715,6 +825,15 @@ fi
%systemd_postun_with_restart systemd-journal-upload.service
%firewalld_reload
%preun portable
%systemd_preun systemd-portabled.service
%preun userdbd
%systemd_preun systemd-userdbd.service systemd-userdbd.socket
%preun pstore
%systemd_preun systemd-pstore.service
%files -f %{name}.lang
%doc %{_pkgdocdir}
%exclude %{_pkgdocdir}/LICENSE.*
@ -753,7 +872,6 @@ fi
/usr/sbin/reboot
/usr/sbin/halt
/usr/sbin/telinit
/usr/sbin/resolvconf
/usr/sbin/init
/usr/sbin/runlevel
/usr/sbin/poweroff
@ -773,12 +891,9 @@ fi
/usr/share/bash-completion/completions/portablectl
/usr/share/bash-completion/completions/systemd-run
/usr/share/bash-completion/completions/systemd-cat
/usr/share/bash-completion/completions/resolvectl
/usr/share/bash-completion/completions/coredumpctl
/usr/share/bash-completion/completions/systemd-delta
/usr/share/bash-completion/completions/systemd-cgls
/usr/share/bash-completion/completions/systemd-resolve
/usr/share/bash-completion/completions/networkctl
/usr/share/bash-completion/completions/systemd-detect-virt
/usr/share/bash-completion/completions/hostnamectl
/usr/share/bash-completion/completions/systemd-cgtop
@ -793,14 +908,12 @@ fi
/usr/share/zsh/site-functions/_journalctl
/usr/share/zsh/site-functions/_systemd-delta
/usr/share/zsh/site-functions/_systemd-tmpfiles
/usr/share/zsh/site-functions/_resolvectl
/usr/share/zsh/site-functions/_systemctl
/usr/share/zsh/site-functions/_systemd-run
/usr/share/zsh/site-functions/_sd_outputmodes
/usr/share/zsh/site-functions/_sd_unit_files
/usr/share/zsh/site-functions/_sd_machines
/usr/share/zsh/site-functions/_coredumpctl
/usr/share/zsh/site-functions/_networkctl
/usr/share/zsh/site-functions/_timedatectl
/usr/share/zsh/site-functions/_busctl
/usr/share/zsh/site-functions/_systemd
@ -811,33 +924,25 @@ fi
/usr/share/dbus-1/system-services/org.freedesktop.portable1.service
/usr/share/dbus-1/system-services/org.freedesktop.login1.service
/usr/share/dbus-1/system-services/org.freedesktop.locale1.service
/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
/usr/share/dbus-1/system-services/org.freedesktop.hostname1.service
/usr/share/dbus-1/system-services/org.freedesktop.network1.service
/usr/share/dbus-1/system-services/org.freedesktop.timedate1.service
/usr/share/dbus-1/system.d/org.freedesktop.resolve1.conf
/usr/share/dbus-1/system.d/org.freedesktop.timedate1.conf
/usr/share/dbus-1/system.d/org.freedesktop.hostname1.conf
/usr/share/dbus-1/system.d/org.freedesktop.login1.conf
/usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
/usr/share/dbus-1/system.d/org.freedesktop.locale1.conf
/usr/share/dbus-1/system.d/org.freedesktop.portable1.conf
/usr/share/dbus-1/system.d/org.freedesktop.network1.conf
/usr/share/pkgconfig/systemd.pc
/usr/share/pkgconfig/udev.pc
/usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
/usr/share/polkit-1/actions/org.freedesktop.portable1.policy
/usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
/usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
/usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
/usr/share/polkit-1/actions/org.freedesktop.login1.policy
