commit: 795d72fab680fc06f338f4ab4db38ee10049ae1e Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sun Dec 24 11:48:50 2023 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sun Dec 24 11:56:30 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=795d72fa
sys-apps/systemd: add 254.8 Bug: https://bugs.gentoo.org/920331 Signed-off-by: Sam James <sam <AT> gentoo.org> sys-apps/systemd/Manifest | 1 + .../systemd/files/254-PrivateDevices-userdbd.patch | 242 ++++++++++ sys-apps/systemd/systemd-254.8.ebuild | 526 +++++++++++++++++++++ 3 files changed, 769 insertions(+) diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest index 5bbbd1461af0..062d2c576f03 100644 --- a/sys-apps/systemd/Manifest +++ b/sys-apps/systemd/Manifest @@ -9,4 +9,5 @@ DIST systemd-stable-254.4.tar.gz 14332995 BLAKE2B 2b51ea867e142beeaf332cead5e2da DIST systemd-stable-254.5.tar.gz 14334696 BLAKE2B 2f63d79ae93add69ac0b56dda9f67019340f84692de4da200557b9f5f1f16bebbad42a9a7e2d6ef7420aa37746d2ede0481fd8e39f03a31576c7e4e48e259ce3 SHA512 cac713670216add9e5473e2c86f04da441015e7cc0ac1500b9e1489a435f9b80c4c6ee24e9b22e4c4213a495bc1a0a908925df2045e344a2170d5aea6aafa16c DIST systemd-stable-254.6.tar.gz 14400611 BLAKE2B 5b23131b8aaabcd386ceb9cfb4ba8e7e1c92c454dbcc2dd907fb459f3022cd324cef86d531fe296ad56349602e487544d60900f71e189aadac6ec0a361a382e3 SHA512 3ebb8c2b931d13cf6efa59842d6d7fb84410fee02f5161061900321497d33750e0b88e2366a4234ba1ab0b89b797da0b1f8b577e0924e560cd9914fde83a1e45 DIST systemd-stable-254.7.tar.gz 14411955 BLAKE2B 1213237a001fb0aef8912637f31d7d77888bc2505e1e8d8d295642a547bdebbc3a786eed095694e6a6fe2665d6e8e45e98cd883186eedeb1b4fd73daf2520dcf SHA512 2e859813f1f52fa693631ce43466875ac2ac42e09872011ee52fe4e44727663c3de9f128a47776899423188c1e99ce73a69059426a9356c930e275037d001685 +DIST systemd-stable-254.8.tar.gz 14418468 BLAKE2B e5a151ece86e57c7224fc95bda1b4ede1277fce4a2ba28d3605ab0431a2aafe1088f90c49a20e3b53a5b56aeef7c0f1f5da0601db740150f5efdf6eae7bbde80 SHA512 a3f35d9fcafcccd8d9c33ab1047241f226146017be95562a67c7dcc9eeb4b77bded92ad80e92f4767f2bf2009df0172a621d4c54a805e07ed5a5ed03940ec28e DIST systemd-stable-255.1.tar.gz 14863856 BLAKE2B 3cf30872cf68117fea970ee2af2dad5e017bec351c866b7b22c9e2f8501c6e526421288feee7fbcf4994bba24beb4b2d98e858ac5b014dd832f9833767e28efe SHA512 ec1506b8e36c943920d8a5a8f6bbedd687d6a8cbc5cd28510485aaa65b96ad1bb58e77cf138818c95d31ea748bb65c56b95efd781d18c8936e910e222e9fdedb diff --git a/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch b/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch new file mode 100644 index 000000000000..115c831c275a --- /dev/null +++ b/sys-apps/systemd/files/254-PrivateDevices-userdbd.patch @@ -0,0 +1,242 @@ +https://bugs.gentoo.org/920331 +https://github.com/systemd/systemd/issues/30535 + +From 4a9e03aa6bb2cbd23dac00f2b2a7642cc79eaade Mon Sep 17 00:00:00 2001 +From: Daan De Meyer <[email protected]> +Date: Wed, 27 Sep 2023 11:55:59 +0200 +Subject: [PATCH 1/2] core: Make private /dev read-only after populating it + +--- + src/core/namespace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/core/namespace.c b/src/core/namespace.c +index e2304f5d066da..d1153f7690140 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -995,6 +995,11 @@ static int mount_private_dev(MountEntry *m) { + if (r < 0) + log_debug_errno(r, "Failed to set up basic device tree at '%s', ignoring: %m", temporary_mount); + ++ /* Make the bind mount read-only. */ ++ r = mount_nofollow_verbose(LOG_DEBUG, NULL, dev, NULL, MS_REMOUNT|MS_BIND|MS_RDONLY, NULL); ++ if (r < 0) ++ return r; ++ + /* Create the /dev directory if missing. It is more likely to be missing when the service is started + * with RootDirectory. This is consistent with mount units creating the mount points when missing. */ + (void) mkdir_p_label(mount_entry_path(m), 0755); + +From cd7f3702eb47c82a50bf74c2b7c15c2e4e1f5c79 Mon Sep 17 00:00:00 2001 +From: Daan De Meyer <[email protected]> +Date: Wed, 27 Sep 2023 10:52:50 +0200 +Subject: [PATCH 2/2] core: Use a subdirectory of /run/ for PrivateDevices= + +When we're starting early boot services such as systemd-userdbd.service, +/tmp might not yet be mounted, so let's use a directory in /run instead +which is guaranteed to be available. +--- + src/core/execute.c | 1 + + src/core/namespace.c | 61 +++++++++++++++++++++++++++++---------- + src/core/namespace.h | 2 ++ + src/test/test-namespace.c | 1 + + src/test/test-ns.c | 1 + + 5 files changed, 50 insertions(+), 16 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index a52df64d01081..89c3868d55f6c 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -3307,6 +3307,7 @@ static int apply_mount_namespace( + extension_dir, + root_dir || root_image ? params->notify_socket : NULL, + host_os_release_stage, ++ params->runtime_scope, + error_path); + + /* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports +diff --git a/src/core/namespace.c b/src/core/namespace.c +index d1153f7690140..a0471ac8884bf 100644 +--- a/src/core/namespace.c ++++ b/src/core/namespace.c +@@ -909,7 +909,19 @@ static int clone_device_node( + return 0; + } + +-static int mount_private_dev(MountEntry *m) { ++static char *settle_runtime_dir(RuntimeScope scope) { ++ char *runtime_dir; ++ ++ if (scope != RUNTIME_SCOPE_USER) ++ return strdup("/run/"); ++ ++ if (asprintf(&runtime_dir, "/run/user/" UID_FMT, geteuid()) < 0) ++ return NULL; ++ ++ return runtime_dir; ++} ++ ++static int mount_private_dev(MountEntry *m, RuntimeScope scope) { + static const char devnodes[] = + "/dev/null\0" + "/dev/zero\0" +@@ -918,13 +930,21 @@ static int mount_private_dev(MountEntry *m) { + "/dev/urandom\0" + "/dev/tty\0"; + +- char temporary_mount[] = "/tmp/namespace-dev-XXXXXX"; ++ _cleanup_free_ char *runtime_dir = NULL, *temporary_mount = NULL; + const char *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL; + bool can_mknod = true; + int r; + + assert(m); + ++ runtime_dir = settle_runtime_dir(scope); ++ if (!runtime_dir) ++ return log_oom_debug(); ++ ++ temporary_mount = path_join(runtime_dir, "systemd/namespace-dev-XXXXXX"); ++ if (!temporary_mount) ++ return log_oom_debug(); ++ + if (!mkdtemp(temporary_mount)) + return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount); + +@@ -1364,7 +1384,8 @@ static int apply_one_mount( + MountEntry *m, + const ImagePolicy *mount_image_policy, + const ImagePolicy *extension_image_policy, +- const NamespaceInfo *ns_info) { ++ const NamespaceInfo *ns_info, ++ RuntimeScope scope) { + + _cleanup_free_ char *inaccessible = NULL; + bool rbind = true, make = false; +@@ -1379,8 +1400,7 @@ static int apply_one_mount( + switch (m->mode) { + + case INACCESSIBLE: { +- _cleanup_free_ char *tmp = NULL; +- const char *runtime_dir; ++ _cleanup_free_ char *runtime_dir = NULL; + struct stat target; + + /* First, get rid of everything that is below if there +@@ -1396,14 +1416,14 @@ static int apply_one_mount( + mount_entry_path(m)); + } + +- if (geteuid() == 0) +- runtime_dir = "/run"; +- else { +- if (asprintf(&tmp, "/run/user/" UID_FMT, geteuid()) < 0) +- return -ENOMEM; +- +- runtime_dir = tmp; +- } ++ /* We don't pass the literal runtime scope through here but one based purely on our UID. This ++ * means that the root user's --user services will use the host's inaccessible inodes rather ++ * then root's private ones. This is preferable since it means device nodes that are ++ * overmounted to make them inaccessible will be overmounted with a device node, rather than ++ * an AF_UNIX socket inode. */ ++ runtime_dir = settle_runtime_dir(geteuid() == 0 ? RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER); ++ if (!runtime_dir) ++ return log_oom_debug(); + + r = mode_to_inaccessible_node(runtime_dir, target.st_mode, &inaccessible); + if (r < 0) +@@ -1523,7 +1543,7 @@ static int apply_one_mount( + break; + + case PRIVATE_DEV: +- return mount_private_dev(m); ++ return mount_private_dev(m, scope); + + case BIND_DEV: + return mount_bind_dev(m); +@@ -1824,6 +1844,7 @@ static int apply_mounts( + const NamespaceInfo *ns_info, + MountEntry *mounts, + size_t *n_mounts, ++ RuntimeScope scope, + char **symlinks, + char **error_path) { + +@@ -1875,7 +1896,7 @@ static int apply_mounts( + break; + } + +- r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info); ++ r = apply_one_mount(root, m, mount_image_policy, extension_image_policy, ns_info, scope); + if (r < 0) { + if (error_path && mount_entry_path(m)) + *error_path = strdup(mount_entry_path(m)); +@@ -2030,6 +2051,7 @@ int setup_namespace( + const char *extension_dir, + const char *notify_socket, + const char *host_os_release_stage, ++ RuntimeScope scope, + char **error_path) { + + _cleanup_(loop_device_unrefp) LoopDevice *loop_device = NULL; +@@ -2490,7 +2512,14 @@ int setup_namespace( + (void) base_filesystem_create(root, UID_INVALID, GID_INVALID); + + /* Now make the magic happen */ +- r = apply_mounts(root, mount_image_policy, extension_image_policy, ns_info, mounts, &n_mounts, symlinks, error_path); ++ r = apply_mounts(root, ++ mount_image_policy, ++ extension_image_policy, ++ ns_info, ++ mounts, &n_mounts, ++ scope, ++ symlinks, ++ error_path); + if (r < 0) + goto finish; + +diff --git a/src/core/namespace.h b/src/core/namespace.h +index b6132154c5132..581403d89826d 100644 +--- a/src/core/namespace.h ++++ b/src/core/namespace.h +@@ -16,6 +16,7 @@ typedef struct MountImage MountImage; + #include "fs-util.h" + #include "macro.h" + #include "namespace-util.h" ++#include "runtime-scope.h" + #include "string-util.h" + + typedef enum ProtectHome { +@@ -134,6 +135,7 @@ int setup_namespace( + const char *extension_dir, + const