diff --git a/0012-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch b/0012-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch deleted file mode 100644 index 5bbf0546fcf6536589e09bbd2e1c80427037cf9b..0000000000000000000000000000000000000000 --- a/0012-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From f58c5ced373c2532b5cc44ba2e0c3a28b41472f2 Mon Sep 17 00:00:00 2001 -From: Jan Synacek -Date: Tue, 15 May 2018 09:24:20 +0200 -Subject: [PATCH] Avoid /tmp being mounted as tmpfs without the user's - will - -Ensure PrivateTmp doesn't require tmpfs through tmp.mount, but rather -adds an After relationship. - -Resolves: #1578772 ---- - src/core/unit.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/src/core/unit.c b/src/core/unit.c -index 2b86fdedfd..2c804c8486 100644 ---- a/src/core/unit.c -+++ b/src/core/unit.c -@@ -1090,13 +1090,14 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) { - } - - if (c->private_tmp) { -- const char *p; - -- FOREACH_STRING(p, "/tmp", "/var/tmp") { -- r = unit_require_mounts_for(u, p, UNIT_DEPENDENCY_FILE); -- if (r < 0) -- return r; -- } -+ r = unit_add_dependency_by_name(u, UNIT_AFTER, "tmp.mount", true, UNIT_DEPENDENCY_FILE); -+ if (r < 0) -+ return r; -+ -+ r = unit_require_mounts_for(u, "/var/tmp", UNIT_DEPENDENCY_FILE); -+ if (r < 0) -+ return r; - - r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_TMPFILES_SETUP_SERVICE, true, UNIT_DEPENDENCY_FILE); - if (r < 0) --- -2.23.0 - diff --git a/0013-sd-bus-properly-initialize-containers.patch b/0012-sd-bus-properly-initialize-containers.patch similarity index 100% rename from 0013-sd-bus-properly-initialize-containers.patch rename to 0012-sd-bus-properly-initialize-containers.patch 
diff --git a/0014-Revert-core-one-step-back-again-for-nspawn-we-actual.patch b/0013-Revert-core-one-step-back-again-for-nspawn-we-actual.patch similarity index 100% rename from 0014-Revert-core-one-step-back-again-for-nspawn-we-actual.patch rename to 0013-Revert-core-one-step-back-again-for-nspawn-we-actual.patch diff --git a/0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch b/0014-journal-don-t-enable-systemd-journald-audit.socket-b.patch similarity index 100% rename from 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch rename to 0014-journal-don-t-enable-systemd-journald-audit.socket-b.patch diff --git a/0016-systemd-change-time-log-level.patch b/0015-systemd-change-time-log-level.patch similarity index 100% rename from 0016-systemd-change-time-log-level.patch rename to 0015-systemd-change-time-log-level.patch diff --git a/0017-fix-capsh-drop-but-ping-success.patch b/0016-fix-capsh-drop-but-ping-success.patch similarity index 100% rename from 0017-fix-capsh-drop-but-ping-success.patch rename to 0016-fix-capsh-drop-but-ping-success.patch diff --git a/0018-resolved-create-etc-resolv.conf-symlink-at-runtime.patch b/0017-resolved-create-etc-resolv.conf-symlink-at-runtime.patch similarity index 88% rename from 0018-resolved-create-etc-resolv.conf-symlink-at-runtime.patch rename to 0017-resolved-create-etc-resolv.conf-symlink-at-runtime.patch index 1ab3033eb492ee4fcc4bbce4eb640f103be7a120..21ba7904cc4904cd665b22a552339607e2037f5e 100644 --- a/0018-resolved-create-etc-resolv.conf-symlink-at-runtime.patch +++ b/0017-resolved-create-etc-resolv.conf-symlink-at-runtime.patch @@ -14,7 +14,7 @@ don't touch it in that case either. https://bugzilla.redhat.com/show_bug.cgi?id=1313085 --- src/resolve/resolved.c | 5 +++++ - tmpfiles.d/etc.conf.m4 | 3 --- + tmpfiles.d/etc.conf.in | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c 
@@ -33,19 +33,19 @@ index 50989a6b0a..95a51a574a 100644 /* Drop privileges, but keep three caps. Note that we drop two of those too, later on (see below) */ r = drop_privileges(uid, gid, (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */ -diff --git a/tmpfiles.d/etc.conf.m4 b/tmpfiles.d/etc.conf.m4 +diff --git a/tmpfiles.d/etc.conf.in b/tmpfiles.d/etc.conf.in index f82e0b82ce..66a777bdb2 100644 ---- a/tmpfiles.d/etc.conf.m4 -+++ b/tmpfiles.d/etc.conf.m4 +--- a/tmpfiles.d/etc.conf.in ++++ b/tmpfiles.d/etc.conf.in @@ -12,9 +12,6 @@ L+ /etc/mtab - - - - ../proc/self/mounts - m4_ifdef(`HAVE_SMACK_RUN_LABEL', + {% if HAVE_SMACK_RUN_LABEL %} t /etc/mtab - - - - security.SMACK64=_ - )m4_dnl --m4_ifdef(`ENABLE_RESOLVE', + {% endif %} +-{% if ENABLE_RESOLVE %} -L! /etc/resolv.conf - - - - ../run/systemd/resolve/stub-resolv.conf --)m4_dnl +-{% endif %} C! /etc/nsswitch.conf - - - - - m4_ifdef(`HAVE_PAM', + {% if HAVE_PAM %} C! /etc/pam.d - - - - -- 2.23.0 diff --git a/0018-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch b/0018-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch new file mode 100644 index 0000000000000000000000000000000000000000..afca3e7794d407059309c0057f510ba90e947f78 --- /dev/null +++ b/0018-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch 
@@ -0,0 +1,53 @@
+From 07e13151c566588b5f679e2576d3dfc2125c6e7c Mon Sep 17 00:00:00 2001
+From: huangkaibin
+Date: Sun, 22 Apr 2018 18:49:19 +0800
+Subject: [PATCH] systemd-core: nop_job of a unit must also be coldpluged
+after deserization.
+
+When a unit is not in-active, and systemctl try-restart is executed for
+this unit,
+systemd will do nothing for it and just accept it as a nop_job for the
+unit.
+When then nop-job is still in the running queue, then daemon-reload is
+performed, this nop job
+will be dropped from the unit since it is not coldpluged in the
+unit_coldplug function.
+After then, the systemctl try-restart command will hang forever since no
+JOB_DONE dbus signal will be sent
+to it from systemd.
+This patch fix this problem by do coldplug for the nop_job in
+unit_coldplug function.
+---
+ src/core/unit.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/unit.c b/src/core/unit.c
+index 0a2f3c8..b9bd102 100644
+--- a/src/core/unit.c
++++ b/src/core/unit.c
+@@ -3601,11 +3601,17 @@ int unit_coldplug(Unit *u) {
+ r = q;
+ }
+
+- uj = u->job ?: u->nop_job;
+- if (uj) {
+- q = job_coldplug(uj);
+- if (q < 0 && r >= 0)
+- r = q;
++ if (u->job || u->nop_job) {
++ if (u->job) {
++ q = job_coldplug(u->job);
++ if (q < 0 && r >= 0)
++ r = q;
++ }
++ if (u->nop_job) {
++ q = job_coldplug(u->nop_job);
++ if (q < 0 && r >= 0)
++ r = q;
++ }
+ }
+
+ return r;
+--
+2.27.0
+
diff --git a/0019-core-serialize-u-pids-until-the-processes-have-been-.patch b/0019-core-serialize-u-pids-until-the-processes-have-been-.patch
deleted file mode 100644
index c71b9aecb40292d3942b9d3e726cde3238310e0a..0000000000000000000000000000000000000000
--- a/0019-core-serialize-u-pids-until-the-processes-have-been-.patch
+++ /dev/null
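Review bot: The outer `if (u->job || u->nop_job) {` guard in the new unit_coldplug() block is redundant, because each of the two inner blocks re-checks its own pointer; dropping it leaves exactly the two inner `if (u->job)` / `if (u->nop_job)` blocks, one level less indented, with identical behaviour. The removed lines were the only users of `uj` in this hunk, so if `Job *uj;` is still declared at the top of unit_coldplug() (its declaration lies outside the hunk) it becomes an unused variable and that declaration should be removed in the same patch. unit_coldplug() begins before and ends after the lines shown.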
@@ -1,99 +0,0 @@ -From 428a9f6f1d0396b9eacde2b38d667cbe3f15eb55 Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Mon, 16 Nov 2020 15:12:21 +0100 -Subject: [PATCH] core: serialize u->pids until the processes have been moved - to the scope cgroup - -Otherwise if a daemon-reload happens somewhere between the enqueue of the job -start for the scope unit and scope_start() then u->pids might be lost and none -of the processes specified by "PIDs=" will be moved into the scope cgroup. ---- - src/core/scope.c | 37 +++++++++++++++++++++++++++++++++++-- - 1 file changed, 35 insertions(+), 2 deletions(-) - -diff --git a/src/core/scope.c b/src/core/scope.c -index a4db272f93..a372f8d726 100644 ---- a/src/core/scope.c -+++ b/src/core/scope.c -@@ -8,6 +8,7 @@ - #include "dbus-unit.h" - #include "load-dropin.h" - #include "log.h" -+#include "process-util.h" - #include "scope.h" - #include "serialize.h" - #include "special.h" -@@ -235,8 +236,18 @@ static int scope_coldplug(Unit *u) { - if (r < 0) - return r; - -- if (!IN_SET(s->deserialized_state, SCOPE_DEAD, SCOPE_FAILED)) -- (void) unit_enqueue_rewatch_pids(u); -+ if (!IN_SET(s->deserialized_state, SCOPE_DEAD, SCOPE_FAILED)) { -+ if (u->pids) { -+ void *pidp; -+ -+ SET_FOREACH(pidp, u->pids) { -+ r = unit_watch_pid(u, PTR_TO_PID(pidp), false); -+ if (r < 0 && r != -EEXIST) -+ return r; -+ } -+ } else -+ (void) unit_enqueue_rewatch_pids(u); -+ } - - bus_scope_track_controller(s); - -@@ -366,6 +377,10 @@ static int scope_start(Unit *u) { - return r; - } - -+ /* Now u->pids have been moved into the scope cgroup, it's not needed -+ * anymore. 
*/ -+ u->pids = set_free(u->pids); -+ - s->result = SCOPE_SUCCESS; - - scope_set_state(s, SCOPE_RUNNING); -@@ -427,6 +442,7 @@ static int scope_get_timeout(Unit *u, usec_t *timeout) { - - static int scope_serialize(Unit *u, FILE *f, FDSet *fds) { - Scope *s = SCOPE(u); -+ void *pidp; - - assert(s); - assert(f); -@@ -438,6 +454,9 @@ static int scope_serialize(Unit *u, FILE *f, FDSet *fds) { - if (s->controller) - (void) serialize_item(f, "controller", s->controller); - -+ SET_FOREACH(pidp, u->pids) -+ serialize_item_format(f, "pids", PID_FMT, PTR_TO_PID(pidp)); -+ - return 0; - } - -@@ -473,6 +492,20 @@ static int scope_deserialize_item(Unit *u, const char *key, const char *value, F - if (r < 0) - return log_oom(); - -+ } else if (streq(key, "pids")) { -+ pid_t pid; -+ -+ if (parse_pid(value, &pid) < 0) -+ log_unit_debug(u, "Failed to parse pids value: %s", value); -+ else { -+ r = set_ensure_allocated(&u->pids, NULL); -+ if (r < 0) -+ return r; -+ -+ r = set_put(u->pids, PID_TO_PTR(pid)); -+ if (r < 0) -+ return r; -+ } - } else - log_unit_debug(u, "Unknown serialization key: %s", key); - --- -2.23.0 - diff --git a/0019-journald-enforce-longer-line-length-limit-during-set.patch b/0019-journald-enforce-longer-line-length-limit-during-set.patch deleted file mode 100644 index bb907887e243f0905148416213638891a0588f53..0000000000000000000000000000000000000000 --- a/0019-journald-enforce-longer-line-length-limit-during-set.patch +++ /dev/null 
@@ -1,108 +0,0 @@ -From 80e9720616df0eeaba75874fd86fbfbe8b7a03a7 Mon Sep 17 00:00:00 2001 -From: Yangyang Shen -Date: Wed, 24 Mar 2021 21:23:01 +0800 -Subject: [PATCH] journald: enforce longer line length limit during "setup" - phase of stream protocol - -This PR made modification on Lennart Poettering's basis. Fix the LineMax's function failure problem. - -Signed-off-by: Yangyang Shen ---- - src/journal/journald-stream.c | 35 ++++++++++++++++++++++++++++------- - 1 file changed, 28 insertions(+), 7 deletions(-) - -diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c -index 385dc4b..85723f5 100644 ---- a/src/journal/journald-stream.c -+++ b/src/journal/journald-stream.c -@@ -39,6 +39,12 @@ - - #define STDOUT_STREAMS_MAX 4096 - -+/* During the "setup" protocol phase of the stream logic let's define a different maximum line length than -+ * during the actual operational phase. We want to allow users to specify very short line lengths after all, -+ * but the unit name we embed in the setup protocol might be longer than that. 
Hence, during the setup phase -+ * let's enforce a line length matching the maximum unit name length (255) */ -+#define STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX (UNIT_NAME_MAX-1U) -+ - typedef enum StdoutStreamState { - STDOUT_STREAM_IDENTIFIER, - STDOUT_STREAM_UNIT_ID, -@@ -47,7 +53,7 @@ typedef enum StdoutStreamState { - STDOUT_STREAM_FORWARD_TO_SYSLOG, - STDOUT_STREAM_FORWARD_TO_KMSG, - STDOUT_STREAM_FORWARD_TO_CONSOLE, -- STDOUT_STREAM_RUNNING -+ STDOUT_STREAM_RUNNING, - } StdoutStreamState; - - /* The different types of log record terminators: a real \n was read, a NUL character was read, the maximum line length -@@ -468,6 +474,18 @@ static int stdout_stream_found( - return r; - } - -+static size_t stdout_stream_line_max(StdoutStream *s) { -+ assert(s); -+ -+ /* During the "setup" phase of our protocol, let's ensure we use a line length where a full unit name -+ * can fit in */ -+ if (s->state != STDOUT_STREAM_RUNNING) -+ return STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX; -+ -+ /* After the protocol's "setup" phase is complete, let's use whatever the user configured */ -+ return s->server->line_max; -+} -+ - static int stdout_stream_scan( - StdoutStream *s, - char *p, -@@ -475,19 +493,22 @@ static int stdout_stream_scan( - LineBreak force_flush, - size_t *ret_consumed) { - -- size_t consumed = 0; -+ size_t consumed = 0, line_max; - int r; - - assert(s); - assert(p); - -+ line_max = stdout_stream_line_max(s); -+ - for (;;) { - LineBreak line_break; - size_t skip, found; - char *end1, *end2; -+ size_t tmp_remaining = MIN(remaining, line_max); - -- end1 = memchr(p, '\n', remaining); -- end2 = memchr(p, 0, end1 ? (size_t) (end1 - p) : remaining); -+ end1 = memchr(p, '\n', tmp_remaining); -+ end2 = memchr(p, 0, end1 ? 
(size_t) (end1 - p) : tmp_remaining); - - if (end2) { - /* We found a NUL terminator */ -@@ -499,9 +520,9 @@ static int stdout_stream_scan( - found = end1 - p; - skip = found + 1; - line_break = LINE_BREAK_NEWLINE; -- } else if (remaining >= s->server->line_max) { -+ } else if (remaining >= line_max) { - /* Force a line break after the maximum line length */ -- found = skip = s->server->line_max; -+ found = skip = line_max; - line_break = LINE_BREAK_LINE_MAX; - } else - break; -@@ -563,7 +584,7 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents, - - /* Try to make use of the allocated buffer in full, but never read more than the configured line size. Also, - * always leave room for a terminating NUL we might need to add. */ -- limit = MIN(s->allocated - 1, s->server->line_max); -+ limit = MIN(s->allocated - 1, MAX(s->server->line_max, STDOUT_STREAM_SETUP_PROTOCOL_LINE_MAX)); - assert(s->length <= limit); - iovec = IOVEC_MAKE(s->buffer + s->length, limit - s->length); - --- -1.8.3.1 - diff --git a/0020-scope-on-unified-make-sure-to-unwatch-all-PIDs-once-.patch b/0020-scope-on-unified-make-sure-to-unwatch-all-PIDs-once-.patch deleted file mode 100644 index 405dcb96a594d138df13c0adc62bd773e1d9d01e..0000000000000000000000000000000000000000 --- a/0020-scope-on-unified-make-sure-to-unwatch-all-PIDs-once-.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From e9eec8b5d2c106c5dd51382a155e6045c7c17c1a Mon Sep 17 00:00:00 2001 -From: Franck Bui -Date: Mon, 30 Nov 2020 15:26:15 +0100 -Subject: [PATCH] scope: on unified, make sure to unwatch all PIDs once they've - been moved to the cgroup scope - -Commit 428a9f6f1d0396b9eacde2b38d667cbe3f15eb55 freed u->pids which is -problematic since the references to this unit in m->watch_pids were no more -removed when the unit was freed. - -This patch makes sure to clean all this refs up before freeing u->pids by -calling unit_unwatch_all_pids(). ---- - src/core/scope.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/src/core/scope.c b/src/core/scope.c -index 654702ca3b..a247da206f 100644 ---- a/src/core/scope.c -+++ b/src/core/scope.c -@@ -375,10 +375,6 @@ static int scope_start(Unit *u) { - return r; - } - -- /* Now u->pids have been moved into the scope cgroup, it's not needed -- * anymore. */ -- u->pids = set_free(u->pids); -- - s->result = SCOPE_SUCCESS; - - scope_set_state(s, SCOPE_RUNNING); -@@ -386,7 +382,13 @@ static int scope_start(Unit *u) { - /* Set the maximum runtime timeout. */ - scope_arm_timer(s, usec_add(UNIT(s)->active_enter_timestamp.monotonic, s->runtime_max_usec)); - -- /* Start watching the PIDs currently in the scope */ -+ /* On unified we use proper notifications hence we can unwatch the PIDs -+ * we just attached to the scope. This can also be done on legacy as -+ * we're going to update the list of the processes we watch with the -+ * PIDs currently in the scope anyway. */ -+ unit_unwatch_all_pids(u); -+ -+ /* Start watching the PIDs currently in the scope (legacy hierarchy only) */ - (void) unit_enqueue_rewatch_pids(u); - return 1; - } --- -2.23.0 - 
diff --git a/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch b/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch
new file mode 100644
index 0000000000000000000000000000000000000000..941da27c6fc9c9a97d1b1fcdde21c8d3ce6993eb
--- /dev/null
+++ b/backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch
@@ -0,0 +1,40 @@
+From 2426beacca09d84091759be45b25c88116302184 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering
+Date: Tue, 5 Oct 2021 10:32:56 +0200
+Subject: [PATCH 2/6] rm-rf: optionally fsync() after removing directory tree
+
+(cherry picked from commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2)
+---
+ src/shared/rm-rf.c | 3 +++
+ src/shared/rm-rf.h | 1 +
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c
+index dffb9cf6ee..5ef7c662dd 100644
+--- a/src/shared/rm-rf.c
++++ b/src/shared/rm-rf.c
+@@ -250,6 +250,9 @@ int rm_rf_children(
+ ret = r;
+ }
+
++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
++ ret = -errno;
++
+ return ret;
+ }
+
+diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h
+index 577a2795e0..24fd9a2aa2 100644
+--- a/src/shared/rm-rf.h
++++ b/src/shared/rm-rf.h
+@@ -14,6 +14,7 @@ typedef enum RemoveFlags {
+ REMOVE_MISSING_OK = 1 << 4, /* If the top-level directory is missing, ignore the ENOENT for it */
+ REMOVE_CHMOD = 1 << 5, /* chmod() for write access if we cannot delete or access something */
+ REMOVE_CHMOD_RESTORE = 1 << 6, /* Restore the old mode before returning */
++ REMOVE_SYNCFS = 1 << 7, /* syncfs() the root of the specified directory after removing everything in it */
+ } RemoveFlags;
+
+ int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags);
+--
+2.27.0
+
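Review bot: REMOVE_SYNCFS is never masked off for the recursive descent, so with the rm_rf_children_inner() of patch 1/6 in this same commit passing `flags | REMOVE_PHYSICAL` through unchanged, the new `syncfs(dirfd(d))` at the end of rm_rf_children() runs once for every nested directory rather than once for the root that the flag's own comment in rm-rf.h describes. Every one of those calls flushes the same file system (descent already stops at mount points), so on a large tree this is repeated work with no added durability. Unless a later patch in the series restructures the descent, the recursive call in rm_rf_children_inner() should clear the bit: `q = rm_rf_children(TAKE_FD(subdir_fd), (flags | REMOVE_PHYSICAL) & ~REMOVE_SYNCFS, root_dev);`. The rm_rf_children() body that the `ret = r;` context belongs to begins outside this hunk.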
diff --git a/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch b/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d7222c4f191ddf3d075e70254cc289d8efc33d40
--- /dev/null
+++ b/backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch
@@ -0,0 +1,321 @@ +From ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Tue, 26 Jan 2021 16:30:06 +0100 +Subject: [PATCH 1/6] rm-rf: refactor rm_rf_children(), split out body of + directory iteration loop + +This splits out rm_rf_children_inner() as body of the loop. We can use +that to implement rm_rf_child() for deleting one specific entry in a +directory. + +(cherry picked from commit 1f0fb7d544711248cba34615e43c5a76bc902d74) +--- + src/shared/rm-rf.c | 223 ++++++++++++++++++++++++++------------------- + src/shared/rm-rf.h | 3 +- + 2 files changed, 131 insertions(+), 95 deletions(-) + +diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c +index 900a7fb5ff..dffb9cf6ee 100644 +--- a/src/shared/rm-rf.c ++++ b/src/shared/rm-rf.c +@@ -19,6 +19,9 @@ + #include "stat-util.h" + #include "string-util.h" + ++/* We treat tmpfs/ramfs + cgroupfs as non-physical file sytems. cgroupfs is similar to tmpfs in a way after ++ * all: we can create arbitrary directory hierarchies in it, and hence can also use rm_rf() on it to remove ++ * those again. */ + static bool is_physical_fs(const struct statfs *sfs) { + return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs); + } +@@ -113,133 +116,145 @@ int fstatat_harder(int dfd, + return 0; + } + +-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) { +- _cleanup_closedir_ DIR *d = NULL; +- struct dirent *de; +- int ret = 0, r; +- struct statfs sfs; ++static int rm_rf_children_inner( ++ int fd, ++ const char *fname, ++ int is_dir, ++ RemoveFlags flags, ++ const struct stat *root_dev) { + +- assert(fd >= 0); ++ struct stat st; ++ int r; + +- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed +- * fd, in all cases, including on failure.. 
*/ ++ assert(fd >= 0); ++ assert(fname); + +- if (!(flags & REMOVE_PHYSICAL)) { ++ if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { + +- r = fstatfs(fd, &sfs); +- if (r < 0) { +- safe_close(fd); +- return -errno; +- } ++ r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags); ++ if (r < 0) ++ return r; + +- if (is_physical_fs(&sfs)) { +- /* We refuse to clean physical file systems with this call, +- * unless explicitly requested. This is extra paranoia just +- * to be sure we never ever remove non-state data. */ +- _cleanup_free_ char *path = NULL; ++ is_dir = S_ISDIR(st.st_mode); ++ } + +- (void) fd_get_path(fd, &path); +- log_error("Attempted to remove disk file system under \"%s\", and we can't allow that.", +- strna(path)); ++ if (is_dir) { ++ _cleanup_close_ int subdir_fd = -1; ++ int q; + +- safe_close(fd); +- return -EPERM; +- } +- } ++ /* if root_dev is set, remove subdirectories only if device is same */ ++ if (root_dev && st.st_dev != root_dev->st_dev) ++ return 0; + +- d = fdopendir(fd); +- if (!d) { +- safe_close(fd); +- return errno == ENOENT ? 
0 : -errno; +- } ++ /* Stop at mount points */ ++ r = fd_is_mount_point(fd, fname, 0); ++ if (r < 0) ++ return r; ++ if (r > 0) ++ return 0; + +- FOREACH_DIRENT_ALL(de, d, return -errno) { +- bool is_dir; +- struct stat st; ++ if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { + +- if (dot_or_dot_dot(de->d_name)) +- continue; ++ /* This could be a subvolume, try to remove it */ + +- if (de->d_type == DT_UNKNOWN || +- (de->d_type == DT_DIR && (root_dev || (flags & REMOVE_SUBVOLUME)))) { +- r = fstatat_harder(fd, de->d_name, &st, AT_SYMLINK_NOFOLLOW, flags); ++ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); + if (r < 0) { +- if (ret == 0 && r != -ENOENT) +- ret = r; +- continue; +- } ++ if (!IN_SET(r, -ENOTTY, -EINVAL)) ++ return r; + +- is_dir = S_ISDIR(st.st_mode); +- } else +- is_dir = de->d_type == DT_DIR; ++ /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */ ++ } else ++ /* It was a subvolume, done. */ ++ return 1; ++ } + +- if (is_dir) { +- _cleanup_close_ int subdir_fd = -1; ++ subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); ++ if (subdir_fd < 0) ++ return -errno; + +- /* if root_dev is set, remove subdirectories only if device is same */ +- if (root_dev && st.st_dev != root_dev->st_dev) +- continue; ++ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type ++ * again for each directory */ ++ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); + +- subdir_fd = openat(fd, de->d_name, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); +- if (subdir_fd < 0) { +- if (ret == 0 && errno != ENOENT) +- ret = -errno; +- continue; +- } ++ r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags); ++ if (r < 0) ++ return r; ++ if (q < 0) ++ return q; + +- /* Stop at mount points */ +- r = fd_is_mount_point(fd, de->d_name, 0); +- if (r < 0) { +- if (ret == 0 && r != -ENOENT) +- ret = r; ++ return 1; 
+ +- continue; +- } +- if (r > 0) +- continue; ++ } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { ++ r = unlinkat_harder(fd, fname, 0, flags); ++ if (r < 0) ++ return r; + +- if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { ++ return 1; ++ } + +- /* This could be a subvolume, try to remove it */ ++ return 0; ++} + +- r = btrfs_subvol_remove_fd(fd, de->d_name, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); +- if (r < 0) { +- if (!IN_SET(r, -ENOTTY, -EINVAL)) { +- if (ret == 0) +- ret = r; ++int rm_rf_children( ++ int fd, ++ RemoveFlags flags, ++ const struct stat *root_dev) { + +- continue; +- } ++ _cleanup_closedir_ DIR *d = NULL; ++ struct dirent *de; ++ int ret = 0, r; + +- /* ENOTTY, then it wasn't a btrfs subvolume, continue below. */ +- } else +- /* It was a subvolume, continue. */ +- continue; +- } ++ assert(fd >= 0); ++ ++ /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed ++ * fd, in all cases, including on failure. */ ++ ++ d = fdopendir(fd); ++ if (!d) { ++ safe_close(fd); ++ return -errno; ++ } + +- /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file +- * system type again for each directory */ +- r = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); +- if (r < 0 && ret == 0) +- ret = r; ++ if (!(flags & REMOVE_PHYSICAL)) { ++ struct statfs sfs; + +- r = unlinkat_harder(fd, de->d_name, AT_REMOVEDIR, flags); +- if (r < 0 && r != -ENOENT && ret == 0) +- ret = r; ++ if (fstatfs(dirfd(d), &sfs) < 0) ++ return -errno; ++ ++ if (is_physical_fs(&sfs)) { ++ /* We refuse to clean physical file systems with this call, unless explicitly ++ * requested. This is extra paranoia just to be sure we never ever remove non-state ++ * data. 
*/ + +- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { ++ _cleanup_free_ char *path = NULL; + +- r = unlinkat_harder(fd, de->d_name, 0, flags); +- if (r < 0 && r != -ENOENT && ret == 0) +- ret = r; ++ (void) fd_get_path(fd, &path); ++ return log_error_errno(SYNTHETIC_ERRNO(EPERM), ++ "Attempted to remove disk file system under \"%s\", and we can't allow that.", ++ strna(path)); + } + } ++ ++ FOREACH_DIRENT_ALL(de, d, return -errno) { ++ int is_dir; ++ ++ if (dot_or_dot_dot(de->d_name)) ++ continue; ++ ++ is_dir = ++ de->d_type == DT_UNKNOWN ? -1 : ++ de->d_type == DT_DIR; ++ ++ r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev); ++ if (r < 0 && r != -ENOENT && ret == 0) ++ ret = r; ++ } ++ + return ret; + } + + int rm_rf(const char *path, RemoveFlags flags) { + int fd, r; +- struct statfs s; + + assert(path); + +@@ -284,9 +299,10 @@ int rm_rf(const char *path, RemoveFlags flags) { + if (FLAGS_SET(flags, REMOVE_ROOT)) { + + if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { ++ struct statfs s; ++ + if (statfs(path, &s) < 0) + return -errno; +- + if (is_physical_fs(&s)) + return log_error_errno(SYNTHETIC_ERRNO(EPERM), + "Attempted to remove files from a disk file system under \"%s\", refusing.", +@@ -314,3 +330,22 @@ int rm_rf(const char *path, RemoveFlags flags) { + + return r; + } ++ ++int rm_rf_child(int fd, const char *name, RemoveFlags flags) { ++ ++ /* Removes one specific child of the specified directory */ ++ ++ if (fd < 0) ++ return -EBADF; ++ ++ if (!filename_is_valid(name)) ++ return -EINVAL; ++ ++ if ((flags & (REMOVE_ROOT|REMOVE_MISSING_OK)) != 0) /* Doesn't really make sense here, we are not supposed to remove 'fd' anyway */ ++ return -EINVAL; ++ ++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME)) ++ return -EINVAL; ++ ++ return rm_rf_children_inner(fd, name, -1, flags, NULL); ++} +diff --git a/src/shared/rm-rf.h b/src/shared/rm-rf.h +index 40f0894c96..577a2795e0 100644 +--- a/src/shared/rm-rf.h ++++ b/src/shared/rm-rf.h +@@ 
-23,7 +23,8 @@ int fstatat_harder(int dfd, + int fstatat_flags, + RemoveFlags remove_flags); + +-int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev); ++int rm_rf_children(int fd, RemoveFlags flags, const struct stat *root_dev); ++int rm_rf_child(int fd, const char *name, RemoveFlags flags); + int rm_rf(const char *path, RemoveFlags flags); + + /* Useful for usage with _cleanup_(), destroys a directory and frees the pointer */ +-- +2.27.0 + diff --git a/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch b/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch new file mode 100644 index 0000000000000000000000000000000000000000..803a0782f58aac39e23b8337d7ed215ad7f68fa6 --- /dev/null +++ b/backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch 
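Review bot: The fdopendir() failure path in the rewritten rm_rf_children() now returns `-errno` unconditionally, whereas the removed line returned `errno == ENOENT ? 0 : -errno`; the commit message calls this a pure refactor, so that behaviour change should either be mentioned in the description or kept as it was. It is most likely harmless, since as far as I know fdopendir() on an already-open descriptor does not report ENOENT and the loop in rm_rf_children() skips -ENOENT from rm_rf_children_inner() anyway, but a reader comparing the backport against the stated intent will trip over it. The new public rm_rf_child() also gets no comment in rm-rf.h; I would add above its prototype `/* Removes the single entry 'name' of directory 'fd', recursing if it is a directory; 'fd' itself stays open. Returns -EINVAL for REMOVE_ROOT, REMOVE_MISSING_OK, and the REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME combination. */`, which is exactly what the checks at the top of the function enforce.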
@@ -0,0 +1,273 @@
+From 6a28f8b55904c818b25e4db2e1511faac79fd471 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Tue, 30 Nov 2021 22:29:05 +0100
+Subject: [PATCH 6/6] shared/rm-rf: loop over nested directories instead of
+ instead of recursing
+
+To remove directory structures, we need to remove the innermost items first,
+and then recursively remove higher-level directories. We would recursively
+descend into directories and invoke rm_rf_children and rm_rm_children_inner.
+This is problematic when too many directories are nested.
+
+Instead, let's create a "TODO" queue. In the the queue, for each level we
+hold the DIR* object we were working on, and the name of the directory. This
+allows us to leave a partially-processed directory, and restart the removal
+loop one level down. When done with the inner directory, we use the name to
+unlinkat() it from the parent, and proceed with the removal of other items.
+
+Because the nesting is increased by one level, it is best to view this patch
+with -b/--ignore-space-change.
+
+This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
+The issue was reported and patches reviewed by Qualys Team.
+Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
+ +(cherry picked from commit 5b1cf7a9be37e20133c0208005274ce4a5b5c6a1) +(cherry picked from commit 911516e1614e435755814ada5fc6064fa107a105) +--- + src/shared/rm-rf.c | 161 +++++++++++++++++++++++++++++++-------------- + 1 file changed, 113 insertions(+), 48 deletions(-) + +diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c +index 1bd2431d8a..954686ffc9 100644 +--- a/src/shared/rm-rf.c ++++ b/src/shared/rm-rf.c +@@ -52,7 +52,6 @@ static int patch_dirfd_mode( + } + + int unlinkat_harder(int dfd, const char *filename, int unlink_flags, RemoveFlags remove_flags) { +- + mode_t old_mode; + int r; + +@@ -116,12 +115,13 @@ int fstatat_harder(int dfd, + return 0; + } + +-static int rm_rf_children_inner( ++static int rm_rf_inner_child( + int fd, + const char *fname, + int is_dir, + RemoveFlags flags, +- const struct stat *root_dev) { ++ const struct stat *root_dev, ++ bool allow_recursion) { + + struct stat st; + int r, q = 0; +@@ -141,9 +141,7 @@ static int rm_rf_children_inner( + } + + if (is_dir) { +- _cleanup_close_ int subdir_fd = -1; +- +- /* if root_dev is set, remove subdirectories only if device is same */ ++ /* If root_dev is set, remove subdirectories only if device is same */ + if (root_dev && st.st_dev != root_dev->st_dev) + return 0; + +@@ -155,7 +153,6 @@ static int rm_rf_children_inner( + return 0; + + if ((flags & REMOVE_SUBVOLUME) && btrfs_might_be_subvol(&st)) { +- + /* This could be a subvolume, try to remove it */ + + r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA); +@@ -169,13 +166,16 @@ static int rm_rf_children_inner( + return 1; + } + +- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); ++ if (!allow_recursion) ++ return -EISDIR; ++ ++ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); + if (subdir_fd < 0) + return -errno; + + /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type + * 
again for each directory */ +- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); ++ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev); + + } else if (flags & REMOVE_ONLY_DIRECTORIES) + return 0; +@@ -188,63 +188,128 @@ static int rm_rf_children_inner( + return 1; + } + ++typedef struct TodoEntry { ++ DIR *dir; /* A directory that we were operating on. */ ++ char *dirname; /* The filename of that directory itself. */ ++} TodoEntry; ++ ++static void free_todo_entries(TodoEntry **todos) { ++ for (TodoEntry *x = *todos; x && x->dir; x++) { ++ closedir(x->dir); ++ free(x->dirname); ++ } ++ ++ freep(todos); ++} ++ + int rm_rf_children( + int fd, + RemoveFlags flags, + const struct stat *root_dev) { + +- _cleanup_closedir_ DIR *d = NULL; +- struct dirent *de; ++ _cleanup_(free_todo_entries) TodoEntry *todos = NULL; ++ size_t n_todo = 0; ++ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */ + int ret = 0, r; + +- assert(fd >= 0); ++ /* Return the first error we run into, but nevertheless try to go on. ++ * The passed fd is closed in all cases, including on failure. */ ++ ++ for (;;) { /* This loop corresponds to the directory nesting level. */ ++ _cleanup_closedir_ DIR *d = NULL; ++ ++ if (n_todo > 0) { ++ /* We know that we are in recursion here, because n_todo is set. ++ * We need to remove the inner directory we were operating on. 
*/ ++ assert(dirname); ++ r = unlinkat_harder(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR, flags); ++ if (r < 0 && r != -ENOENT && ret == 0) ++ ret = r; ++ dirname = mfree(dirname); ++ ++ /* And now let's back out one level up */ ++ n_todo --; ++ d = TAKE_PTR(todos[n_todo].dir); ++ dirname = TAKE_PTR(todos[n_todo].dirname); ++ ++ assert(d); ++ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */ ++ assert(fd >= 0); ++ } else { ++ next_fd: ++ assert(fd >= 0); ++ d = fdopendir(fd); ++ if (!d) { ++ safe_close(fd); ++ return -errno; ++ } ++ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have ++ * the right descriptor even if it were to internally invalidate the ++ * one we passed. */ ++ ++ if (!(flags & REMOVE_PHYSICAL)) { ++ struct statfs sfs; ++ ++ if (fstatfs(fd, &sfs) < 0) ++ return -errno; ++ ++ if (is_physical_fs(&sfs)) { ++ /* We refuse to clean physical file systems with this call, unless ++ * explicitly requested. This is extra paranoia just to be sure we ++ * never ever remove non-state data. */ ++ ++ _cleanup_free_ char *path = NULL; ++ ++ (void) fd_get_path(fd, &path); ++ return log_error_errno(SYNTHETIC_ERRNO(EPERM), ++ "Attempted to remove disk file system under \"%s\", and we can't allow that.", ++ strna(path)); ++ } ++ } ++ } + +- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed +- * fd, in all cases, including on failure. */ ++ struct dirent *de; ++ FOREACH_DIRENT_ALL(de, d, return -errno) { ++ int is_dir; + +- d = fdopendir(fd); +- if (!d) { +- safe_close(fd); +- return -errno; +- } ++ if (dot_or_dot_dot(de->d_name)) ++ continue; + +- if (!(flags & REMOVE_PHYSICAL)) { +- struct statfs sfs; ++ is_dir = de->d_type == DT_UNKNOWN ? 
-1 : de->d_type == DT_DIR; + +- if (fstatfs(dirfd(d), &sfs) < 0) +- return -errno; ++ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false); ++ if (r == -EISDIR) { ++ /* Push the current working state onto the todo list */ + +- if (is_physical_fs(&sfs)) { +- /* We refuse to clean physical file systems with this call, unless explicitly +- * requested. This is extra paranoia just to be sure we never ever remove non-state +- * data. */ ++ if (!GREEDY_REALLOC0(todos, n_todo + 2)) ++ return log_oom(); + +- _cleanup_free_ char *path = NULL; ++ _cleanup_free_ char *newdirname = strdup(de->d_name); ++ if (!newdirname) ++ return log_oom(); + +- (void) fd_get_path(fd, &path); +- return log_error_errno(SYNTHETIC_ERRNO(EPERM), +- "Attempted to remove disk file system under \"%s\", and we can't allow that.", +- strna(path)); +- } +- } ++ int newfd = openat(fd, de->d_name, ++ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); ++ if (newfd >= 0) { ++ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) }; ++ fd = newfd; ++ dirname = TAKE_PTR(newdirname); + +- FOREACH_DIRENT_ALL(de, d, return -errno) { +- int is_dir; ++ goto next_fd; + +- if (dot_or_dot_dot(de->d_name)) +- continue; ++ } else if (errno != -ENOENT && ret == 0) ++ ret = -errno; + +- is_dir = +- de->d_type == DT_UNKNOWN ? 
-1 : +- de->d_type == DT_DIR; ++ } else if (r < 0 && r != -ENOENT && ret == 0) ++ ret = r; ++ } + +- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev); +- if (r < 0 && r != -ENOENT && ret == 0) +- ret = r; +- } ++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0) ++ ret = -errno; + +- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0) +- ret = -errno; ++ if (n_todo == 0) ++ break; ++ } + + return ret; + } +@@ -337,5 +402,5 @@ int rm_rf_child(int fd, const char *name, RemoveFlags flags) { + if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME)) + return -EINVAL; + +- return rm_rf_children_inner(fd, name, -1, flags, NULL); ++ return rm_rf_inner_child(fd, name, -1, flags, NULL, true); + } +-- +2.27.0 + diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch new file mode 100644 index 0000000000000000000000000000000000000000..ee920f65a2ce302eff6abf6261850d58a162f14b --- /dev/null +++ b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch 
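Review bot: In the new directory-push path of rm_rf_children(), the openat() failure branch compares a positive errno against a negative constant, `} else if (errno != -ENOENT && ret == 0)`, so the test is always true and a child that disappears between readdir() and openat() is recorded as an error instead of being tolerated the way every other `r != -ENOENT` check in this function tolerates it. It should read `} else if (errno != ENOENT && ret == 0)`. Separately, because `goto next_fd` re-enters the branch that runs fstatfs()/is_physical_fs(), the physical-filesystem refusal is now evaluated for every nested directory rather than once at the top level (the old recursion passed `flags | REMOVE_PHYSICAL` precisely to skip that); this looks intentional and is the stricter behaviour, but it is a semantic change worth a sentence in the backport description, since a disk filesystem bind-mounted inside a tmpfs tree would now abort the removal with EPERM part-way through. rm_rf_children() as rewritten is fully inside this hunk; rm_rf_inner_child() is only partially shown.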
@@ -0,0 +1,100 @@ +From 811b137d6137cc3e8932599e6ef9254ba43ff5eb Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 23 Nov 2021 16:56:42 +0100 +Subject: [PATCH 5/6] shared/rm_rf: refactor rm_rf() to shorten code a bit + +(cherry picked from commit 84ced330020c0bae57bd4628f1f44eec91304e69) +(cherry picked from commit 664529efa9431edc043126013ea54e6c399ae2d3) +--- + src/shared/rm-rf.c | 54 +++++++++++++++++++++------------------------- + 1 file changed, 24 insertions(+), 30 deletions(-) + +diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c +index 7362954116..1bd2431d8a 100644 +--- a/src/shared/rm-rf.c ++++ b/src/shared/rm-rf.c +@@ -250,7 +250,7 @@ int rm_rf_children( + } + + int rm_rf(const char *path, RemoveFlags flags) { +- int fd, r; ++ int fd, r, q = 0; + + assert(path); + +@@ -282,49 +282,43 @@ int rm_rf(const char *path, RemoveFlags flags) { + } + + fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME); +- if (fd < 0) { ++ if (fd >= 0) { ++ /* We have a dir */ ++ r = rm_rf_children(fd, flags, NULL); ++ ++ if (FLAGS_SET(flags, REMOVE_ROOT) && rmdir(path) < 0) ++ q = -errno; ++ } else { + if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) + return 0; + + if (!IN_SET(errno, ENOTDIR, ELOOP)) + return -errno; + +- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES)) ++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT)) + return 0; + +- if (FLAGS_SET(flags, REMOVE_ROOT)) { +- +- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { +- struct statfs s; +- +- if (statfs(path, &s) < 0) +- return -errno; +- if (is_physical_fs(&s)) +- return log_error_errno(SYNTHETIC_ERRNO(EPERM), +- "Attempted to remove files from a disk file system under \"%s\", refusing.", +- path); +- } +- +- if (unlink(path) < 0) { +- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT) +- return 0; ++ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) { ++ struct statfs s; + ++ if (statfs(path, &s) < 0) + return 
-errno; +- } ++ if (is_physical_fs(&s)) ++ return log_error_errno(SYNTHETIC_ERRNO(EPERM), ++ "Attempted to remove files from a disk file system under \"%s\", refusing.", ++ path); + } + +- return 0; ++ r = 0; ++ if (unlink(path) < 0) ++ q = -errno; + } + +- r = rm_rf_children(fd, flags, NULL); +- +- if (FLAGS_SET(flags, REMOVE_ROOT) && +- rmdir(path) < 0 && +- r >= 0 && +- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT)) +- r = -errno; +- +- return r; ++ if (r < 0) ++ return r; ++ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK))) ++ return q; ++ return 0; + } + + int rm_rf_child(int fd, const char *name, RemoveFlags flags) { +-- +2.27.0 + diff --git a/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch new file mode 100644 index 0000000000000000000000000000000000000000..b81bd34db13dcdc77036a2b4dc1db86665a193b8 --- /dev/null +++ b/backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch 
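Review bot: In the non-directory branch of rm_rf() (reached when open() fails with ENOTDIR or ELOOP), `statfs(path, &s)` follows symlinks, so when path is itself a symlink — the ELOOP case that O_NOFOLLOW produces — the physical-filesystem guard is evaluated on the link's target rather than on the filesystem the link actually lives in, and a dangling link makes statfs() fail with ENOENT, which is returned as an error even with REMOVE_MISSING_OK set although the link exists and unlink() would have removed it. The refactor inherits this from the old code, but since the branch is being rewritten anyway it is a good moment to inspect the object that is about to be unlinked: open it with `O_PATH|O_NOFOLLOW|O_CLOEXEC` and fstatfs() that descriptor (permitted on O_PATH descriptors since Linux 3.12), honouring REMOVE_MISSING_OK on the open. The directory/REMOVE_ROOT handling of rm_rf() begins outside this hunk.
```c
                if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
                        _cleanup_close_ int pfd = -1;
                        struct statfs s;

                        /* statfs() would follow a symlink; check the object we are about to unlink, not its target */
                        pfd = open(path, O_PATH|O_NOFOLLOW|O_CLOEXEC);
                        if (pfd < 0)
                                return FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT ? 0 : -errno;
                        if (fstatfs(pfd, &s) < 0)
                                return -errno;
                        if (is_physical_fs(&s))
                                return log_error_errno(SYNTHETIC_ERRNO(EPERM),
                                                       "Attempted to remove files from a disk file system under \"%s\", refusing.",
                                                       path);
                }
                /* … unchanged: r = 0; unlink(path) … */
```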
@@ -0,0 +1,68 @@ +From 89395b63f04f1acc0db533c32637ea20379f97c0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 23 Nov 2021 15:55:45 +0100 +Subject: [PATCH 4/6] shared/rm_rf: refactor rm_rf_children_inner() to shorten + code a bit + +(cherry picked from commit 3bac86abfa1b1720180840ffb9d06b3d54841c11) +(cherry picked from commit 47741ff9eae6311a03e4d3d837128191826a4a3a) +--- + src/shared/rm-rf.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c +index 19f37e0f19..7362954116 100644 +--- a/src/shared/rm-rf.c ++++ b/src/shared/rm-rf.c +@@ -124,7 +124,7 @@ static int rm_rf_children_inner( + const struct stat *root_dev) { + + struct stat st; +- int r; ++ int r, q = 0; + + assert(fd >= 0); + assert(fname); +@@ -142,7 +142,6 @@ static int rm_rf_children_inner( + + if (is_dir) { + _cleanup_close_ int subdir_fd = -1; +- int q; + + /* if root_dev is set, remove subdirectories only if device is same */ + if (root_dev && st.st_dev != root_dev->st_dev) +@@ -178,23 +177,15 @@ static int rm_rf_children_inner( + * again for each directory */ + q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev); + +- r = unlinkat_harder(fd, fname, AT_REMOVEDIR, flags); +- if (r < 0) +- return r; +- if (q < 0) +- return q; +- +- return 1; +- +- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) { +- r = unlinkat_harder(fd, fname, 0, flags); +- if (r < 0) +- return r; +- +- return 1; +- } ++ } else if (flags & REMOVE_ONLY_DIRECTORIES) ++ return 0; + +- return 0; ++ r = unlinkat_harder(fd, fname, is_dir ? AT_REMOVEDIR : 0, flags); ++ if (r < 0) ++ return r; ++ if (q < 0) ++ return q; ++ return 1; + } + + int rm_rf_children( +-- +2.27.0 + 
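Review bot: After merging the two unlink paths, when the directory case has already collected a failure from rm_rf_children() in `q`, the following `unlinkat_harder(fd, fname, AT_REMOVEDIR, flags)` will in practice fail with ENOTEMPTY and that `r` is returned first, so the caller sees the consequence rather than the cause (for example an EPERM on a child). Returning the earlier error when both are set, `if (r < 0) return q < 0 ? q : r;`, keeps the rmdir attempt while reporting the failure that actually matters for diagnosing a cleanup that stalled. This ordering is inherited from the old code, so it is a suggestion rather than a regression; rm_rf_children_inner() starts outside this hunk.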
diff --git a/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch b/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch new file mode 100644 index 0000000000000000000000000000000000000000..4bb3fc812791b4b4cc822e68d093bfdb59282818 --- /dev/null +++ b/backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch @@ -0,0 +1,28 @@ +From 7563de501246dccf5a9ea229933481aa1e7bd5c9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Tue, 23 Nov 2021 15:05:58 +0100 +Subject: [PATCH 3/6] tmpfiles: 'st' may have been used uninitialized + +(cherry picked from commit 160dadc0350c77d612aa9d5569f57d9bc84c3dca) +--- + src/shared/rm-rf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/shared/rm-rf.c b/src/shared/rm-rf.c +index 5ef7c662dd..19f37e0f19 100644 +--- a/src/shared/rm-rf.c ++++ b/src/shared/rm-rf.c +@@ -129,7 +129,9 @@ static int rm_rf_children_inner( + assert(fd >= 0); + assert(fname); + +- if (is_dir < 0 || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { ++ if (is_dir < 0 || ++ root_dev || ++ (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME)))) { + + r = fstatat_harder(fd, fname, &st, AT_SYMLINK_NOFOLLOW, flags); + if (r < 0) +-- +2.27.0 + diff --git a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch b/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch index 17e0d0ba9d6c8b95b375e434a9121b6bd5699ff2..8c68ab479fa238b883fa5a69f9d157c60e986a2b 100644 --- a/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch +++ b/backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch @@ -16,8 +16,8 @@ index 92815b1dbaea..1c8159a23550 100644 if (!separate_argv0) { char *w = NULL; -- if (!GREEDY_REALLOC(n, nbufsize, nlen + 2)) -+ if (!GREEDY_REALLOC0(n, nbufsize, nlen + 2)) +- if (!GREEDY_REALLOC(n, nlen + 2)) ++ if (!GREEDY_REALLOC0(n, nlen + 2)) return log_oom(); w = strdup(path); 
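Review bot: The new condition `if (is_dir < 0 || root_dev || (is_dir > 0 && (root_dev || (flags & REMOVE_SUBVOLUME))))` leaves the inner `root_dev ||` dead: once `root_dev` alone forces the fstatat_harder(), the parenthesised clause can only matter when root_dev is NULL, so it reduces to `(is_dir > 0 && (flags & REMOVE_SUBVOLUME))`. The hunk does not show where `st` is read for a non-directory entry, so from here this reads as silencing a maybe-uninitialized diagnostic; the extra clause is harmless either way, but the simplified form states the rule more plainly: `if (is_dir < 0 || root_dev || (is_dir > 0 && (flags & REMOVE_SUBVOLUME)))`. The body of rm_rf_children_inner() continues outside this hunk.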
@@ -25,8 +25,8 @@ index 92815b1dbaea..1c8159a23550 100644 p += 2; p += strspn(p, WHITESPACE); -- if (!GREEDY_REALLOC(n, nbufsize, nlen + 2)) -+ if (!GREEDY_REALLOC0(n, nbufsize, nlen + 2)) +- if (!GREEDY_REALLOC(n, nlen + 2)) ++ if (!GREEDY_REALLOC0(n, nlen + 2)) return log_oom(); w = strdup(";"); diff --git a/0020-fix-CVE-2021-33910.patch b/backport-fix-CVE-2021-33910.patch similarity index 100% rename from 0020-fix-CVE-2021-33910.patch rename to backport-fix-CVE-2021-33910.patch diff --git a/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch b/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch new file mode 100644 index 0000000000000000000000000000000000000000..6e026b31bc1a641c7fc919841af3c8f012642af4 --- /dev/null +++ b/backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch @@ -0,0 +1,26 @@ +From 193105f2d0408e2d96265935174b3cf0f100ef2e Mon Sep 17 00:00:00 2001 +From: jiangchuangang +Date: Mon, 29 Nov 2021 22:30:37 +0800 +Subject: [PATCH] fix ConditionDirectoryNotEmpty when it comes to a + Non-directory file + +--- + src/shared/condition.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/shared/condition.c b/src/shared/condition.c +index 6e769e9d59..a86f2b9ffb 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -931,7 +931,7 @@ static int condition_test_directory_not_empty(Condition *c, char **env) { + assert(c->type == CONDITION_DIRECTORY_NOT_EMPTY); + + r = dir_is_empty(c->parameter); +- return r <= 0 && r != -ENOENT; ++ return r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR); + } + + static int condition_test_file_not_empty(Condition *c, char **env) { +-- +2.27.0 + diff --git a/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch b/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch new file mode 100644 index 0000000000000000000000000000000000000000..6c8b7f28840f31f54ad4645a2bb80651f6ecc421 --- /dev/null 
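Review bot: This patch is filed under the `backport-` prefix but, unlike the CVE-2021-3997 series beside it, carries no `(cherry picked from commit …)` trailer or upstream reference, so a reviewer cannot tell whether `return r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR);` matches what upstream ships or is a local change; please add the upstream commit id to the description, or move it out of the backport range if it is local. On the logic itself, every error other than ENOENT/ENOTDIR (EACCES, ELOOP, …) still makes the condition evaluate true, i.e. a failed check is treated as "directory is not empty"; that is pre-existing behaviour, but since conditions gate unit activation it is worth stating in the description that the change only widens the set of errors that yield false. The enclosing function is fully visible in this hunk.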
+++ b/backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch @@ -0,0 +1,33 @@ +From 7c4c9948d02ceda903ed4e4deea0d0084612625a Mon Sep 17 00:00:00 2001 +From: jiangchuangang +Date: Tue, 30 Nov 2021 15:25:27 +0800 +Subject: [PATCH] fix ConditionPathIsReadWrite when path does not exist. + +--- + src/shared/condition.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/src/shared/condition.c b/src/shared/condition.c +index a86f2b9ffb..dae75a5bf5 100644 +--- a/src/shared/condition.c ++++ b/src/shared/condition.c +@@ -894,11 +894,15 @@ static int condition_test_path_is_mount_point(Condition *c, char **env) { + } + + static int condition_test_path_is_read_write(Condition *c, char **env) { ++ int r; ++ + assert(c); + assert(c->parameter); + assert(c->type == CONDITION_PATH_IS_READ_WRITE); + +- return path_is_read_only_fs(c->parameter) <= 0; ++ r = path_is_read_only_fs(c->parameter); ++ ++ return r <= 0 && r != -ENOENT; + } + + static int condition_test_cpufeature(Condition *c, char **env) { +-- +2.27.0 + diff --git a/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch b/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch new file mode 100644 index 0000000000000000000000000000000000000000..3234d285d6003099edd76292342908b72f1593b5 --- /dev/null +++ b/backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch 
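Review bot: The sibling patch in this series makes ConditionDirectoryNotEmpty= treat both ENOENT and ENOTDIR as "path not there", whereas here only ENOENT is excluded: `return r <= 0 && r != -ENOENT;`. If path_is_read_only_fs() reports ENOTDIR for a parameter whose parent component is a regular file (it is implemented outside this view, so please verify), such a path is evaluated as read-write; `return r <= 0 && !IN_SET(r, -ENOENT, -ENOTDIR);` would keep the two conditions consistent. As with the sibling, an upstream commit reference in the description would let the change be traced. The function is fully visible in this hunk.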
@@ -0,0 +1,25 @@ +From 5896a9ebdbe4d38c01390d0a5e82f9fcb4971059 Mon Sep 17 00:00:00 2001 +From: yangmingtai <961612727@qq.com> +Date: Mon, 6 Dec 2021 17:06:13 +0800 +Subject: [PATCH] fix DirectoryNotEmpty when it comes to a Non-directory file + +--- + src/core/path.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/path.c b/src/core/path.c +index 29ec66fd4d..bcd922901b 100644 +--- a/src/core/path.c ++++ b/src/core/path.c +@@ -215,7 +215,7 @@ static bool path_spec_check_good(PathSpec *s, bool initial, bool from_trigger_no + int k; + + k = dir_is_empty(s->path); +- good = !(k == -ENOENT || k > 0); ++ good = !(IN_SET(k, -ENOENT, -ENOTDIR) || k > 0); + break; + } + +-- +2.27.0 + diff --git a/systemd-248.tar.gz b/systemd-249.tar.gz similarity index 55% rename from systemd-248.tar.gz rename to systemd-249.tar.gz index 625247acb0ead0fa72859c4f76997d955919eb04..7d0d938cbff08c53ec81b1068eff3afb5d76da0d 100644 Binary files a/systemd-248.tar.gz and b/systemd-249.tar.gz differ diff --git a/systemd.spec b/systemd.spec index d2975f463ad9a7c1c2ba6ebfcc46310c730b228c..72aee7e68ef0397145c0e73bba31a47742c32825 100644 --- a/systemd.spec +++ b/systemd.spec @@ -19,8 +19,8 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd -Version: 248 -Release: 15 +Version: 249 +Release: 7 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -38,13 +38,7 @@ Source12: systemd-user Source13: rc.local Source100: udev-40-openEuler.rules -Source101: udev-55-persistent-net-generator.rules -Source102: udev-56-net-sriov-names.rules Source103: udev-61-openeuler-persistent-storage.rules -Source104: net-set-sriov-names -Source105: rule_generator.functions -Source106: write_net_rules -Source107: detect_virt Patch0001: 0001-update-rtc-with-system-clock-when-shutdown.patch Patch0002: 0002-udev-add-actions-while-rename-netif-failed.patch 
@@ -57,21 +51,28 @@ Patch0008: 0008-rules-add-the-rule-that-adds-elevator-kernel-command.patch Patch0009: 0009-units-add-Install-section-to-tmp.mount.patch Patch0010: 0010-Make-systemd-udevd.service-start-after-systemd-remou.patch Patch0011: 0011-udev-virsh-shutdown-vm.patch -Patch0012: 0012-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.patch -Patch0013: 0013-sd-bus-properly-initialize-containers.patch -Patch0014: 0014-Revert-core-one-step-back-again-for-nspawn-we-actual.patch -Patch0015: 0015-journal-don-t-enable-systemd-journald-audit.socket-b.patch -Patch0016: 0016-systemd-change-time-log-level.patch -Patch0017: 0017-fix-capsh-drop-but-ping-success.patch -Patch0018: 0018-resolved-create-etc-resolv.conf-symlink-at-runtime.patch -Patch0019: 0019-journald-enforce-longer-line-length-limit-during-set.patch -Patch0020: 0020-fix-CVE-2021-33910.patch -Patch0021: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch - -#openEuler -Patch9000: disable-systemd-timesyncd-networkd-resolved-homed-us.patch - -BuildRequires: gcc, gcc-c++, rsync +Patch0012: 0012-sd-bus-properly-initialize-containers.patch +Patch0013: 0013-Revert-core-one-step-back-again-for-nspawn-we-actual.patch +Patch0014: 0014-journal-don-t-enable-systemd-journald-audit.socket-b.patch +Patch0015: 0015-systemd-change-time-log-level.patch +Patch0016: 0016-fix-capsh-drop-but-ping-success.patch +Patch0017: 0017-resolved-create-etc-resolv.conf-symlink-at-runtime.patch +patch0018: 0018-nop_job-of-a-unit-must-also-be-coldpluged-after-deserization.patch + +#backport +Patch6000: backport-core-fix-free-undefined-pointer-when-strdup-failed-i.patch +Patch6001: backport-fix-ConditionDirectoryNotEmpty-when-it-comes-to-a-No.patch +Patch6002: backport-fix-ConditionPathIsReadWrite-when-path-does-not-exis.patch +Patch6003: backport-fix-DirectoryNotEmpty-when-it-comes-to-a-Non-directo.patch +Patch6004: backport-CVE-2021-3997-rm-rf-refactor-rm_rf_children-split-out-body-of-dire.patch +Patch6005: 
backport-CVE-2021-3997-rm-rf-optionally-fsync-after-removing-directory-tree.patch +Patch6006: backport-CVE-2021-3997-tmpfiles-st-may-have-been-used-uninitialized.patch +Patch6007: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf_children_inner-to-shorte.patch +Patch6008: backport-CVE-2021-3997-shared-rm_rf-refactor-rm_rf-to-shorten-code-a-bit.patch +Patch6009: backport-CVE-2021-3997-shared-rm-rf-loop-over-nested-directories-instead-of.patch +patch6010: backport-fix-CVE-2021-33910.patch + +BuildRequires: gcc, gcc-c++ BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel BuildRequires: audit-libs-devel, cryptsetup-devel, dbus-devel, libacl-devel BuildRequires: gobject-introspection-devel, libblkid-devel, xz-devel, xz @@ -81,6 +82,7 @@ BuildRequires: gnutls-devel, qrencode-devel, libmicrohttpd-devel, libxkbcommon- BuildRequires: iptables-devel, docbook-style-xsl, pkgconfig, libxslt, gperf BuildRequires: gawk, tree, hostname, git, meson >= 0.43, gettext, dbus >= 1.9.18 BuildRequires: python3-devel, python3-lxml, firewalld-filesystem, libseccomp-devel +BuildRequires: python3-jinja2 %if 0%{?have_gnu_efi} BuildRequires: gnu-efi gnu-efi-devel %endif @@ -114,9 +116,7 @@ Provides: systemd-sysv = 206 Conflicts: initscripts < 9.56.1 Recommends: %{name}-help -Provides: %{name}-pam Provides: %{name}-rpm-config -Obsoletes: %{name}-pam < 243 Obsoletes: %{name}-rpm-config < 243 %description 
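Review bot: Two of the new tags are spelled `patch0018:` and `patch6010:` with a lowercase p; rpmbuild accepts tags case-insensitively so this works, but it breaks the file's own convention and any tooling that greps `^Patch` to enumerate applied fixes, and the one that would be missed is a CVE fix, `backport-fix-CVE-2021-33910.patch`. Please use `Patch0018:` and `Patch6010:`. The `Patch6004`–`Patch6009` entries follow the order of the upstream 1/6–6/6 subjects shown in the new patch files, which is presumably the order they must apply in; the dropped `Patch9000` disable-*.patch appears to be superseded by the resolved/networkd/timesyncd subpackages added elsewhere in this diff, but that rationale is recorded nowhere and a one-line comment above the `#backport` group would help the next rebase.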
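Review bot: Dropping `Provides: %{name}-pam` and `Obsoletes: %{name}-pam < 243` from the main package at the same time as a separate `%package pam` is introduced later in this diff means the main package neither satisfies nor pulls in systemd-pam any more; unless the main package gains `Requires: %{name}-pam` or at least `Recommends: %{name}-pam`, an upgrade from 248 can leave pam_systemd.so uninstalled, after which logind no longer registers sessions (no user scope, no XDG_RUNTIME_DIR) and anything relying on session tracking for access decisions degrades silently. The %files list of the new subpackage is outside this view, so this is inferred from the tags alone; please confirm the upgrade path.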
@@ -205,20 +205,6 @@ Obsoletes: %{name}-journal-gateway < 227-7 Programs to forward journal entries over the network, using encrypted HTTP, and to write journal files from serialized journal contents. -%package udev-compat -Summary: Udev rules compatibility with NetworkManager -Requires: %{name} = %{version}-%{release} -License: LGPLv2+ -Requires(pre): /usr/bin/getent -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd - -%description udev-compat -systemd-udev-compat is a set of udev rules which conflict with NetworkManager. -If users choose to use the network-scripts to manager the network, the package can be used -to do somethings when down or up nics or disk. - %package oomd Summary: Systemd oomd feature Requires: %{name} = %{version}-%{release} 
@@ -231,6 +217,108 @@ Requires(postun): systemd %description oomd Systemd-oomd.service, systemd-oomd - A userspace out-of-memory (OOM) killer +%package resolved +Summary: Network Name Resolution manager +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun):systemd +Requires(postun):systemd +Requires(pre): /usr/bin/getent + +%description resolved +systemd-resolve is a system service that provides network name resolution to +local applications. It implements a caching and validating DNS/DNSSEC stub +resolver, as well as an LLMNR and MulticastDNS resolver and responder. + +%package nspawn +Summary: Spawn a command or OS in a light-weight container +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description nspawn +systemd-nspawn may be used to run a command or OS in a light-weight namespace +container. In many ways it is similar to chroot, but more powerful since it +fully virtualizes the file system hierarchy, as well as the process tree, the +various IPC subsystems and the host and domain name. + +%package networkd +Summary: System daemon that manages network configurations +Requires: %{name}%{?_isa} = %{version}-%{release} +License: LGPLv2+ +Requires(pre): /usr/bin/getent +Requires(post): systemd +Requires(preun):systemd +Requires(postun):systemd + +%description networkd +systemd-networkd is a system service that manages networks. It detects +and configures network devices as they appear, as well as creating virtual +network devices. + +%package timesyncd +Summary: Network Time Synchronization +License: LGPLv2+ +Requires: %{name}%{?_isa} = %{version}-%{release} +Requires(post): systemd +Requires(preun):systemd +Requires(postun):systemd +Requires(pre): /usr/bin/getent + +%description timesyncd +systemd-timesyncd is a system service that may be used to synchronize +the local system clock with a remote Network Time Protocol (NTP) server. 
+It also saves the local time to disk every time the clock has been +synchronized and uses this to possibly advance the system realtime clock +on subsequent reboots to ensure it (roughly) monotonically advances even +if the system lacks a battery-buffered RTC chip. + +%package pam +Summary: systemd PAM module +Requires: %{name} = %{version}-%{release} + +%description pam +Systemd PAM module registers the session with systemd-logind. + +%package portable +Summary: Systemd tools for portable services +License: LGPLv2+ +Requires: %{name} = %{version}-%{release} +%systemd_requires + +%description portable +Systemd tools to manage portable services. The feature is still +considered experimental so the package might change or vanish. +Use at own risk. + +More information can be found online: + +http://0pointer.net/blog/walkthrough-for-portable-services.html +https://systemd.io/PORTABLE_SERVICES + +%package userdbd +Summary: Systemd tools for userdbd services +License: LGPLv2+ +Requires: %{name} = %{version}-%{release} +%systemd_requires + +%description userdbd +systemd-userdbd is a system service that multiplexes user/group lookups to +all local services that provide JSON user/group record definitions to the system. +Most of systemd-userdbd's functionality is accessible through the userdbctl(1) command. + +%package pstore +Summary: Systemd tools for pstore services +License: LGPLv2+ +Requires: %{name} = %{version}-%{release} +%systemd_requires + +%description pstore +systemd-pstore.service is a system service that archives the contents +of the Linux persistent storage filesystem, pstore, to other storage, +thus preserving the existing information contained in the pstore, +and clearing pstore storage for future error events. + %package_help %prep 
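Review bot: The new `resolved`, `networkd` and `timesyncd` subpackages depend on `%{name}%{?_isa} = %{version}-%{release}`, but `pam`, `portable`, `userdbd` and `pstore` use the unqualified `%{name} = %{version}-%{release}`. For `pam` in particular the payload is an architecture-specific module loaded into privileged processes, so on a multilib host the unqualified form lets the subpackage be satisfied by the other-arch main package; please use `Requires: %{name}%{?_isa} = %{version}-%{release}` for all four so the section is consistent. Whether the main package is multilib-installable is not visible here, so the practical exposure is an inference.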
@@ -397,13 +485,7 @@ install -m 0644 %{SOURCE13} %{buildroot}%{_sysconfdir}/rc.d/rc.local ln -s rc.d/rc.local %{buildroot}%{_sysconfdir}/rc.local install -m 0644 %{SOURCE100} %{buildroot}/%{_udevrulesdir}/40-openEuler.rules -install -m 0644 %{SOURCE101} %{buildroot}/%{_udevrulesdir}/55-persistent-net-generator.rules -install -m 0644 %{SOURCE102} %{buildroot}/%{_udevrulesdir}/56-net-sriov-names.rules install -m 0644 %{SOURCE103} %{buildroot}/%{_udevrulesdir}/61-openeuler-persistent-storage.rules -install -m 0755 %{SOURCE104} %{buildroot}/usr/lib/udev -install -m 0755 %{SOURCE105} %{buildroot}/usr/lib/udev -install -m 0755 %{SOURCE106} %{buildroot}/usr/lib/udev -install -m 0755 %{SOURCE107} %{buildroot}/usr/lib/udev # remove rpath info for file in $(find %{buildroot}/ -executable -type f -exec file {} ';' | grep "\" | awk -F ':' '{print $1}') @@ -547,9 +629,11 @@ getent group systemd-journal &>/dev/null || groupadd -r -g 190 systemd-journal 2 getent group systemd-coredump &>/dev/null || groupadd -r systemd-coredump 2>&1 || : getent passwd systemd-coredump &>/dev/null || useradd -r -l -g systemd-coredump -d / -s /sbin/nologin -c "systemd Core Dumper" systemd-coredump &>/dev/null || : +%pre networkd getent group systemd-network &>/dev/null || groupadd -r -g 192 systemd-network 2>&1 || : getent passwd systemd-network &>/dev/null || useradd -r -u 192 -l -g systemd-network -d / -s /sbin/nologin -c "systemd Network Management" systemd-network &>/dev/null || : +%pre resolved getent group systemd-resolve &>/dev/null || groupadd -r -g 193 systemd-resolve 2>&1 || : getent passwd systemd-resolve &>/dev/null || useradd -r -u 193 -l -g systemd-resolve -d / -s /sbin/nologin -c "systemd Resolver" systemd-resolve &>/dev/null || : 
@@ -642,20 +726,32 @@ if [ $1 -eq 0 ] ; then serial-getty@.service \ console-getty.service \ debug-shell.service \ + >/dev/null || : +fi + + +%preun resolved +if [ $1 -eq 0 ] ; then + systemctl disable --quiet \ + systemd-resolved.service \ + >/dev/null || : +fi + +%preun networkd +if [ $1 -eq 0 ] ; then + systemctl disable --quiet \ systemd-networkd.service \ systemd-networkd-wait-online.service \ - systemd-resolved.service \ >/dev/null || : fi -%pre udev +%pre timesyncd getent group systemd-timesync &>/dev/null || groupadd -r systemd-timesync 2>&1 || : getent passwd systemd-timesync &>/dev/null || useradd -r -l -g systemd-timesync -d / -s /sbin/nologin -c "systemd Time Synchronization" systemd-timesync &>/dev/null || : -%post udev +%post timesyncd # Move old stuff around in /var/lib mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null -mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null if [ -L %{_localstatedir}/lib/systemd/timesync ]; then rm %{_localstatedir}/lib/systemd/timesync mv %{_localstatedir}/lib/private/systemd/timesync %{_localstatedir}/lib/systemd/timesync @@ -664,6 +760,12 @@ if [ -f %{_localstatedir}/lib/systemd/clock ] ; then mkdir -p %{_localstatedir}/lib/systemd/timesync mv %{_localstatedir}/lib/systemd/clock %{_localstatedir}/lib/systemd/timesync/. fi +# devided from post and preun stage of udev that included in macro udev_services +%systemd_post systemd-timesyncd.service + +%post udev +# Move old stuff around in /var/lib +mv %{_localstatedir}/lib/backlight %{_localstatedir}/lib/systemd/backlight &>/dev/null udevadm hwdb --update &>/dev/null %systemd_post %udev_services @@ -679,6 +781,9 @@ if [ -f "/usr/lib/udev/rules.d/50-udev-default.rules" ]; then fi %{_bindir}/systemctl daemon-reload &>/dev/null || : +%preun timesyncd +%systemd_preun systemd-timesyncd.service + %preun udev %systemd_preun %udev_services 
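Review bot: The `# Move old stuff around in /var/lib` block that relocates `%{_localstatedir}/lib/random-seed` to `%{_localstatedir}/lib/systemd/random-seed` now sits under `%post timesyncd` (the section was renamed from `%post udev`), while the `backlight` move was explicitly carried back into the new `%post udev` in the next hunk. The random seed is consumed by the base package's systemd-random-seed.service, not by timesyncd, so on a host that does not install the optional timesyncd subpackage a seed left at the old path would never be migrated; only the timesync/clock moves are timesyncd-specific. The practical impact is limited to installs that still have the pre-migration layout, but the placement is wrong, so suggest moving `mv %{_localstatedir}/lib/random-seed %{_localstatedir}/lib/systemd/random-seed &>/dev/null` back beside the backlight line in `%post udev` (or into the main package's %post).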
@@ -715,6 +820,15 @@ fi
 %systemd_postun_with_restart systemd-journal-upload.service
 %firewalld_reload
+%preun portable
+%systemd_preun systemd-portabled.service
+
+%preun userdbd
+%systemd_preun systemd-userdbd.service systemd-userdbd.socket
+
+%preun pstore
+%systemd_preun systemd-pstore.service
+
 %files -f %{name}.lang
 %doc %{_pkgdocdir}
 %exclude %{_pkgdocdir}/LICENSE.*
@@ -753,7 +867,6 @@ fi
 /usr/sbin/reboot
 /usr/sbin/halt
 /usr/sbin/telinit
-/usr/sbin/resolvconf
 /usr/sbin/init
 /usr/sbin/runlevel
 /usr/sbin/poweroff
@@ -773,12 +886,9 @@ fi
 /usr/share/bash-completion/completions/portablectl
 /usr/share/bash-completion/completions/systemd-run
 /usr/share/bash-completion/completions/systemd-cat
-/usr/share/bash-completion/completions/resolvectl
 /usr/share/bash-completion/completions/coredumpctl
 /usr/share/bash-completion/completions/systemd-delta
 /usr/share/bash-completion/completions/systemd-cgls
-/usr/share/bash-completion/completions/systemd-resolve
-/usr/share/bash-completion/completions/networkctl
 /usr/share/bash-completion/completions/systemd-detect-virt
 /usr/share/bash-completion/completions/hostnamectl
 /usr/share/bash-completion/completions/systemd-cgtop
@@ -793,14 +903,12 @@ fi
 /usr/share/zsh/site-functions/_journalctl
 /usr/share/zsh/site-functions/_systemd-delta
 /usr/share/zsh/site-functions/_systemd-tmpfiles
-/usr/share/zsh/site-functions/_resolvectl
 /usr/share/zsh/site-functions/_systemctl
 /usr/share/zsh/site-functions/_systemd-run
 /usr/share/zsh/site-functions/_sd_outputmodes
 /usr/share/zsh/site-functions/_sd_unit_files
 /usr/share/zsh/site-functions/_sd_machines
 /usr/share/zsh/site-functions/_coredumpctl
-/usr/share/zsh/site-functions/_networkctl
 /usr/share/zsh/site-functions/_timedatectl
 /usr/share/zsh/site-functions/_busctl
 /usr/share/zsh/site-functions/_systemd
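Review bot: The new `%preun portable`, `%preun userdbd` and `%preun pstore` in the first hunk of this line have no visible `%post` counterpart (`%systemd_post systemd-portabled.service`, `%systemd_post systemd-userdbd.service systemd-userdbd.socket`, `%systemd_post systemd-pstore.service`), and the same holds for the resolved and networkd subpackages added in the earlier hunks, whereas timesyncd does get `%systemd_post systemd-timesyncd.service`. Unless those scriptlets exist outside this view, the units of the new subpackages are never enabled according to the distribution presets on install, which matters most for systemd-pstore.service and the userdbd socket. None of the new subpackages has a `%postun` with `%systemd_postun_with_restart` either, so if the spec's convention is to restart daemons on upgrade, the old binaries keep running after an update.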
@@ -811,33 +919,25 @@ fi
 /usr/share/dbus-1/system-services/org.freedesktop.portable1.service
 /usr/share/dbus-1/system-services/org.freedesktop.login1.service
 /usr/share/dbus-1/system-services/org.freedesktop.locale1.service
-/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
 /usr/share/dbus-1/system-services/org.freedesktop.hostname1.service
-/usr/share/dbus-1/system-services/org.freedesktop.network1.service
 /usr/share/dbus-1/system-services/org.freedesktop.timedate1.service
-/usr/share/dbus-1/system.d/org.freedesktop.resolve1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.timedate1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.hostname1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.login1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.systemd1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.locale1.conf
 /usr/share/dbus-1/system.d/org.freedesktop.portable1.conf
-/usr/share/dbus-1/system.d/org.freedesktop.network1.conf
 /usr/share/pkgconfig/systemd.pc
 /usr/share/pkgconfig/udev.pc
 /usr/share/polkit-1/actions/org.freedesktop.hostname1.policy
 /usr/share/polkit-1/actions/org.freedesktop.portable1.policy
 /usr/share/polkit-1/actions/org.freedesktop.timedate1.policy
-/usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
 /usr/share/polkit-1/actions/org.freedesktop.systemd1.policy
 /usr/share/polkit-1/actions/org.freedesktop.login1.policy
-/usr/share/polkit-1/actions/org.freedesktop.network1.policy
 /usr/share/polkit-1/actions/org.freedesktop.locale1.policy
-/usr/share/polkit-1/rules.d/systemd-networkd.rules
 /usr/bin/systemd-machine-id-setup
 /usr/bin/localectl
 /usr/bin/systemd-path
-/usr/bin/portablectl
 /usr/bin/systemd-run
 /usr/bin/systemd-firstboot
 /usr/bin/systemd-escape
@@ -845,13 +945,9 @@ fi
 /usr/bin/systemd-cat
 /usr/bin/systemd-inhibit
 /usr/bin/systemd-ask-password
-/usr/bin/resolvectl
 /usr/bin/systemd-notify
-/usr/bin/coredumpctl
 /usr/bin/systemd-delta
 /usr/bin/systemd-cgls
-/usr/bin/systemd-resolve
-/usr/bin/networkctl
 /usr/bin/systemd-stdio-bridge
 /usr/bin/systemd-detect-virt
 /usr/bin/systemd-socket-activate
@@ -869,7 +965,7 @@ fi
 /usr/bin/systemd-sysusers
 /usr/bin/systemd-tty-ask-password-agent
 /usr/bin/busctl
-/usr/bin/userdbctl
+/usr/bin/coredumpctl
 %dir /usr/lib/environment.d
 %dir /usr/lib/binfmt.d
 %dir /usr/lib/tmpfiles.d
@@ -880,6 +976,7 @@ fi
 /usr/lib/sysusers.d/systemd.conf
 /usr/lib/sysusers.d/basic.conf
 /usr/lib/systemd/system/hwclock-save.service
+/usr/lib/systemd/system/initrd-usr-fs.target
 /usr/lib/systemd/system/sysinit.target.wants/hwclock-save.service
 %{_systemddir}/systemd-update-done
 %{_systemddir}/systemd-update-utmp
@@ -891,10 +988,8 @@ fi
 %{_systemddir}/systemd-cgroups-agent
 %{_systemddir}/systemd-sulogin-shell
 %{_systemddir}/systemd-boot-check-no-failures
-%dir %{_systemddir}/ntp-units.d
 %{_systemddir}/systemd-user-sessions
 %{_systemddir}/systemd-sysctl
-%{_systemddir}/systemd-networkd-wait-online
 %{_systemddir}/systemd-socket-proxyd
 %{_systemddir}/systemd-ac-power
 %{_systemddir}/systemd-hostnamed
@@ -905,11 +1000,9 @@ fi
 %{_systemddir}/systemd-journald
 %{_systemddir}/systemd-user-runtime-dir
 %{_systemddir}/systemd-logind
-%{_systemddir}/systemd-networkd
 %dir %{_systemddir}/system-preset
 %dir %{_systemddir}/user-environment-generators
 %{_systemddir}/systemd-shutdown
-%{_systemddir}/systemd-portabled
 %{_systemddir}/libsystemd-shared*.so
 %{_systemddir}/systemd-reply-password
 %dir %{_systemddir}/system-generators
@@ -918,35 +1011,21 @@ fi
 %{_systemddir}/systemd-fsck
 %{_systemddir}/systemd-timedated
 %dir %{_systemddir}/user-generators
-%dir %{_systemddir}/portable
 %{_systemddir}/systemd
 %dir %{_systemddir}/user-preset
 %{_systemddir}/systemd-coredump
-%{_systemddir}/resolv.conf
 %{_systemddir}/systemd-veritysetup
 %{_systemddir}/systemd-network-generator
-%{_systemddir}/systemd-time-wait-sync
-%{_systemddir}/systemd-pstore
-%{_systemddir}/systemd-resolved
 %{_systemddir}/systemd-binfmt
 %{_systemddir}/user-preset/90-systemd.preset
-%dir %{_systemddir}/portable/profile
-%dir %{_systemddir}/portable/profile/strict
-%dir %{_systemddir}/portable/profile/nonetwork
-%dir %{_systemddir}/portable/profile/trusted
-%dir %{_systemddir}/portable/profile/default
-%{_systemddir}/portable/profile/default/service.conf
-%{_systemddir}/portable/profile/trusted/service.conf
-%{_systemddir}/portable/profile/nonetwork/service.conf
-%{_systemddir}/portable/profile/strict/service.conf
 %{_unitdir}/systemd-networkd.socket
 %{_unitdir}/systemd-binfmt.service
 %{_unitdir}/systemd-machine-id-commit.service
 %dir %{_unitdir}/basic.target.wants
 %{_unitdir}/systemd-coredump.socket
+%{_unitdir}/systemd-coredump@.service
 %{_unitdir}/ctrl-alt-del.target
 %{_unitdir}/systemd-tmpfiles-setup.service
-%{_unitdir}/systemd-time-wait-sync.service
 %{_unitdir}/rpcbind.target
 %{_unitdir}/systemd-update-done.service
 %{_unitdir}/dev-hugepages.mount
@@ -960,7 +1039,6 @@ fi
 %{_unitdir}/syslog.socket
 %{_unitdir}/systemd-localed.service
 %{_unitdir}/systemd-ask-password-console.service
-%{_unitdir}/systemd-pstore.service
 %{_unitdir}/exit.target
 %{_unitdir}/systemd-ask-password-console.path
 %{_unitdir}/systemd-logind.service
@@ -1010,7 +1088,6 @@ fi
 %{_unitdir}/systemd-update-utmp.service
 %dir %{_unitdir}/rescue.target.wants
 %{_unitdir}/bluetooth.target
-%{_unitdir}/systemd-networkd-wait-online.service
 %{_unitdir}/systemd-ask-password-wall.path
 %{_unitdir}/emergency.service
 %{_unitdir}/network-pre.target
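Review bot: `%{_unitdir}/systemd-networkd.socket` is kept as a context line in the main `%files` list in the first hunk of this line, but the same path is also added to `%files networkd` in the large `%files resolved`/`%files networkd` hunk near the end of the diff, so it is packaged twice across two subpackages. rpm tolerates byte-identical files shared between packages, but the socket unit belongs with `systemd-networkd.service` in the networkd subpackage and should be dropped from the main list with `-%{_unitdir}/systemd-networkd.socket`. The main package also keeps `%{_systemddir}/systemd-network-generator` and its unit; that is probably intended since the generator does not depend on networkd, but it is worth confirming.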
@@ -1030,7 +1107,6 @@ fi
 %{_unitdir}/systemd-update-utmp-runlevel.service
 %{_unitdir}/network-online.target
 %{_unitdir}/systemd-initctl.socket
-%{_unitdir}/systemd-coredump@.service
 %{_unitdir}/time-sync.target
 %{_unitdir}/runlevel5.target
 %{_unitdir}/paths.target
@@ -1053,23 +1129,19 @@ fi
 %{_unitdir}/runlevel4.target
 %{_unitdir}/serial-getty@.service
 %{_unitdir}/sysinit.target
-%{_unitdir}/dbus-org.freedesktop.portable1.service
 %{_unitdir}/rc-local.service
 %{_unitdir}/debug-shell.service
 %{_unitdir}/dev-mqueue.mount
 %{_unitdir}/emergency.target
-%{_unitdir}/systemd-portabled.service
 %{_unitdir}/dbus-org.freedesktop.timedate1.service
 %{_unitdir}/runlevel1.target
 %dir %{_unitdir}/remote-fs.target.wants
 %{_unitdir}/dbus-org.freedesktop.hostname1.service
-%{_unitdir}/systemd-networkd.service
 %{_unitdir}/runlevel0.target
 %{_unitdir}/user.slice
 %{_unitdir}/systemd-journal-catalog-update.service
 %{_unitdir}/local-fs-pre.target
 %{_unitdir}/systemd-halt.service
-%{_unitdir}/systemd-resolved.service
 %{_unitdir}/container-getty@.service
 %{_unitdir}/slices.target
 %{_unitdir}/systemd-network-generator.service
@@ -1135,8 +1207,6 @@ fi
 %{_unitdir}/systemd-journald-varlink@.socket
 %{_unitdir}/systemd-journald@.service
 %{_unitdir}/systemd-journald@.socket
-%{_unitdir}/systemd-userdbd.service
-%{_unitdir}/systemd-userdbd.socket
 %{_unitdir}/usb-gadget.target
 %{_unitdir}/modprobe@.service
 %{_systemddir}/system-generators/systemd-fstab-generator
@@ -1167,9 +1237,6 @@ fi
 %{_userunitdir}/systemd-tmpfiles-clean.timer
 %{_userunitdir}/sockets.target
 %{_userunitdir}/smartcard.target
-%{_systemddir}/systemd-userdbd
-%{_systemddir}/systemd-userwork
-%{_systemddir}/network/80-container-host0.network
 %{_systemddir}/network/80-wifi-adhoc.network
 %{_systemddir}/network/80-wifi-ap.network.example
 %{_systemddir}/network/80-wifi-station.network.example
@@ -1188,14 +1255,13 @@ fi
 %{_systemddir}/systemd-xdg-autostart-condition
 %{_systemddir}/user-generators/systemd-xdg-autostart-generator
 %{_systemddir}/user/xdg-desktop-autostart.target
-/usr/lib/sysctl.d/50-coredump.conf
 /usr/lib/sysctl.d/50-default.conf
 /usr/lib/sysctl.d/50-pid-max.conf
+/usr/lib/sysctl.d/50-coredump.conf
 /usr/lib/tmpfiles.d/systemd-tmp.conf
 /usr/lib/tmpfiles.d/systemd-nologin.conf
 /usr/lib/tmpfiles.d/systemd.conf
 /usr/lib/tmpfiles.d/journal-nocow.conf
-/usr/lib/tmpfiles.d/portables.conf
 /usr/lib/tmpfiles.d/x11.conf
 /usr/lib/tmpfiles.d/tmp.conf
 /usr/lib/tmpfiles.d/home.conf
@@ -1203,7 +1269,6 @@ fi
 /usr/lib/tmpfiles.d/legacy.conf
 /usr/lib/tmpfiles.d/static-nodes-permissions.conf
 /usr/lib/tmpfiles.d/var.conf
-/usr/lib/tmpfiles.d/systemd-pstore.conf
 /usr/lib/environment.d/99-environment.conf
 %ghost %config(noreplace) /etc/localtime
 %dir /etc/rc.d
@@ -1218,15 +1283,11 @@ fi
 %ghost %config(noreplace) /etc/machine-info
 %ghost %config(noreplace) /etc/machine-id
 %ghost %config(noreplace) /etc/hostname
-%dir /etc/systemd/network
 %config(noreplace) /etc/systemd/user.conf
-%config(noreplace) /etc/systemd/coredump.conf
 %dir /etc/systemd/user
 %config(noreplace) /etc/systemd/logind.conf
-%config(noreplace) /etc/systemd/networkd.conf
-%config(noreplace) /etc/systemd/resolved.conf
 %config(noreplace) /etc/systemd/journald.conf
-%config(noreplace) /etc/systemd/pstore.conf
+%config(noreplace) /etc/systemd/coredump.conf
 %dir /etc/systemd/system
 %config(noreplace) /etc/systemd/system.conf
 %ghost %config(noreplace) /etc/X11/xorg.conf.d/00-keyboard.conf
@@ -1242,7 +1303,6 @@ fi
 %config(noreplace) /etc/xdg/systemd/user
 %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
-%{_libdir}/security/pam_systemd.so
 /usr/lib/rpm/macros.d/macros.systemd
 /usr/bin/systemd-cryptenroll
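Review bot: `%{_libdir}/security/pam_systemd.so` is dropped from the main package in the last hunk of this line and reappears only in the new `%files pam` subpackage, yet no `Requires: %{name}-pam` for the main package is visible anywhere in the diff. Unless it is declared in the preamble outside this view, an upgrade removes the module from hosts that install only the main package, and every PAM stack that references `pam_systemd.so` then fails to load it, so logind presumably stops registering sessions (no session scope, no runtime directory) for those logins. Either add the dependency to the main package, `Requires: %{name}-pam = %{version}-%{release}`, or keep the module in the main file list.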
@@ -1266,6 +1326,9 @@ fi
 /usr/lib/udev/hwdb.d/20-dmi-id.hwdb
 /usr/lib/udev/hwdb.d/60-autosuspend-fingerprint-reader.hwdb
 /usr/lib/udev/hwdb.d/README
+/usr/lib/udev/hwdb.d/60-seat.hwdb
+/usr/lib/udev/hwdb.d/80-ieee1394-unit-function.hwdb
+/usr/lib/udev/rules.d/81-net-dhcp.rules
 /usr/lib/udev/rules.d/70-memory.rules
 /usr/lib/udev/rules.d/README
 /usr/share/bash-completion/completions/systemd-id128
@@ -1273,7 +1336,6 @@ fi
 %files libs
 %{_libdir}/libnss_systemd.so.2
-%{_libdir}/libnss_resolve.so.2
 %{_libdir}/libnss_myhostname.so.2
 %{_libdir}/libsystemd.so.*
 %{_libdir}/libudev.so.*
@@ -1302,10 +1364,8 @@ fi
 %files udev
 %ghost %dir /var/lib/systemd/backlight
-%ghost %dir /var/lib/systemd/timesync
 %ghost %dir /var/lib/systemd/rfkill
 %ghost /var/lib/systemd/random-seed
-%ghost /var/lib/systemd/timesync/clock
 /usr/sbin/udevadm
 /usr/share/bash-completion/completions/udevadm
 /usr/share/bash-completion/completions/bootctl
@@ -1313,8 +1373,6 @@ fi
 /usr/share/zsh/site-functions/_bootctl
 /usr/share/zsh/site-functions/_udevadm
 /usr/share/zsh/site-functions/_kernel-install
-/usr/share/dbus-1/system-services/org.freedesktop.timesync1.service
-/usr/share/dbus-1/system.d/org.freedesktop.timesync1.conf
 /usr/bin/systemd-hwdb
 /usr/bin/udevadm
 /usr/bin/bootctl
@@ -1323,7 +1381,6 @@ fi
 %dir /usr/lib/udev
 %dir /usr/lib/kernel
 %dir /usr/lib/modules-load.d
-%{_systemddir}/systemd-timesyncd
 %{_systemddir}/systemd-growfs
 %{_systemddir}/systemd-modules-load
 %dir %{_systemddir}/system-sleep
@@ -1351,7 +1408,6 @@ fi
 %dir %{_unitdir}/systemd-udev-trigger.service.d
 %{_unitdir}/systemd-random-seed.service
 %{_unitdir}/systemd-quotacheck.service
-%{_unitdir}/systemd-timesyncd.service
 %{_unitdir}/systemd-udevd-control.socket
 %{_unitdir}/hibernate.target
 %{_unitdir}/systemd-remount-fs.service
@@ -1385,12 +1441,12 @@ fi
 %{_systemddir}/system-generators/systemd-cryptsetup-generator
 %{_systemddir}/system-generators/systemd-hibernate-resume-generator
 %{_systemddir}/system-generators/systemd-gpt-auto-generator
-%{_systemddir}/ntp-units.d/80-systemd-timesync.list
 %if 0%{?have_gnu_efi}
 %dir %{_systemddir}/boot
 %dir %{_systemddir}/boot/efi
 %{_systemddir}/boot/efi/systemd-boot%{efi_arch}.efi
 %{_systemddir}/boot/efi/linux%{efi_arch}.efi.stub
+%{_systemddir}/boot/efi/linux%{efi_arch}.elf.stub
 %endif
 %{_systemddir}/network/99-default.link
 %dir /usr/lib/kernel/install.d
@@ -1429,6 +1485,7 @@ fi
 %{_udevhwdbdir}/60-autosuspend.hwdb
 %{_udevrulesdir}/60-autosuspend.rules
 %{_udevrulesdir}/40-openEuler.rules
+%{_udevrulesdir}/61-openeuler-persistent-storage.rules
 %{_udevrulesdir}/40-elevator.rules
 %{_udevrulesdir}/73-idrac.rules
 %{_udevrulesdir}/60-block.rules
@@ -1465,7 +1522,6 @@ fi
 %dir /etc/udev
 %dir /etc/kernel
 %dir /etc/modules-load.d
-%config(noreplace) /etc/systemd/timesyncd.conf
 %config(noreplace) /etc/systemd/sleep.conf
 %dir /etc/kernel/install.d
 %ghost /etc/udev/hwdb.bin
@@ -1475,9 +1531,7 @@ fi
 %files container
 /usr/share/bash-completion/completions/machinectl
-/usr/share/bash-completion/completions/systemd-nspawn
 /usr/share/zsh/site-functions/_machinectl
-/usr/share/zsh/site-functions/_systemd-nspawn
 /usr/share/dbus-1/system-services/org.freedesktop.import1.service
 /usr/share/dbus-1/system-services/org.freedesktop.machine1.service
 /usr/share/dbus-1/services/org.freedesktop.systemd1.service
@@ -1488,7 +1542,6 @@ fi
 /usr/share/polkit-1/actions/org.freedesktop.machine1.policy
 %{_libdir}/libnss_mymachines.so.2
 /usr/bin/machinectl
-/usr/bin/systemd-nspawn
 %{_systemddir}/systemd-import
 %{_systemddir}/systemd-machined
 %{_systemddir}/systemd-importd
@@ -1503,13 +1556,9 @@ fi
 %{_unitdir}/machine.slice
 %{_unitdir}/machines.target
 %dir %{_unitdir}/machines.target.wants
-%{_unitdir}/systemd-nspawn@.service
 %{_unitdir}/machines.target.wants/var-lib-machines.mount
 %{_unitdir}/remote-fs.target.wants/var-lib-machines.mount
-%{_systemddir}/network/80-container-vz.network
-%{_systemddir}/network/80-container-ve.network
 %{_systemddir}/network/80-vm-vt.network
-/usr/lib/tmpfiles.d/systemd-nspawn.conf
 %files journal-remote
 %ghost %dir /var/log/journal/remote
@@ -1532,19 +1581,11 @@ fi
 %config(noreplace) /etc/systemd/journal-remote.conf
 %config(noreplace) /etc/systemd/journal-upload.conf
-%files udev-compat
-%{_udevrulesdir}/55-persistent-net-generator.rules
-%{_udevrulesdir}/56-net-sriov-names.rules
-%{_udevrulesdir}/61-openeuler-persistent-storage.rules
-/usr/lib/udev/rule_generator.functions
-/usr/lib/udev/write_net_rules
-/usr/lib/udev/net-set-sriov-names
-/usr/lib/udev/detect_virt
-
 %files oomd
 /etc/systemd/oomd.conf
 /usr/bin/oomctl
 /usr/lib/systemd/system/systemd-oomd.service
+/usr/lib/systemd/system/dbus-org.freedesktop.oom1.service
 /usr/lib/systemd/systemd-oomd
 /usr/share/dbus-1/system-services/org.freedesktop.oom1.service
 /usr/share/dbus-1/system.d/org.freedesktop.oom1.conf
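Review bot: The `%files udev-compat` subpackage is removed wholesale in the second hunk of this line, but no `Obsoletes: %{name}-udev-compat < <first-release-without-udev-compat>` is visible for the package that inherits its contents (`61-openeuler-persistent-storage.rules` moves to `%files udev` in an earlier hunk). Unless the preamble outside this view declares it, an upgraded host keeps the old udev-compat package installed, so `55-persistent-net-generator.rules` and `write_net_rules` stay active and keep generating interface-rename rules that the changelog entry "disable rename function of net interface" appears to retire, and the two packages would conflict on the shared rules file. Adding the `Obsoletes:` (and a matching `Provides:` if the name must stay resolvable) to the udev subpackage closes that upgrade path.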
@@ -1553,7 +1594,110 @@ fi
 /usr/share/man/*/*
 %exclude /usr/share/man/man3/*
+%files resolved
+/usr/sbin/resolvconf
+/usr/bin/resolvectl
+/usr/share/bash-completion/completions/resolvectl
+/usr/share/zsh/site-functions/_resolvectl
+/usr/share/bash-completion/completions/systemd-resolve
+/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
+/usr/share/dbus-1/system.d/org.freedesktop.resolve1.conf
+/usr/share/polkit-1/actions/org.freedesktop.resolve1.policy
+/usr/bin/systemd-resolve
+%{_systemddir}/resolv.conf
+%{_systemddir}/systemd-resolved
+%config(noreplace) /etc/systemd/resolved.conf
+%{_libdir}/libnss_resolve.so.2
+%{_unitdir}/systemd-resolved.service
+
+%files nspawn
+/usr/share/bash-completion/completions/systemd-nspawn
+/usr/share/zsh/site-functions/_systemd-nspawn
+/usr/bin/systemd-nspawn
+%{_unitdir}/systemd-nspawn@.service
+/usr/lib/tmpfiles.d/systemd-nspawn.conf
+
+%files networkd
+/usr/share/bash-completion/completions/networkctl
+/usr/share/zsh/site-functions/_networkctl
+/usr/share/dbus-1/system-services/org.freedesktop.network1.service
+/usr/share/dbus-1/system.d/org.freedesktop.network1.conf
+/usr/share/polkit-1/actions/org.freedesktop.network1.policy
+/usr/share/polkit-1/rules.d/systemd-networkd.rules
+/usr/bin/networkctl
+%{_systemddir}/systemd-networkd-wait-online
+%{_systemddir}/systemd-networkd
+%{_unitdir}/systemd-networkd.socket
+%{_unitdir}/systemd-networkd-wait-online.service
+%{_unitdir}/systemd-networkd.service
+%{_systemddir}/network/80-container-host0.network
+%dir /etc/systemd/network
+%config(noreplace) /etc/systemd/networkd.conf
+%{_systemddir}/network/80-container-vz.network
+%{_systemddir}/network/80-container-ve.network
+
+%files timesyncd
+%dir %{_systemddir}/ntp-units.d
+%{_systemddir}/systemd-time-wait-sync
+%{_unitdir}/systemd-time-wait-sync.service
+%ghost %dir /var/lib/systemd/timesync
+%ghost /var/lib/systemd/timesync/clock
+/usr/share/dbus-1/system-services/org.freedesktop.timesync1.service
+/usr/share/dbus-1/system.d/org.freedesktop.timesync1.conf
+%{_systemddir}/systemd-timesyncd
+%{_unitdir}/systemd-timesyncd.service
+%{_systemddir}/ntp-units.d/80-systemd-timesync.list
+%config(noreplace) /etc/systemd/timesyncd.conf
+
+%files pam
+%{_libdir}/security/pam_systemd.so
+
+%files portable
+%defattr(-,root,root)
+%{_bindir}/portablectl
+%{_prefix}/lib/systemd/systemd-portabled
+%{_prefix}/lib/systemd/portable
+%{_unitdir}/systemd-portabled.service
+%{_unitdir}/dbus-org.freedesktop.portable1.service
+%{_tmpfilesdir}/portables.conf
+
+%files pstore
+%defattr(-,root,root)
+%config(noreplace) %{_sysconfdir}/systemd/pstore.conf
+%{_prefix}/lib/systemd/systemd-pstore
+%{_unitdir}/systemd-pstore.service
+%{_tmpfilesdir}/systemd-pstore.conf
+
+%files userdbd
+%defattr(-,root,root)
+%{_bindir}/userdbctl
+%{_prefix}/lib/systemd/systemd-userwork
+%{_prefix}/lib/systemd/systemd-userdbd
+%{_unitdir}/systemd-userdbd.service
+%{_unitdir}/systemd-userdbd.socket
+
 %changelog
+* Tue Feb 15 2021 yangmingtai - 249-7
+- disable rename function of net interface
+
+* Tue Feb 15 2021 yangmingtai - 249-6
+- nop_job of a unit must also be coldpluged after deserization
+
+* Tue Feb 15 2021 yangmingtai - 249-5
+- fix CVE-2021-3997 and CVE-2021-33910
+
+* Tue Feb 8 2021 yangmingtai - 249-4
+- fix ConditionDirectoryNotEmpty,ConditionPathIsReadWrite and DirectoryNotEmpty
+
+* Tue Feb 8 2021 yangmingtai - 249-3
+- do not make systemd-cpredump sub packages
+
+* Tue Dec 27 2021 yangmingtai - 249-2
+- delete useless Provides and Obsoletes
+
+* Wed Dec 8 2021 yangmingtai - 249-1
+- systemd update to v249
+
 * Tue Dec 28 2021 licunlong - 248-15
 - fix typo: disable not denable.
@@ -1578,7 +1722,7 @@ fi
 * Mon Aug 16 2021 yangmingtai - 248-8
 - udev: exec daemon-reload after installation
-* Thu Jul 22 2021 yangmingtai - 248-7
+* Fri Jul 23 2021 yangmingtai - 248-7
 - fix CVE-2021-33910
 * Thu Jun 03 2021 shenyangyang - 248-6
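Review bot: Uninstalling the new resolved subpackage leaves `/etc/resolv.conf` dangling whenever it is a symlink into `%{_systemddir}/resolv.conf`, which the `%files resolved` list in this hunk moves out of the main package; the `%preun resolved` added in an earlier hunk only disables the unit, and nothing replaces the link with a regular file, so name resolution on the host breaks after removal. A `%postun resolved` guarded by `[ $1 -eq 0 ]` that replaces a now-dangling `/etc/resolv.conf` symlink with a plain file is needed, and `%{_libdir}/libnss_resolve.so.2` leaving the main package deserves the same check if `/etc/nsswitch.conf` lists `resolve`. Separately, the new `%changelog` entries for 249-3 through 249-7 are dated `Feb 2021` but sit above entries from `Dec 2021`, and Feb 15 2021 and Feb 8 2021 were Mondays, so the year should be `2022` (rpmbuild otherwise warns about a bogus date); `Tue Dec 27 2021` has the same weekday mismatch, and `systemd-cpredump` should read `systemd-coredump`.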