/usr/share/polkit-1/actions/org.freedesktop.network1.policy
/usr/share/polkit-1/actions/org.freedesktop.locale1.policy
/usr/share/polkit-1/rules.d/systemd-networkd.rules
/usr/bin/systemd-machine-id-setup
/usr/bin/localectl
/usr/bin/systemd-path
/usr/bin/portablectl
/usr/bin/systemd-run
/usr/bin/systemd-firstboot
/usr/bin/systemd-escape
@ -845,13 +950,9 @@ fi
/usr/bin/systemd-cat
/usr/bin/systemd-inhibit
/usr/bin/systemd-ask-password
/usr/bin/resolvectl
/usr/bin/systemd-notify
/usr/bin/coredumpctl
/usr/bin/systemd-delta
/usr/bin/systemd-cgls
/usr/bin/systemd-resolve
/usr/bin/networkctl
/usr/bin/systemd-stdio-bridge
/usr/bin/systemd-detect-virt
/usr/bin/systemd-socket-activate
@ -869,7 +970,7 @@ fi
/usr/bin/systemd-sysusers
/usr/bin/systemd-tty-ask-password-agent
/usr/bin/busctl
/usr/bin/userdbctl
/usr/bin/coredumpctl
%dir /usr/lib/environment.d
%dir /usr/lib/binfmt.d
%dir /usr/lib/tmpfiles.d
@ -880,6 +981,7 @@ fi
/usr/lib/sysusers.d/systemd.conf
/usr/lib/sysusers.d/basic.conf
/usr/lib/systemd/system/hwclock-save.service
/usr/lib/systemd/system/initrd-usr-fs.target
/usr/lib/systemd/system/sysinit.target.wants/hwclock-save.service
%{_systemddir}/systemd-update-done
%{_systemddir}/systemd-update-utmp
@ -891,10 +993,8 @@ fi
%{_systemddir}/systemd-cgroups-agent
%{_systemddir}/systemd-sulogin-shell
%{_systemddir}/systemd-boot-check-no-failures
%dir %{_systemddir}/ntp-units.d
%{_systemddir}/systemd-user-sessions
%{_systemddir}/systemd-sysctl
%{_systemddir}/systemd-networkd-wait-online
%{_systemddir}/systemd-socket-proxyd
%{_systemddir}/systemd-ac-power
%{_systemddir}/systemd-hostnamed
@ -905,11 +1005,9 @@ fi
%{_systemddir}/systemd-journald
%{_systemddir}/systemd-user-runtime-dir
%{_systemddir}/systemd-logind
%{_systemddir}/systemd-networkd
%dir %{_systemddir}/system-preset
%dir %{_systemddir}/user-environment-generators
%{_systemddir}/systemd-shutdown
%{_systemddir}/systemd-portabled
%{_systemddir}/libsystemd-shared*.so
%{_systemddir}/systemd-reply-password
%dir %{_systemddir}/system-generators
@ -918,35 +1016,21 @@ fi
%{_systemddir}/systemd-fsck
%{_systemddir}/systemd-timedated
%dir %{_systemddir}/user-generators
%dir %{_systemddir}/portable
%{_systemddir}/systemd
%dir %{_systemddir}/user-preset
%{_systemddir}/systemd-coredump
%{_systemddir}/resolv.conf
%{_systemddir}/systemd-veritysetup
%{_systemddir}/systemd-network-generator
%{_systemddir}/systemd-time-wait-sync
%{_systemddir}/systemd-pstore
%{_systemddir}/systemd-resolved
%{_systemddir}/systemd-binfmt
%{_systemddir}/user-preset/90-systemd.preset
%dir %{_systemddir}/portable/profile
%dir %{_systemddir}/portable/profile/strict
%dir %{_systemddir}/portable/profile/nonetwork
%dir %{_systemddir}/portable/profile/trusted
%dir %{_systemddir}/portable/profile/default
%{_systemddir}/portable/profile/default/service.conf
%{_systemddir}/portable/profile/trusted/service.conf
%{_systemddir}/portable/profile/nonetwork/service.conf
%{_systemddir}/portable/profile/strict/service.conf
%{_unitdir}/systemd-networkd.socket
%{_unitdir}/systemd-binfmt.service
%{_unitdir}/systemd-machine-id-commit.service
%dir %{_unitdir}/basic.target.wants
%{_unitdir}/systemd-coredump.socket