char *notify_socket, + const char *host_os_release_stage, ++ RuntimeScope scope, + char **error_path); + + #define RUN_SYSTEMD_EMPTY "/run/systemd/empty" +diff --git a/src/test/test-namespace.c b/src/test/test-namespace.c +index 25aafc35ca837..42ac65d08c87a 100644 +--- a/src/test/test-namespace.c ++++ b/src/test/test-namespace.c +@@ -206,6 +206,7 @@ TEST(protect_kernel_logs) { + NULL, + NULL, + NULL, ++ RUNTIME_SCOPE_SYSTEM, + NULL); + assert_se(r == 0); + +diff --git a/src/test/test-ns.c b/src/test/test-ns.c +index 77afd2f6b9eb8..eb3afed9e1c66 100644 +--- a/src/test/test-ns.c ++++ b/src/test/test-ns.c +@@ -108,6 +108,7 @@ int main(int argc, char *argv[]) { + NULL, + NULL, + NULL, ++ RUNTIME_SCOPE_SYSTEM, + NULL); + if (r < 0) { + log_error_errno(r, "Failed to set up namespace: %m"); diff --git a/sys-apps/systemd/systemd-254.8.ebuild b/sys-apps/systemd/systemd-254.8.ebuild new file mode 100644 index 000000000000..0ad5f8893f48 --- /dev/null +++ b/sys-apps/systemd/systemd-254.8.ebuild @@ -0,0 +1,526 @@ +# Copyright 2011-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 +PYTHON_COMPAT=( python3_{10..12} ) + +# Avoid QA warnings +TMPFILES_OPTIONAL=1 +UDEV_OPTIONAL=1 + +QA_PKGCONFIG_VERSION=$(ver_cut 1) + +if [[ ${PV} == 9999 ]]; then + EGIT_REPO_URI="https://github.com/systemd/systemd.git"; + inherit git-r3 +else + if [[ ${PV} == *.* ]]; then + MY_PN=systemd-stable + else + MY_PN=systemd + fi + MY_PV=${PV/_/-} + MY_P=${MY_PN}-${MY_PV} + S=${WORKDIR}/${MY_P} + SRC_URI="https://github.com/systemd/${MY_PN}/archive/v${MY_PV}/${MY_P}.tar.gz"; + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86" +fi + +inherit bash-completion-r1 linux-info meson-multilib pam python-single-r1 +inherit secureboot systemd toolchain-funcs udev usr-ldscript + +DESCRIPTION="System and service manager for Linux" +HOMEPAGE="http://systemd.io/"; + +LICENSE="GPL-2 LGPL-2.1 MIT public-domain" +SLOT="0/2" +IUSE=" + acl apparmor audit boot cgroup-hybrid cryptsetup curl +dns-over-tls elfutils + fido2 +gcrypt gnutls homed http idn importd iptables kernel-install +kmod + +lz4 lzma +openssl pam pcre pkcs11 policykit pwquality qrcode + +resolvconf +seccomp selinux split-usr +sysv-utils test tpm ukify vanilla xkb +zstd +" +REQUIRED_USE=" + ${PYTHON_REQUIRED_USE} + dns-over-tls? ( || ( gnutls openssl ) ) + fido2? ( cryptsetup openssl ) + homed? ( cryptsetup pam openssl ) + importd? ( curl lzma || ( gcrypt openssl ) ) + pwquality? ( homed ) + boot? ( kernel-install ) + ukify? ( boot ) +" +RESTRICT="!test? ( test )" + +MINKV="4.15" + +COMMON_DEPEND=" + >=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] + sys-libs/libcap:0=[${MULTILIB_USEDEP}] + virtual/libcrypt:=[${MULTILIB_USEDEP}] + acl? ( sys-apps/acl:0= ) + apparmor? ( sys-libs/libapparmor:0= ) + audit? ( >=sys-process/audit-2:0= ) + cryptsetup? ( >=sys-fs/cryptsetup-2.0.1:0= ) + curl? ( net-misc/curl:0= ) + elfutils? ( >=dev-libs/elfutils-0.158:0= ) + fido2? ( dev-libs/libfido2:0= ) + gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) + gnutls? ( >=net-libs/gnutls-3.6.0:0= ) + http? ( >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] ) + idn? ( net-dns/libidn2:= ) + importd? ( + app-arch/bzip2:0= + sys-libs/zlib:0= + ) + kmod? ( >=sys-apps/kmod-15:0= ) + lz4? ( >=app-arch/lz4-0_p131:0=[${MULTILIB_USEDEP}] ) + lzma? ( >=app-arch/xz-utils-5.0.5-r1:0=[${MULTILIB_USEDEP}] ) + iptables? ( net-firewall/iptables:0= ) + openssl? ( >=dev-libs/openssl-1.1.0:0= ) + pam? ( sys-libs/pam:=[${MULTILIB_USEDEP}] ) + pkcs11? ( app-crypt/p11-kit:0= ) + pcre? ( dev-libs/libpcre2 ) + pwquality? ( dev-libs/libpwquality:0= ) + qrcode? ( media-gfx/qrencode:0= ) + seccomp? ( >=sys-libs/libseccomp-2.3.3:0= ) + selinux? ( sys-libs/libselinux:0= ) + tpm? ( app-crypt/tpm2-tss:0= ) + xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= ) + zstd? ( >=app-arch/zstd-1.4.0:0=[${MULTILIB_USEDEP}] ) +" + +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} +" + +PEFILE_DEPEND='dev-python/pefile[${PYTHON_USEDEP}]' + +# baselayout-2.2 has /run +RDEPEND="${COMMON_DEPEND} + >=acct-group/adm-0-r1 + >=acct-group/wheel-0-r1 + >=acct-group/kmem-0-r1 + >=acct-group/tty-0-r1 + >=acct-group/utmp-0-r1 + >=acct-group/audio-0-r1 + >=acct-group/cdrom-0-r1 + >=acct-group/dialout-0-r1 + >=acct-group/disk-0-r1 + >=acct-group/input-0-r1 + >=acct-group/kvm-0-r1 + >=acct-group/lp-0-r1 + >=acct-group/render-0-r1 + acct-group/sgx + >=acct-group/tape-0-r1 + acct-group/users + >=acct-group/video-0-r1 + >=acct-group/systemd-journal-0-r1 + >=acct-user/root-0-r1 + acct-user/nobody + >=acct-user/systemd-journal-remote-0-r1 + >=acct-user/systemd-coredump-0-r1 + >=acct-user/systemd-network-0-r1 + acct-user/systemd-oom + >=acct-user/systemd-resolve-0-r1 + >=acct-user/systemd-timesync-0-r1 + >=sys-apps/baselayout-2.2 + ukify? ( + ${PYTHON_DEPS} + $(python_gen_cond_dep "${PEFILE_DEPEND}") + ) + selinux? ( + sec-policy/selinux-base-policy[systemd] + sec-policy/selinux-ntp + ) + sysv-utils? ( + !sys-apps/openrc[sysv-utils(-)] + !sys-apps/sysvinit + ) + !sysv-utils? ( sys-apps/sysvinit ) + resolvconf? ( !net-dns/openresolv ) + !sys-apps/hwids[udev] + !sys-auth/nss-myhostname + !sys-fs/eudev + !sys-fs/udev +" + +# sys-apps/dbus: the daemon only (+ build-time lib dep for tests) +PDEPEND=">=sys-apps/dbus-1.9.8[systemd] + >=sys-fs/udev-init-scripts-34 + policykit? ( sys-auth/polkit ) + !vanilla? ( sys-apps/gentoo-systemd-integration )" + +BDEPEND=" + app-arch/xz-utils:0 + dev-util/gperf + >=dev-util/meson-0.46 + >=sys-apps/coreutils-8.16 + sys-devel/gettext + virtual/pkgconfig + test? ( + app-text/tree + dev-lang/perl + sys-apps/dbus + ) + app-text/docbook-xml-dtd:4.2 + app-text/docbook-xml-dtd:4.5 + app-text/docbook-xsl-stylesheets + dev-libs/libxslt:0 + ${PYTHON_DEPS} + $(python_gen_cond_dep " + dev-python/jinja[\${PYTHON_USEDEP}] + dev-python/lxml[\${PYTHON_USEDEP}] + boot? ( >=dev-python/pyelftools-0.30[\${PYTHON_USEDEP}] ) + ukify? ( test? ( ${PEFILE_DEPEND} ) ) + ") +" + +QA_FLAGS_IGNORED="usr/lib/systemd/boot/efi/.