Systemd partition fix #490
Closed
Devender-117 wants to merge 703 commits into systemd:v255-stable from
When invoked as the coredump handler by the kernel, systemd-coredump's stdout and stderr streams are closed. This is dangerous as this means the fds can get reallocated, leading to hard-to-debug errors such as log messages ending up being appended to a compressed coredump file. To avoid such issues in the future, let's bind stdout/stderr to /dev/null so the file descriptors can't get used for anything else. (cherry picked from commit 1f9d2a8) (cherry picked from commit fba50bc)
Inspired by systemd/systemd#24024: this is another user mode helper where this might be an issue. Hence let's rather be safe than sorry, and also connect stdin/stdout/stderr explicitly with /dev/null. (cherry picked from commit 50492ce) (cherry picked from commit 6894877)
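The fd-reuse hazard described in the two commit messages above, as an added C example that is not part of this pull request or of systemd's own code: a child whose stdout/stderr are closed opens an output file and is handed fd 1, so any later write to stdout would land in that file; the hypothetical bind_std_fds_to_devnull() helper reconnects closed standard fds to /dev/null first, in the spirit of the fix. /dev/null also serves as the constructed stand-in for the coredump file.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper in the spirit of the fix: reconnect any closed fd
 * among 0-2 to /dev/null so a later open() can never be handed one of the
 * standard-stream numbers. Returns 0 on success, -1 on error. */
int bind_std_fds_to_devnull(void) {
    int nullfd = open("/dev/null", O_RDWR);
    if (nullfd < 0) return -1;
    for (int fd = 0; fd < 3; fd++)
        if (fcntl(fd, F_GETFD) < 0 && dup2(nullfd, fd) < 0) {
            close(nullfd);
            return -1;
        }
    if (nullfd > 2)            /* nullfd itself may have landed on 0-2 */
        close(nullfd);
    return 0;
}

/* Fork a child with stdout/stderr closed (as when the kernel invokes a
 * usermode helper), optionally apply the fix, then open a constructed
 * stand-in for the coredump file and report the fd number it received.
 * Without the fix that number is 1. Returns it, or -1 on failure. */
int fd_handed_to_output_file(int apply_fix) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* keep stdin open so the hazard is deterministic: closing 1 and 2
         * below makes 1 the lowest free fd */
        if (fcntl(0, F_GETFD) < 0 && open("/dev/null", O_RDONLY) != 0) _exit(102);
        close(STDOUT_FILENO);
        close(STDERR_FILENO);
        if (apply_fix && bind_std_fds_to_devnull() < 0) _exit(100);
        int fd = open("/dev/null", O_WRONLY); /* stand-in for the coredump file */
        _exit(fd < 0 ? 101 : fd);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    printf("without fix: output file got fd %d\n", fd_handed_to_output_file(0));
    printf("with fix:    output file got fd %d\n", fd_handed_to_output_file(1));
    return 0;
}
```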
Since in this specific case (r == 0) `errno` is irrelevant and most likely set to zero, leading up to a confusing message:
```
[ 120.595085] H systemd[1]: session-5.scope: No PIDs left to attach to the scope's control group, refusing: Success
[ 120.595144] H systemd[1]: session-5.scope: Failed with result 'resources'.
```
(cherry picked from commit e99b928) (cherry picked from commit 5c822e3)
For the system manager, /run/systemd/private is publicly accessible, because /run/systemd is 0755, and /run/systemd/private is 0777. For the user manager, /run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This does not directly cause any security issue because we check the sender in bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()). But it makes sense to limit access to the socket to avoid wasting time in PID1. Somebody could send messages there that we'd reject anyway. It also makes things more explicit. (cherry picked from commit df1cbd1) (cherry picked from commit dc3333b)
When running on images you don't want to modify the /tmp directory even if it's writable, and often it will just be read-only. Set PrivateTmp=yes. Fixes systemd/systemd#23592 (cherry picked from commit f2d26cd) (cherry picked from commit 6e111d2)
(cherry picked from commit 01d9fbc)
Kubevirt is currently technically based on KVM (but not xen yet[1]). The systemd-detect-virt command, used to differentiate the current virtualization environment, works fine on x86 relying on CPUID, but fails to get the correct value (none instead of kvm) on aarch64. Let's fix this by adding a new 'vendor[KubeVirt] = kvm' classification considering the sys_vendor is always KubeVirt. [1] https://groups.google.com/g/kubevirt-dev/c/C6cUgzTOsVg Signed-off-by: Fei Li <lifei.shirley@bytedance.com> (cherry picked from commit c15d1ac) (cherry picked from commit e7d635f)
Follow-up for 49bb7fe. Fixes an issue reported at systemd/systemd#26270 (comment). (cherry picked from commit 9361a71) (cherry picked from commit e91a304) (cherry picked from commit f32581a)
If UDP is blocked on the system (e.g. by iptables or BPF), the kernel will return EPERM on some or all of the system calls (connect, sendmsg, etc.). In this case, try to fall back to TCP, which hopefully will not be blocked. (cherry picked from commit 3dd6336) (cherry picked from commit a88e35b) (cherry picked from commit 58cbb7a) (cherry picked from commit 5f6a369)
The TPM code expects a description unless the PCR index indicates that no measurements have to take place. The assert was preempting this check from happening. Fixes: #26428 (cherry picked from commit f92428e) (cherry picked from commit cd5de28) (cherry picked from commit ac3d892) (cherry picked from commit 2cf90e1)
Previously, we skipped the entries before arg_lines unconditionally, which doesn't behave correctly when used with --grep. After this commit, when a pattern is specified, we don't skip the entries early, but rely on the count of the lines shown to tell us when to stop. To achieve that we would have to search backwards instead. Fixes #25147 (cherry picked from commit db46919) (cherry picked from commit c4cdbb9) (cherry picked from commit e988919) (cherry picked from commit a90a456)
r and R take globs, so let's name the argument appropriately in the tl;dr listing. Also, use 'clean-up' in the file name where it represents the verb "clean up", and other minor spelling adjustments. (cherry picked from commit 164297c) (cherry picked from commit aac6921) (cherry picked from commit e72f167) (cherry picked from commit 88302d7)
An rpminspect test in Fedora/RHEL is flagging our stub files as having an executable stack. The check is correct:
```
$ readelf --wide --program-headers build/src/boot/efi/linuxx64.elf.stub | rg -i stack
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
```
It seems to be just an omission in the linker script… None of the objects that are linked into the stub are marked as requiring an executable stack:
```
$ readelf --wide --sections build/src/boot/efi/*.c.o \
    /usr/lib/gnuefi/x64/libgnuefi.a \
    /usr/lib/gnuefi/x64/libefi.a \
    /usr/lib/gcc/x86_64-redhat-linux/12/libgcc.a \
    | rg '.note.GNU-stack.*X'
(nothing)
```
On aarch64 we end up with a nonexecutable stack, but on ia32 and x64 we get one, so this might be just a matter of defaults in the linker. It doesn't matter greatly, but let's mark the stack as non-executable to avoid the warning. Note: '-Wl,-z' is not needed, things work with just '-z'. (cherry picked from commit 1eca770) (cherry picked from commit 44c2ff5) (cherry picked from commit 4f4344e) (cherry picked from commit c68ae31)
I'm not sure what "suffix" was meant by this comment, but the file has the usual suffix. The file was added with the current name back in c4708f1. Maybe an earlier version of the patch did something different. (cherry picked from commit 9c71885) (cherry picked from commit d9abd8b) (cherry picked from commit 2ca2390) (cherry picked from commit 3339b23)
Only service and scope units have the RuntimeMaxUSec bus property. To suppress the "Until:" field for other unit types, the entry must be initialized with USEC_INFINITY. Fixes #26473. (cherry picked from commit b59052b) (cherry picked from commit 2bfb07b) (cherry picked from commit 028cee0) (cherry picked from commit e385eb5)
If the boot ID cannot be obtained, let's first fall back to the machine ID, and if that still cannot be obtained, then let's use 0. Otherwise, no timer event source can be triggered. Fixes #26549. (cherry picked from commit 6d2326e) (cherry picked from commit 58c821a) (cherry picked from commit 7897619) (cherry picked from commit ac04d80)
If the default target is masked, `systemctl get-default` prints
```
Failed to get default target: Operation not possible due to RF-kill
```
That's a bit too cryptic, so let's make it clear what's actually happening. Fixes #26589. (cherry picked from commit 7c78a19) (cherry picked from commit 144ac49) (cherry picked from commit 30eae23) (cherry picked from commit 407726d)
We checked ERRNO_IS_NOT_SUPPORTED on a possible positive non-error code, which isn't right. Fix that. Also add caching, since we are about to call this more often. (cherry picked from commit 90ec8eb) (cherry picked from commit 5ee19fd) (cherry picked from commit 8e62340) (cherry picked from commit cb4f512)
This ensures that shell string escape operations will not produce output with invalid UTF-8 from the input, by escaping invalid UTF-8 data as if it were single-byte characters. (cherry picked from commit 00f5715) (cherry picked from commit e906fd2) (cherry picked from commit e0a674f) (cherry picked from commit dfa043a)
The kernel loads the DTB from EFI before ExitBootServices(): https://github.com/torvalds/linux/blob/v6.5/drivers/firmware/efi/libstub/fdt.c#L245 DTBs can map and assign arbitrary memory ranges. The kernel refuses to load one from the dtb= kernel command line parameter when secure boot is enabled, as it's not safe. Let's do the same for type 1 entries, as they are unverified. This only affects arm64 and riscv64, firmwares do not support DTB on x86. (cherry picked from commit 4b4d612) (cherry picked from commit c1404ff) (cherry picked from commit 7844c65) (cherry picked from commit f381320) (cherry picked from commit 3c97ff5)
Something went wrong when 6aa2c55 was cherry-picked for v250-stable, causing it to fail to build when seccomp is disabled. Fix this by changing the code to how it looks in other versions of the backported commit, slightly adapted to the file's style in v250. Fixes the following build error:
```
| ../git/src/core/main.c: In function 'parse_config_file':
| ../git/src/core/main.c:721:101: error: lvalue required as unary '&' operand
|   721 |         { "Manager", "SystemCallArchitectures", config_parse_syscall_archs, 0, &DISABLED_CONFIGURATION },
|       |                                                                                 ^
```
Fixes: 8e8c7d5 ("pid1: generate compat warning for SystemCallArchitectures= if seccomp is off")
No description provided.