%{_unitdir}/systemd-coredump@.service
%{_unitdir}/ctrl-alt-del.target
%{_unitdir}/systemd-tmpfiles-setup.service
%{_unitdir}/systemd-time-wait-sync.service
%{_unitdir}/rpcbind.target
%{_unitdir}/systemd-update-done.service
%{_unitdir}/dev-hugepages.mount
@ -960,7 +1044,6 @@ fi
%{_unitdir}/syslog.socket
%{_unitdir}/systemd-localed.service
%{_unitdir}/systemd-ask-password-console.service
%{_unitdir}/systemd-pstore.service
%{_unitdir}/exit.target
%{_unitdir}/systemd-ask-password-console.path
%{_unitdir}/systemd-logind.service
@ -1010,7 +1093,6 @@ fi
%{_unitdir}/systemd-update-utmp.service
%dir %{_unitdir}/rescue.target.wants
%{_unitdir}/bluetooth.target
%{_unitdir}/systemd-networkd-wait-online.service
%{_unitdir}/systemd-ask-password-wall.path
%{_unitdir}/emergency.service
%{_unitdir}/network-pre.target
@ -1030,7 +1112,6 @@ fi
%{_unitdir}/systemd-update-utmp-runlevel.service
%{_unitdir}/network-online.target
%{_unitdir}/systemd-initctl.socket
%{_unitdir}/systemd-coredump@.service
%{_unitdir}/time-sync.target
%{_unitdir}/runlevel5.target
%{_unitdir}/paths.target
@ -1053,23 +1134,19 @@ fi
%{_unitdir}/runlevel4.target
%{_unitdir}/serial-getty@.service
%{_unitdir}/sysinit.target
%{_unitdir}/dbus-org.freedesktop.portable1.service
%{_unitdir}/rc-local.service
%{_unitdir}/debug-shell.service
%{_unitdir}/dev-mqueue.mount
%{_unitdir}/emergency.target
%{_unitdir}/systemd-portabled.service
%{_unitdir}/dbus-org.freedesktop.timedate1.service
%{_unitdir}/runlevel1.target
%dir %{_unitdir}/remote-fs.target.wants
%{_unitdir}/dbus-org.freedesktop.hostname1.service
%{_unitdir}/systemd-networkd.service
%{_unitdir}/runlevel0.target
%{_unitdir}/user.slice
%{_unitdir}/systemd-journal-catalog-update.service
%{_unitdir}/local-fs-pre.target
%{_unitdir}/systemd-halt.service
%{_unitdir}/systemd-resolved.service
%{_unitdir}/container-getty@.service
%{_unitdir}/slices.target
%{_unitdir}/systemd-network-generator.service
@ -1135,8 +1212,6 @@ fi
%{_unitdir}/systemd-journald-varlink@.socket
%{_unitdir}/systemd-journald@.service
%{_unitdir}/systemd-journald@.socket
%{_unitdir}/systemd-userdbd.service
%{_unitdir}/systemd-userdbd.socket
%{_unitdir}/usb-gadget.target
%{_unitdir}/modprobe@.service
%{_systemddir}/system-generators/systemd-fstab-generator
@ -1167,9 +1242,6 @@ fi
%{_userunitdir}/systemd-tmpfiles-clean.timer
%{_userunitdir}/sockets.target
%{_userunitdir}/smartcard.target
%{_systemddir}/systemd-userdbd
%{_systemddir}/systemd-userwork
%{_systemddir}/network/80-container-host0.network
%{_systemddir}/network/80-wifi-adhoc.network
%{_systemddir}/network/80-wifi-ap.network.example
%{_systemddir}/network/80-wifi-station.network.example
@ -1188,14 +1260,13 @@ fi
%{_systemddir}/systemd-xdg-autostart-condition
%{_systemddir}/user-generators/systemd-xdg-autostart-generator
%{_systemddir}/user/xdg-desktop-autostart.target
/usr/lib/sysctl.d/50-coredump.conf
/usr/lib/sysctl.d/50-default.conf
/usr/lib/sysctl.d/50-pid-max.conf
/usr/lib/sysctl.d/50-coredump.conf
/usr/lib/tmpfiles.d/systemd-tmp.conf
/usr/lib/tmpfiles.d/systemd-nologin.conf
/usr/lib/tmpfiles.d/systemd.conf
/usr/lib/tmpfiles.d/journal-nocow.conf
/usr/lib/tmpfiles.d/portables.conf
