Hello community, here is the log from the commit of package systemd for openSUSE:Factory checked in at 2018-02-05 10:50:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/systemd (Old) and /work/SRC/openSUSE:Factory/.systemd.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "systemd" Mon Feb 5 10:50:36 2018 rev:270 rq:571964 version:234 Changes: --------
--- /work/SRC/openSUSE:Factory/systemd/systemd-mini.changes 2018-01-30 15:38:49.710221886 +0100
+++ /work/SRC/openSUSE:Factory/.systemd.new/systemd-mini.changes 2018-02-05 10:50:43.266736808 +0100
@@ -1,0 +2,39 @@
+Fri Feb 2 08:56:04 UTC 2018 - [email protected]
+
+- Import commit 8ec9f58d334c76e736957812d9e57151502a6f63
+
+ 07c6ee3eb compat-rules: get rid of scsi_id when generating compat symlinks for NVMe devices (bsc#1051465)
+ 261a4ef38 compat-rules: generate compat by-id symlinks with 'nvme' prefix missing (bsc#1063249)
+
+-------------------------------------------------------------------
+Fri Feb 2 08:44:57 UTC 2018 - [email protected]
+
+- Drop 0001-compat-rules-get-rid-of-scsi_id-when-generating-comp.patch
+
+ It's been imported in branch "compats/udev-compat-symlinks" which
+ has been merged in branch "openSUSE-Factory" in its turn.
+
+-------------------------------------------------------------------
+Fri Feb 2 08:17:41 UTC 2018 - [email protected]
+
+- Import commit c516268845b0fd0683cef2e491b84077371e8f01
+
+ 37da1facb core: disable session keyring per system sevice entirely for now (bnc#1045886)
+ 8a1ae0449 strv: fix buffer size calculation in strv_join_quoted()
+
+-------------------------------------------------------------------
+Fri Feb 2 08:14:03 UTC 2018 - [email protected]
+
+- Drop 0001-core-disable-session-keyring-per-system-sevice-entir.patch
+
+ It's been merged in branch "SUSE/v234".
+
+-------------------------------------------------------------------
+Wed Jan 31 15:14:55 UTC 2018 - [email protected]
+
+- Import commit 2087a80d56bb6f8c7fb74a19172259bc9d9af866
+
+ 2b8971b8a tmpfiles: refuse to chown()/chmod() files which are hardlinked, unless protected_hardlinks sysctl is on (bsc#1077925 CVE-2017-18078)
+ 8c2bcac25 tmpfiles: change ownership of symlinks too
+
+-------------------------------------------------------------------
systemd.changes: same change Old: ---- 0001-compat-rules-get-rid-of-scsi_id-when-generating-comp.patch 0001-core-disable-session-keyring-per-system-sevice-entir.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ systemd-mini.spec ++++++
--- /var/tmp/diff_new_pack.XIDqls/_old 2018-02-05 10:50:44.730668277 +0100
+++ /var/tmp/diff_new_pack.XIDqls/_new 2018-02-05 10:50:44.734668090 +0100
@@ -162,8 +162,8 @@
# broken in upstream and need an urgent fix. Even in this case, the # patches are temporary and should be removed as soon as a fix is # merged by upstream. -Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch -Patch2: 0001-compat-rules-get-rid-of-scsi_id-when-generating-comp.patch + +# Empty %description Systemd is a system and service manager, compatible with SysV and LSB
@@ -408,7 +408,7 @@
%prep %setup -q -n systemd-%{version} -%autopatch -p1 +# %autopatch -p1 # only needed for bootstrap %if 0%{?bootstrap} ++++++ systemd.spec ++++++
--- /var/tmp/diff_new_pack.XIDqls/_old 2018-02-05 10:50:44.762666779 +0100
+++ /var/tmp/diff_new_pack.XIDqls/_new 2018-02-05 10:50:44.766666592 +0100
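Review bot: The commented-out `+# %autopatch -p1` in the `%prep` hunk is still macro-expanded, because rpm expands macros inside spec comments; with no `Patch:` lines left the expansion is currently empty, but a patch re-added later without uncommenting the line would be applied from inside a comment, and rpmlint reports this as macro-in-comment. Escape it as `# %%autopatch -p1` or delete the line outright. The same two hunks are repeated in the systemd.spec section that follows.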
@@ -160,8 +160,8 @@ # broken in upstream and need an urgent fix. Even in this case, the # patches are temporary and should be removed as soon as a fix is # merged by upstream. -Patch1: 0001-core-disable-session-keyring-per-system-sevice-entir.patch -Patch2: 0001-compat-rules-get-rid-of-scsi_id-when-generating-comp.patch + +# Empty %description Systemd is a system and service manager, compatible with SysV and LSB @@ -406,7 +406,7 @@ %prep %setup -q -n systemd-%{version} -%autopatch -p1 +# %autopatch -p1 # only needed for bootstrap %if 0%{?bootstrap} ++++++ systemd-234.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/systemd-234/rules/61-persistent-storage-compat.rules new/systemd-234/rules/61-persistent-storage-compat.rules --- old/systemd-234/rules/61-persistent-storage-compat.rules 2018-01-26 15:40:25.000000000 +0100 +++ new/systemd-234/rules/61-persistent-storage-compat.rules 2018-02-02 09:54:37.000000000 +0100 @@ -16,6 +16,10 @@ # doesn't rely on them and they could be disabled permanently. # # Thanks ! +# +# Note: this rules file can rely on all ID_* variables (set by +# 60-persistent-storage.rule) but should not overwrite them, see +# bsc#1048679 for details. ACTION=="remove", GOTO="persistent_storage_end" 
@@ -49,14 +53,46 @@ # ENV{COMPAT_SYMLINK_GENERATION}!="1", GOTO="generation_2" -# NVMe links were introduced first via a SUSE specific commit +# NVMe symlinks were introduced first via a SUSE specific commit # (bsc#944132) and upstream gained support later but of course using a -# different scheme. Also note that ID_SERIAL is already used by the -# contemporary rules, see bsc#1048679 for details. -KERNEL=="nvme*", ENV{DEVTYPE}=="disk", ENV{ID_NVME_SERIAL_COMPAT}!="?*", PROGRAM="scsi_id --whitelisted --replace-whitespace -d $devnode", RESULT=="?*", ENV{ID_NVME_SERIAL_COMPAT}="$result" +# different scheme. + +# The SCSI translation layer for NVMe devices has been removed from +# the kernel since 4.13, therefore we switched from scsi_id to the +# sysfs interface to generate the name of the compat symlinks. +# Unfortunately we can't use %s{model} to retrieve the model string +# because udev strips any trailing whitespaces and some plateforms +# (QEMU does that) might append such chars. In those cases scsi_id was +# replacing them with a single trailing '_'. Therefore the currently +# code retrieves the model string manually making sure to preserve all +# characters so trailing whitespaces are still converted when the +# symlink is created. + +# KERNEL=="nvme*", ENV{DEVTYPE}=="disk", ENV{ID_NVME_SERIAL_COMPAT}!="?*", ATTRS{model}=="?*", ATTRS{serial}=="?*" \ +# PROGRAM=="/bin/sh -c 'MODEL=\"%s{model}\"; echo \"${MODEL:0:16}\"'", ENV{ID_NVME_SERIAL_COMPAT}="SNVMe_%c%s{serial}" + +KERNEL=="nvme*", ENV{DEVTYPE}=="disk", ENV{ID_NVME_SERIAL_COMPAT}!="?*", ATTRS{model}=="?*", ATTRS{serial}=="?*" \ + PROGRAM=="/bin/sh -c ' \ + cd /sys/%p; \ + while ! 
[ -f model ]; do \ + cd ..; \ + [ $(pwd) = %S ] && exit 1; \ + done; \ + cut -c 1-16 model'", ENV{ID_NVME_SERIAL_COMPAT}="SNVMe_%c%s{serial}" + KERNEL=="nvme*", ENV{DEVTYPE}=="disk", ENV{ID_NVME_SERIAL_COMPAT}=="?*", SYMLINK+="disk/by-id/nvme-$env{ID_NVME_SERIAL_COMPAT}" KERNEL=="nvme*", ENV{DEVTYPE}=="partition", ENV{ID_NVME_SERIAL_COMPAT}=="?*", SYMLINK+="disk/by-id/nvme-$env{ID_NVME_SERIAL_COMPAT}-part%n" +# Leap 42.3 ISO has a version of udev which suffers from bsc#1048679 +# (ID_SERIAL is set by the upstream rules making ID_BUS empty instead +# of "nvme"). This lead to those odd symlinks with the "nvme" prefix +# missing (bsc#1063249). +# +# They are actually only used by systems with Leap 42.3 initially +# installed and with NVMe encrypted partitions. +KERNEL=="nvme*", ENV{DEVTYPE}=="disk", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/-$env{ID_SERIAL}" +KERNEL=="nvme*", ENV{DEVTYPE}=="partition", ENV{ID_SERIAL}=="?*", SYMLINK+="disk/by-id/-$env{ID_SERIAL}-part%n" + # SCSI compat links for ATA devices, removed by f6ba1a468cea (boo#769002) KERNEL=="sd*[!0-9]", ENV{ID_BUS}=="ata", PROGRAM="scsi_id --whitelisted --replace-whitespace -p0x80 -d $devnode", RESULT=="?*", ENV{ID_SCSI_COMPAT}="$result", SYMLINK+="disk/by-id/scsi-$env{ID_SCSI_COMPAT}" KERNEL=="sd*[0-9]", ENV{ID_SCSI_COMPAT}=="?*", SYMLINK+="disk/by-id/scsi-$env{ID_SCSI_COMPAT}-part%n" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/systemd-234/src/basic/strv.c new/systemd-234/src/basic/strv.c --- old/systemd-234/src/basic/strv.c 2018-01-26 15:40:25.000000000 +0100 +++ new/systemd-234/src/basic/strv.c 2018-02-02 09:54:37.000000000 +0100 
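Review bot: The new PROGRAM rule starts its directory walk at the hard-coded `cd /sys/%p;` but stops it by comparing `$(pwd)` against udev's `%S` substitution; if the two ever disagree the guard never matches, `cd ..` keeps succeeding at `/`, and the loop spins until udev kills the event on timeout. Starting from `cd "%S/%p";` keeps both ends on the same value, and `[ "$(pwd)" = "%S" ] && exit 1;` avoids word splitting. The two new `SYMLINK+="disk/by-id/-$env{ID_SERIAL}"` rules are installed unconditionally although the comment says only Leap 42.3 installs need them; a comment stating when they can be dropped would help, and the preceding comment block has the typos `plateforms` and `the currently code`.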
@@ -398,21 +398,18 @@ size_t allocated = 0, len = 0; STRV_FOREACH(s, l) { - /* assuming here that escaped string cannot be more - * than twice as long, and reserving space for the - * separator and quotes. - */ _cleanup_free_ char *esc = NULL; size_t needed; - if (!GREEDY_REALLOC(buf, allocated, - len + strlen(*s) * 2 + 3)) - goto oom; - esc = cescape(*s); if (!esc) goto oom; + /* reserving space for the escaped text, separator, quotes and NULL terminator. */ + if (!GREEDY_REALLOC(buf, allocated, + len + strlen(esc) + 4)) + goto oom; + needed = snprintf(buf + len, allocated - len, "%s\"%s\"", len > 0 ? " " : "", esc); assert(needed < allocated - len); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/systemd-234/src/core/service.c new/systemd-234/src/core/service.c --- old/systemd-234/src/core/service.c 2018-01-26 15:40:25.000000000 +0100 +++ new/systemd-234/src/core/service.c 2018-02-02 09:54:37.000000000 +0100 @@ -1352,7 +1352,6 @@ } else path = UNIT(s)->cgroup_path; - exec_params.flags |= MANAGER_IS_SYSTEM(UNIT(s)->manager) ? EXEC_NEW_KEYRING : 0; exec_params.argv = c->argv; exec_params.environment = final_env; exec_params.fds = fds; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/systemd-234/src/tmpfiles/tmpfiles.c new/systemd-234/src/tmpfiles/tmpfiles.c --- old/systemd-234/src/tmpfiles/tmpfiles.c 2018-01-26 15:40:25.000000000 +0100 +++ new/systemd-234/src/tmpfiles/tmpfiles.c 2018-02-02 09:54:37.000000000 +0100 
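Review bot: The new comment in the strv_join_quoted loop says `NULL terminator` where it means the terminating NUL byte; `NULL` is the pointer constant, so `/* reserve space for the escaped text, the separator, two quotes and the terminating NUL. */` reads correctly. The reservation `len + strlen(esc) + 4` matches that breakdown now that it is derived from the escaped string instead of the former 2x estimate, which is the actual fix here. The enclosing function starts and ends outside the hunk.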
@@ -668,7 +668,41 @@ return r; } +static bool dangerous_hardlinks(void) { + _cleanup_free_ char *value = NULL; + static int cached = -1; + int r; + + /* Check whether the fs.protected_hardlinks sysctl is on. If we can't determine it we assume its off, as that's + * what the upstream default is. */ + + if (cached >= 0) + return cached; + + r = read_one_line_file("/proc/sys/fs/protected_hardlinks", &value); + if (r < 0) { + log_debug_errno(r, "Failed to read fs.protected_hardlinks sysctl: %m"); + return true; + } + + r = parse_boolean(value); + if (r < 0) { + log_debug_errno(r, "Failed to parse fs.protected_hardlinks sysctl: %m"); + return true; + } + + cached = r == 0; + return cached; +} + +static bool hardlink_vulnerable(struct stat *st) { + assert(st); + + return !S_ISDIR(st->st_mode) && st->st_nlink > 1 && dangerous_hardlinks(); +} + static int path_set_perms(Item *i, const char *path) { + char fn[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; _cleanup_close_ int fd = -1; struct stat st; @@ -687,14 +721,17 @@ if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0) return log_error_errno(errno, "Failed to fstat() file %s: %m", path); - if (S_ISLNK(st.st_mode)) - log_debug("Skipping mode an owner fix for symlink %s.", path); - else { - char fn[strlen("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; - xsprintf(fn, "/proc/self/fd/%i", fd); + if (hardlink_vulnerable(&st)) { + log_error("Refusing to set permissions on hardlinked file %s while the fs.protected_hardlinks sysctl is turned off.", path); + return -EPERM; + } + + xsprintf(fn, "/proc/self/fd/%i", fd); - /* not using i->path directly because it may be a glob */ - if (i->mode_set) { + if (i->mode_set) { + if (S_ISLNK(st.st_mode)) + log_debug("Skipping mode fix for symlink %s.", path); + else { mode_t m = i->mode; if (i->mask_perms) { 
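Review bot: `hardlink_vulnerable()` only reads through `st`, so declare it `static bool hardlink_vulnerable(const struct stat *st)`; both call sites in this diff pass the address of a local `struct stat`, which converts implicitly. A one-line header comment would help the next reader, e.g. `/* True if a chmod()/chown() of this inode could reach an unrelated file: non-directory, more than one link, fs.protected_hardlinks off. */`. In dangerous_hardlinks() the two error paths return true without setting `cached`, so the sysctl is re-read on every call when /proc is unavailable or unparsable; a comment saying this is intentional would make that explicit, and `its off` should read `it's off`.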
@@ -709,25 +746,27 @@ } if (m == (st.st_mode & 07777)) - log_debug("\"%s\" has right mode %o", path, st.st_mode); + log_debug("\"%s\" has correct mode %o already.", path, st.st_mode); else { - log_debug("chmod \"%s\" to mode %o", path, m); + log_debug("Changing \"%s\" to mode %o.", path, m); + if (chmod(fn, m) < 0) return log_error_errno(errno, "chmod() of %s via %s failed: %m", path, fn); } } + } - if ((i->uid != st.st_uid || i->gid != st.st_gid) && - (i->uid_set || i->gid_set)) { - log_debug("chown \"%s\" to "UID_FMT"."GID_FMT, - path, - i->uid_set ? i->uid : UID_INVALID, - i->gid_set ? i->gid : GID_INVALID); - if (chown(fn, - i->uid_set ? i->uid : UID_INVALID, - i->gid_set ? i->gid : GID_INVALID) < 0) - return log_error_errno(errno, "chown() of %s via %s failed: %m", path, fn); - } + if ((i->uid != st.st_uid || i->gid != st.st_gid) && + (i->uid_set || i->gid_set)) { + log_debug("Changing \"%s\" to owner "UID_FMT":"GID_FMT, + path, + i->uid_set ? i->uid : UID_INVALID, + i->gid_set ? i->gid : GID_INVALID); + + if (chown(fn, + i->uid_set ? i->uid : UID_INVALID, + i->gid_set ? i->gid : GID_INVALID) < 0) + return log_error_errno(errno, "chown() of %s via %s failed: %m", path, fn); } fd = safe_close(fd); @@ -873,6 +912,11 @@ if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0) return log_error_errno(errno, "Failed to fstat() file %s: %m", path); + if (hardlink_vulnerable(&st)) { + log_error("Refusing to set ACLs on hardlinked file %s while the fs.protected_hardlinks sysctl is turned off.", path); + return -EPERM; + } + if (S_ISLNK(st.st_mode)) { log_debug("Skipping ACL fix for symlink %s.", path); return 0;
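Review bot: With the `S_ISLNK` skip now limited to the mode branch, the `chown(fn, ...)` call is reached for symlinks and relies on the `/proc/self/fd/%i` alias of the fd resolving to the link itself rather than its target; that holds only if the fd is an O_PATH|O_NOFOLLOW open of the link, which happens above the hunk and is inferred here. A comment on the call stating that dependency, e.g. `/* fn aliases an O_PATH|O_NOFOLLOW fd, so for a symlink this changes the link's owner, not the target's */`, or switching to `fchownat(fd, "", uid, gid, AT_EMPTY_PATH)`, which is documented for exactly this case, would keep a later change to the open flags from silently turning this into a chown of the target. path_set_perms begins outside the hunk.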