*" +QA_EXECSTACK="usr/lib/systemd/boot/efi/*" + +pkg_pretend() { + if [[ ${MERGE_TYPE} != buildonly ]]; then + if use test && has pid-sandbox ${FEATURES}; then + ewarn "Tests are known to fail with PID sandboxing enabled." + ewarn "See https://bugs.gentoo.org/674458."; + fi + + local CONFIG_CHECK="~BLK_DEV_BSG ~CGROUPS + ~CGROUP_BPF ~DEVTMPFS ~EPOLL ~FANOTIFY ~FHANDLE + ~INOTIFY_USER ~IPV6 ~NET ~NET_NS ~PROC_FS ~SIGNALFD ~SYSFS + ~TIMERFD ~TMPFS_XATTR ~UNIX ~USER_NS + ~CRYPTO_HMAC ~CRYPTO_SHA256 ~CRYPTO_USER_API_HASH + ~!GRKERNSEC_PROC ~!IDE ~!SYSFS_DEPRECATED + ~!SYSFS_DEPRECATED_V2" + + use acl && CONFIG_CHECK+=" ~TMPFS_POSIX_ACL" + use seccomp && CONFIG_CHECK+=" ~SECCOMP ~SECCOMP_FILTER" + + if kernel_is -ge 5 10 20; then + CONFIG_CHECK+=" ~KCMP" + else + CONFIG_CHECK+=" ~CHECKPOINT_RESTORE" + fi + + if kernel_is -ge 4 18; then + CONFIG_CHECK+=" ~AUTOFS_FS" + else + CONFIG_CHECK+=" ~AUTOFS4_FS" + fi + + if linux_config_exists; then + local uevent_helper_path=$(linux_chkconfig_string UEVENT_HELPER_PATH) + if [[ -n ${uevent_helper_path} ]] && [[ ${uevent_helper_path} != '""' ]]; then + ewarn "It's recommended to set an empty value to the following kernel config option:" + ewarn "CONFIG_UEVENT_HELPER_PATH=${uevent_helper_path}" + fi + if linux_chkconfig_present X86; then + CONFIG_CHECK+=" ~DMIID" + fi + fi + + if kernel_is -lt ${MINKV//./ }; then + ewarn "Kernel version at least ${MINKV} required" + fi + + check_extra_config + fi +} + +pkg_setup() { + use boot && secureboot_pkg_setup +} + +src_unpack() { + default + [[ ${PV} != 9999 ]] || git-r3_src_unpack +} + +src_prepare() { + local PATCHES=( + "${FILESDIR}/systemd-253-initrd-generators.patch" + "${FILESDIR}/254-PrivateDevices-userdbd.patch" + ) + + if ! use vanilla; then + PATCHES+=( + "${FILESDIR}/gentoo-generator-path-r2.patch" + "${FILESDIR}/gentoo-journald-audit-r1.patch" + ) + fi + + # Fails with split-usr. + sed -i -e '2i exit 77' test/test-rpm-macros.sh || die + + default +} + +src_configure() { + # Prevent conflicts with i686 cross toolchain, bug 559726 + tc-export AR CC NM OBJCOPY RANLIB + + python_setup + + multilib-minimal_src_configure +} + +multilib_src_configure() { + local myconf=( + --localstatedir="${EPREFIX}/var" + -Dsupport-url="https://gentoo.org/support/"; + -Dpamlibdir="$(getpam_mod_dir)" + # avoid bash-completion dep + -Dbashcompletiondir="$(get_bashcompdir)" + $(meson_use split-usr) + $(meson_use split-usr split-bin) + -Drootprefix="$(usex split-usr "${EPREFIX:-/}" "${EPREFIX}/usr")" + -Drootlibdir="${EPREFIX}/usr/$(get_libdir)" + # Disable compatibility with sysvinit + -Dsysvinit-path= + -Dsysvrcnd-path= + # Avoid infinite exec recursion, bug 642724 + -Dtelinit-path="${EPREFIX}/lib/sysvinit/telinit" + # no deps + -Dima=true + -Ddefault-hierarchy=$(usex cgroup-hybrid hybrid unified) + # Optional components/dependencies + $(meson_native_use_bool acl) + $(meson_native_use_bool apparmor) + $(meson_native_use_bool audit) + $(meson_native_use_bool boot bootloader) + $(meson_native_use_bool cryptsetup libcryptsetup) + $(meson_native_use_bool curl libcurl) + $(meson_native_use_bool dns-over-tls dns-over-tls) + $(meson_native_use_bool elfutils) + $(meson_native_use_bool fido2 libfido2) + $(meson_use gcrypt) + $(meson_native_use_bool gnutls) + $(meson_native_use_bool homed) + $(meson_native_use_bool http microhttpd) + $(meson_native_use_bool idn) + $(meson_native_use_bool importd) + $(meson_native_use_bool importd bzip2) + $(meson_native_use_bool importd zlib) + $(meson_native_use_bool kernel-install) + $(meson_native_use_bool kmod) + $(meson_use lz4) + $(meson_use