/usr/lib/tmpfiles.d/x11.conf
/usr/lib/tmpfiles.d/tmp.conf
/usr/lib/tmpfiles.d/home.conf
@ -1203,7 +1274,6 @@ fi
/usr/lib/tmpfiles.d/legacy.conf
/usr/lib/tmpfiles.d/static-nodes-permissions.conf
/usr/lib/tmpfiles.d/var.conf
/usr/lib/tmpfiles.d/systemd-pstore.conf
/usr/lib/environment.d/99-environment.conf
%ghost %config(noreplace) /etc/localtime
%dir /etc/rc.d
@ -1218,15 +1288,11 @@ fi
%ghost %config(noreplace) /etc/machine-info
%ghost %config(noreplace) /etc/machine-id
%ghost %config(noreplace) /etc/hostname
%dir /etc/systemd/network
%config(noreplace) /etc/systemd/user.conf
%config(noreplace) /etc/systemd/coredump.conf
%dir /etc/systemd/user
%config(noreplace) /etc/systemd/logind.conf
%config(noreplace) /etc/systemd/networkd.conf
%config(noreplace) /etc/systemd/resolved.conf
%config(noreplace) /etc/systemd/journald.conf
%config(noreplace) /etc/systemd/pstore.conf
%config(noreplace) /etc/systemd/coredump.conf
%dir /etc/systemd/system
%config(noreplace) /etc/systemd/system.conf
%ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
@ -1242,7 +1308,6 @@ fi
%config(noreplace) /etc/xdg/systemd/user
%{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%{_libdir}/security/pam_systemd.so
/usr/lib/rpm/macros.d/macros.systemd
/usr/bin/systemd-cryptenroll
@ -1266,6 +1331,9 @@ fi
/usr/lib/udev/hwdb.d/20-dmi-id.hwdb
/usr/lib/udev/hwdb.d/60-autosuspend-fingerprint-reader.hwdb
/usr/lib/udev/hwdb.d/README
/usr/lib/udev/hwdb.d/60-seat.hwdb
/usr/lib/udev/hwdb.d/80-ieee1394-unit-function.hwdb
/usr/lib/udev/rules.d/81-net-dhcp.rules
/usr/lib/udev/rules.d/70-memory.rules
/usr/lib/udev/rules.d/README
/usr/share/bash-completion/completions/systemd-id128
@ -1273,7 +1341,6 @@ fi
%files libs
%{_libdir}/libnss_systemd.so.2
%{_libdir}/libnss_resolve.so.2
%{_libdir}/libnss_myhostname.so.2
%{_libdir}/libsystemd.so.*
%{_libdir}/libudev.so.*
@ -1302,10 +1369,8 @@ fi
%files udev
%ghost %dir /var/lib/systemd/backlight
%ghost %dir /var/lib/systemd/timesync
%ghost %dir /var/lib/systemd/rfkill
%ghost /var/lib/systemd/random-seed
%ghost /var/lib/systemd/timesync/clock
/usr/sbin/udevadm
/usr/share/bash-completion/completions/udevadm
/usr/share/bash-completion/completions/bootctl
@ -1313,8 +1378,6 @@ fi
/usr/share/zsh/site-functions/_bootctl
/usr/share/zsh/site-functions/_udevadm
/usr/share/zsh/site-functions/_kernel-install
/usr/share/dbus-1/system-services/org.freedesktop.timesync1.service
/usr/share/dbus-1/system.d/org.freedesktop.timesync1.conf
/usr/bin/systemd-hwdb
/usr/bin/udevadm
/usr/bin/bootctl
@ -1323,7 +1386,6 @@ fi
%dir /usr/lib/udev
%dir /usr/lib/kernel
%dir /usr/lib/modules-load.d
%{_systemddir}/systemd-timesyncd
%{_systemddir}/systemd-growfs
%{_systemddir}/systemd-modules-load
%dir %{_systemddir}/system-sleep
@ -1351,7 +1413,6 @@ fi
%dir %{_unitdir}/systemd-udev-trigger.service.d
%{_unitdir}/systemd-random-seed.service
%{_unitdir}/systemd-quotacheck.service
%{_unitdir}/systemd-timesyncd.service
%{_unitdir}/systemd-udevd-control.socket
%{_unitdir}/hibernate.target
%{_unitdir}/systemd-remount-fs.service
@ -1385,12 +1446,12 @@ fi
%{_systemddir}/system-generators/systemd-cryptsetup-generator
%{_systemddir}/system-generators/systemd-hibernate-resume-generator
%{_systemddir}/system-generators/systemd-gpt-auto-generator
%{_systemddir}/ntp-units.d/80-systemd-timesync.list
%if 0%{?have_gnu_efi}
%dir %{_systemddir}/boot
%dir %{_systemddir}/boot/efi
%{_systemddir}/boot/efi/systemd-boot%{efi_arch}.efi
%{_systemddir}/boot/efi/linux%{efi_arch}.efi.stub
%{_systemddir}/boot/efi/linux%{efi_arch}.elf.stub
%endif
%{_systemddir}/network/99-default.link
%dir /usr/lib/kernel/install.d
@ -1465,7 +1526,6 @@ fi
%dir /etc/udev
%dir /etc/kernel
%dir /etc/modules-load.d
%config(noreplace) /etc/systemd/timesyncd.conf
%config(noreplace) /etc/systemd/sleep.conf
%dir /etc/kernel/install.d
%ghost /etc/udev/hwdb.bin
@ -1475,9 +1535,7 @@ fi
%files container
/usr/share/bash-completion/completions/machinectl
/usr/share/bash-completion/completions/systemd-nspawn
/usr/share/zsh/site-functions/_machinectl
/usr/share/zsh/site-functions/_systemd-nspawn
/usr/share/dbus-1/system-services/org.freedesktop.import1.service
/usr/share/dbus-1/system-services/org.freedesktop.machine1.service
/usr/share/dbus-1/services/org.freedesktop.systemd1.service
@ -1488,7 +1546,6 @@ fi
/usr/share/polkit-1/actions/org.freedesktop.machine1.policy
%{_libdir}/libnss_mymachines.so.2
/usr/bin/machinectl
/usr/bin/systemd-nspawn
%{_systemddir}/systemd-import
%{_systemddir}/systemd-machined
%{_systemddir}/systemd-importd
@ -1503,13 +1560,9 @@ fi
%{_unitdir}/machine.slice
%{_unitdir}/machines.target
%dir %{_unitdir}/machines.target.wants
%{_unitdir}/systemd-nspawn@.service
%{_unitdir}/machines.target.wants/var-lib-machines.mount
%{_unitdir}/remote-fs.target.wants/var-lib-machines.mount
%{_systemddir}/network/80-container-vz.network
%{_systemddir}/network/80-container-ve.network
%{_systemddir}/network/80-vm-vt.network
/usr/lib/tmpfiles.d/systemd-nspawn.conf
%files journal-remote
%ghost %dir /var/log/journal/remote
@ -1532,19 +1585,11 @@ fi
%config(noreplace) /etc/systemd/journal-remote.conf
%config(noreplace) /etc/systemd/journal-upload.conf
%files udev-compat
%{_udevrulesdir}/55-persistent-net-generator.rules
%{_udevrulesdir}/56-net-sriov-names.rules
%{_udevrulesdir}/61-openeuler-persistent-storage.rules
/usr/lib/udev/rule_generator.functions
/usr/lib/udev/write_net_rules
/usr/lib/udev/net-set-sriov-names
/usr/lib/udev/detect_virt
%files oomd
/etc/systemd/oomd.conf
/usr/bin/oomctl
/usr/lib/systemd/system/systemd-oomd.service
/usr/lib/systemd/system/dbus-org.freedesktop.oom1.service
/usr/lib/systemd/systemd-oomd
/usr/share/dbus-1/system-services/org.freedesktop.oom1.service
/usr/share/dbus-1/system.d/org.freedesktop.oom1.conf
@ -1553,7 +1598,110 @@ fi
/usr/share/man/*/*
%exclude /usr/share/man/man3/*
%files resolved
/usr/sbin/resolvconf
/usr/bin/resolvectl
/usr/share/bash-completion/completions/resolvectl
/usr/share/zsh/site-functions/_resolvectl
/usr/share/bash-completion/completions/systemd-resolve
/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
/usr/share/dbus-1/system.d/org.freedesktop.resolve1.conf
/usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
/usr/bin/systemd-resolve
%{_systemddir}/resolv.conf
%{_systemddir}/systemd-resolved
%config(noreplace) /etc/systemd/resolved.conf