lzma xz) + $(meson_use test tests) + $(meson_use zstd) + $(meson_native_use_bool iptables libiptc) + $(meson_native_use_bool openssl) + $(meson_use pam) + $(meson_native_use_bool pkcs11 p11kit) + $(meson_native_use_bool pcre pcre2) + $(meson_native_use_bool policykit polkit) + $(meson_native_use_bool pwquality) + $(meson_native_use_bool qrcode qrencode) + $(meson_native_use_bool seccomp) + $(meson_native_use_bool selinux) + $(meson_native_use_bool tpm tpm2) + $(meson_native_use_bool test dbus) + $(meson_native_use_bool ukify) + $(meson_native_use_bool xkb xkbcommon) + -Dntp-servers="0.gentoo.pool.ntp.org 1.gentoo.pool.ntp.org 2.gentoo.pool.ntp.org 3.gentoo.pool.ntp.org" + # Breaks screen, tmux, etc. + -Ddefault-kill-user-processes=false + -Dcreate-log-dirs=false + + # multilib options + $(meson_native_true backlight) + $(meson_native_true binfmt) + $(meson_native_true coredump) + $(meson_native_true environment-d) + $(meson_native_true firstboot) + $(meson_native_true hibernate) + $(meson_native_true hostnamed) + $(meson_native_true ldconfig) + $(meson_native_true localed) + $(meson_native_true man) + $(meson_native_true networkd) + $(meson_native_true quotacheck) + $(meson_native_true randomseed) + $(meson_native_true rfkill) + $(meson_native_true sysusers) + $(meson_native_true timedated) + $(meson_native_true timesyncd) + $(meson_native_true tmpfiles) + $(meson_native_true vconsole) + ) + + meson_src_configure "${myconf[@]}" +} + +multilib_src_test() { + unset DBUS_SESSION_BUS_ADDRESS XDG_RUNTIME_DIR + local -x COLUMNS=80 + meson_src_test +} + +multilib_src_install_all() { + local rootprefix=$(usex split-usr '' /usr) + local sbin=$(usex split-usr sbin bin) + + # meson doesn't know about docdir + mv "${ED}"/usr/share/doc/{systemd,${PF}} || die + + einstalldocs + dodoc "${FILESDIR}"/nsswitch.conf + + insinto /usr/lib/tmpfiles.d + doins "${FILESDIR}"/legacy.conf + + if ! use resolvconf; then + rm -f "${ED}${rootprefix}/${sbin}"/resolvconf || die + fi + + if ! use sysv-utils; then + rm "${ED}${rootprefix}/${sbin}"/{halt,init,poweroff,reboot,shutdown} || die + rm "${ED}"/usr/share/man/man1/init.1 || die + rm "${ED}"/usr/share/man/man8/{halt,poweroff,reboot,shutdown}.8 || die + fi + + # https://bugs.gentoo.org/761763 + rm -r "${ED}"/usr/lib/sysusers.d || die + + # Preserve empty dirs in /etc & /var, bug #437008 + keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,system,user} + keepdir /etc/udev/rules.d + + keepdir /etc/udev/hwdb.d + + keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + keepdir /var/log/journal + + if use pam; then + newpamd "${FILESDIR}"/systemd-user.pam systemd-user + fi + + if use split-usr; then + # Avoid breaking boot/reboot + dosym ../../../lib/systemd/systemd /usr/lib/systemd/systemd + dosym ../../../lib/systemd/systemd-shutdown /usr/lib/systemd/systemd-shutdown + fi + + gen_usr_ldscript -a systemd udev + + use ukify && python_fix_shebang "${ED}" + use boot && secureboot_auto_sign +} + +migrate_locale() { + local envd_locale_def="${EROOT}/etc/env.d/02locale" + local envd_locale=( "${EROOT}"/etc/env.d/??locale ) + local locale_conf="${EROOT}/etc/locale.conf" + + if [[ ! -L ${locale_conf} && ! -e ${locale_conf} ]]; then + # If locale.conf does not exist... + if [[ -e ${envd_locale} ]]; then + # ...either copy env.d/??locale if there's one + ebegin "Moving ${envd_locale} to ${locale_conf}" + mv "${envd_locale}" "${locale_conf}" + eend ${?