%{_libdir}/libnss_resolve.so.2
%{_unitdir}/systemd-resolved.service
%files nspawn
/usr/share/bash-completion/completions/systemd-nspawn
/usr/share/zsh/site-functions/_systemd-nspawn
/usr/bin/systemd-nspawn
%{_unitdir}/systemd-nspawn@.service
/usr/lib/tmpfiles.d/systemd-nspawn.conf
%files networkd
/usr/share/bash-completion/completions/networkctl
/usr/share/zsh/site-functions/_networkctl
/usr/share/dbus-1/system-services/org.freedesktop.network1.service
/usr/share/dbus-1/system.d/org.freedesktop.network1.conf
/usr/share/polkit-1/actions/org.freedesktop.network1.policy
/usr/share/polkit-1/rules.d/systemd-networkd.rules
/usr/bin/networkctl
%{_systemddir}/systemd-networkd-wait-online
%{_systemddir}/systemd-networkd
%{_unitdir}/systemd-networkd.socket
%{_unitdir}/systemd-networkd-wait-online.service
%{_unitdir}/systemd-networkd.service
%{_systemddir}/network/80-container-host0.network
%dir /etc/systemd/network
%config(noreplace) /etc/systemd/networkd.conf
%{_systemddir}/network/80-container-vz.network
%{_systemddir}/network/80-container-ve.network
%files timesyncd
%dir %{_systemddir}/ntp-units.d
%{_systemddir}/systemd-time-wait-sync
%{_unitdir}/systemd-time-wait-sync.service
%ghost %dir /var/lib/systemd/timesync
%ghost /var/lib/systemd/timesync/clock
/usr/share/dbus-1/system-services/org.freedesktop.timesync1.service
/usr/share/dbus-1/system.d/org.freedesktop.timesync1.conf
%{_systemddir}/systemd-timesyncd
%{_unitdir}/systemd-timesyncd.service
%{_systemddir}/ntp-units.d/80-systemd-timesync.list
%config(noreplace) /etc/systemd/timesyncd.conf
%files pam
%{_libdir}/security/pam_systemd.so
%files portable
%defattr(-,root,root)
%{_bindir}/portablectl
%{_prefix}/lib/systemd/systemd-portabled
%{_prefix}/lib/systemd/portable
%{_unitdir}/systemd-portabled.service
%{_unitdir}/dbus-org.freedesktop.portable1.service
%{_tmpfilesdir}/portables.conf
%files pstore
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/systemd/pstore.conf
%{_prefix}/lib/systemd/systemd-pstore
%{_unitdir}/systemd-pstore.service
%{_tmpfilesdir}/systemd-pstore.conf
%files userdbd
%defattr(-,root,root)
%{_bindir}/userdbctl
%{_prefix}/lib/systemd/systemd-userwork
%{_prefix}/lib/systemd/systemd-userdbd
%{_unitdir}/systemd-userdbd.service
%{_unitdir}/systemd-userdbd.socket
%changelog
* Tue Feb 15 2021 yangmingtai <yangmingtai@huawei.com> - 249-7
- disable rename function of net interface
* Tue Feb 15 2021 yangmingtai <yangmingtai@huawei.com> - 249-6
- nop_job of a unit must also be coldpluged after deserization
* Tue Feb 15 2021 yangmingtai <yangmingtai@huawei.com> - 249-5
- fix CVE-2021-3997 and CVE-2021-33910
* Tue Feb 8 2021 yangmingtai <yangmingtai@huawei.com> - 249-4
- fix ConditionDirectoryNotEmpty,ConditionPathIsReadWrite and DirectoryNotEmpty
* Tue Feb 8 2021 yangmingtai <yangmingtai@huawei.com> - 249-3
- do not make systemd-cpredump sub packages
* Tue Dec 27 2021 yangmingtai <yangmingtai@huawei.com> - 249-2
- delete useless Provides and Obsoletes
* Wed Dec 8 2021 yangmingtai <yangmingtai@huawei.com> - 249-1
- systemd update to v249
* Tue Dec 28 2021 licunlong <licunlong1@huawei.com> - 248-15
- fix typo: disable not denable.