} || FAIL=1 + else + # ...or create a dummy default + ebegin "Creating ${locale_conf}" + cat > "${locale_conf}" <<-EOF + # This file has been created by the sys-apps/systemd ebuild. + # See locale.conf(5) and localectl(1). + + # LANG=${LANG} + EOF + eend ${?} || FAIL=1 + fi + fi + + if [[ ! -L ${envd_locale} ]]; then + # now, if env.d/??locale is not a symlink (to locale.conf)... + if [[ -e ${envd_locale} ]]; then + # ...warn the user that he has duplicate locale settings + ewarn + ewarn "To ensure consistent behavior, you should replace ${envd_locale}" + ewarn "with a symlink to ${locale_conf}. Please migrate your settings" + ewarn "and create the symlink with the following command:" + ewarn "ln -s -n -f ../locale.conf ${envd_locale}" + ewarn + else + # ...or just create the symlink if there's nothing here + ebegin "Creating ${envd_locale_def} -> ../locale.conf symlink" + ln -n -s ../locale.conf "${envd_locale_def}" + eend ${?} || FAIL=1 + fi + fi +} + +pkg_preinst() { + if [[ -e ${EROOT}/etc/sysctl.conf ]]; then + # Symlink /etc/sysctl.conf for easy migration. + dosym ../../../etc/sysctl.conf /usr/lib/sysctl.d/99-sysctl.conf + fi + + if ! use split-usr; then + local dir + for dir in bin sbin lib usr/sbin; do + if [[ ! -L ${EROOT}/${dir} ]]; then + eerror "'${EROOT}/${dir}' is not a symbolic link." + FAIL=1 + fi + done + if [[ ${FAIL} ]]; then + eerror "Migration to system layout with merged directories must be performed before" + eerror "installing ${CATEGORY}/${PN} with USE=\"-split-usr\" to avoid run-time breakage." + die "System layout with split directories still used" + fi + fi + if ! use boot && has_version "sys-apps/systemd[gnuefi(-)]"; then + ewarn "The 'gnuefi' USE flag has been renamed to 'boot'." + ewarn "Make sure to enable the 'boot' USE flag if you use systemd-boot." + fi +} + +pkg_postinst() { + systemd_update_catalog + + # Keep this here in case the database format changes so it gets updated + # when required. + systemd-hwdb --root="${ROOT}" update + + udev_reload || FAIL=1 + + # Bug 465468, make sure locales are respected, and ensure consistency + # between OpenRC & systemd + migrate_locale + + if [[ -z ${REPLACING_VERSIONS} ]]; then + if type systemctl &>/dev/null; then + systemctl --root="${ROOT:-/}" enable [email protected] remote-fs.target || FAIL=1 + fi + elog "To enable a useful set of services, run the following:" + elog " systemctl preset-all --preset-mode=enable-only" + fi + + if [[ -L ${EROOT}/var/lib/systemd/timesync ]]; then + rm "${EROOT}/var/lib/systemd/timesync" + fi + + if [[ ${FAIL} ]]; then + eerror "One of the postinst commands failed. Please check the postinst output" + eerror "for errors. You may need to clean up your system and/or try installing" + eerror "systemd again." + eerror + fi +} + +pkg_prerm() { + # If removing systemd completely, remove the catalog database. + if [[ ! ${REPLACED_BY_VERSION} ]]; then + rm -f -v "${EROOT}"/var/lib/systemd/catalog/database + fi +}
