diff options
| author | V3n3RiX <venerix@redcorelinux.org> | 2019-07-10 23:40:16 +0100 |
|---|---|---|
| committer | V3n3RiX <venerix@redcorelinux.org> | 2019-07-10 23:40:16 +0100 |
| commit | 51af5f0eb4cddbe6aa7953717873691d77aae9ff (patch) | |
| tree | 1541525274162b033ebbc3ed38abaf335fbbd49a /sys-apps/systemd | |
| parent | 7014a5a3ea0feffab9701fdd6b64cc7667a985af (diff) | |
gentoo resync : 11.07.2019
Diffstat (limited to 'sys-apps/systemd')
| -rw-r--r-- | sys-apps/systemd/Manifest | 11 | ||||
| -rw-r--r-- | sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch | 76 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-network-domains.patch | 57 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-networkd-ipv6-token.patch | 152 | ||||
| -rw-r--r-- | sys-apps/systemd/files/242-rdrand-ryzen.patch | 353 | ||||
| -rw-r--r-- | sys-apps/systemd/files/CVE-2019-6454.patch | 198 | ||||
| -rw-r--r-- | sys-apps/systemd/systemd-241-r4.ebuild (renamed from sys-apps/systemd/systemd-241-r2.ebuild) | 4 | ||||
| -rw-r--r-- | sys-apps/systemd/systemd-242-r6.ebuild (renamed from sys-apps/systemd/systemd-242-r3.ebuild) | 52 | ||||
| -rw-r--r-- | sys-apps/systemd/systemd-9999.ebuild | 47 |
9 files changed, 693 insertions, 257 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest index 330e9045301a..71f2d463071b 100644 --- a/sys-apps/systemd/Manifest +++ b/sys-apps/systemd/Manifest @@ -1,9 +1,12 @@ AUX 241-version-dep.patch 5015 BLAKE2B 63a2f591c6199787cabc5af4c0df14c76e8dba189ca2d69cf539b13a0187fb7f29f7d6a2550b7eee046859d99c9b4de4af11573c624787968a8041e210d8bc75 SHA512 22667683fdec5b92d9dd7afe40930d7483f3025b24152a6d0f9497ac81e9e2a75b467d2b02770d2321ea53236444b5d01217b6f97d725913974ebd2522c6ac58 +AUX 241-wrapper-msan-unpoinson.patch 2248 BLAKE2B fe5ae8e9b770ff973b6a8ac6afa694a920ff1f731b97b93198307c8d0068571e799f21d53acf4c1c5d8b50562a4c1aaa0d176ad7d56eab6fd4fefec9f63c8483 SHA512 93719736a4847d210dc57f92c10b6dd1b18c2ddf0c9885c83ba729466088a54df9709605e5c81e2bb7c528e03523ba5f2af08682cc9e8af1cd9d750c63d4c578 AUX 242-file-max.patch 1314 BLAKE2B 3057d95ff701e188da4fba3b72b8a6e17dec2350a67e056cf1a2e0fa216d0b3aec22cbfbacd11e6ee17331cbda27dbf201fbc9ba2aa794fec9efbe0f612b3b43 SHA512 508a0b56b55839bccef3b3dc48f054e3d2876936cd8a36009dbadaa9a0ae85a5897f95de5c9c4b0e48d80d176e788fa342bd4235224e8cf3adacbe04dfbcebd0 AUX 242-gcc-9.patch 7672 BLAKE2B 1cd98213f70e6813582706e7b523925fd7956507bd5bf113889189d3a5da3e0eb287163449d023755269827e3b5dc8db758a51cd9f37c3f3a69510de31b43109 SHA512 57add7e3215f25ec5547a905c7257ca06adca30d2f4a031eee9882ac16586ea5c5c9d3b50206674dffdb182c78f048834b6c73ab1490253a1ddae15c35878554 +AUX 242-network-domains.patch 2373 BLAKE2B cc9253d3d8f579ef61c2eae0e5e2446afa68a339233b10b3d184cfaa21e6b6c7c53e9d2aa824b80f46ba31a9bded0b55b9a84a8463806edf9ebed0de13f937f5 SHA512 9a3f86e306f69237ae2e3572ac2f0eba1603adff622304e676a06b51ae6f41f68e269f69bdcbbdf537c99b6a9decfdfebe0527d7c500566ae72b8170011f2e26 +AUX 242-networkd-ipv6-token.patch 6525 BLAKE2B 4bbf64154f96419df91caf03f827f37bfb84db6367cb0e618d4a1f34910c3e84793b188d85330c21005dc25300f4b7ae7182d95fe1e0b6c61168dd9d63b2a36d SHA512 e1d230c9b2f1938ff9ca22452ba88ec71454eab6d797f51110d1e80719900dbc7fcb81baced914ac2499878340723183694aca3bb00c956d8fee5cf3f0ad841c +AUX 242-rdrand-ryzen.patch 16177 BLAKE2B 7d1d3709098a233ba58727788b77c30025c0497fff9abb1df007e21160da3f93a7e9d14b0eeb7e6855bbe5fa93abfeda118156cbba355fc2976c83debcbb91d4 SHA512 38d00535a118b060accb8ed4e87681bab5e547270ef7e0abcdcf4766367e22761ffc35d0db7c829e86e0ad45f13cf4c761e71cfdfc70c2675056ef217c85618d AUX 242-socket-util-flush-accept.patch 2123 BLAKE2B 74bfbe440ae548b96d90b41ac45c440b21a63c61ae75a9d2b725d2bdec74a03aeca7b673a656821eb925e6740d6728a41d0dc30275287a92519b47d9c477c487 SHA512 7dd0daa70de4ee264d0b3dfe6f80b5e0c563e5bb5255ca2a92f26c4a993fca178f275f85c9048305b82b258d41c9bcbb28d74f9e2b6c2a0e77748464890cb907 AUX 242-wireguard-listenport.patch 1598 BLAKE2B 3266fe600db530ebb5b8eb726822daf14ee87292b035c09a1eb9a46638cc2dc3b8a3f11dd74684a79f3e521d3999b6b8c3a641f8f7475a5d45706567e00d26f6 SHA512 69e047000eb5ed36850bcbc6b8ef37a646b60a642a07a68547624e81aa6e49c77b848745ca4daad883151ddcaee9e7957ea6430f5a0c0c67ffc7887778f536e9 -AUX CVE-2019-6454.patch 6017 BLAKE2B 8feefe11f44e4136c5fcf87160197bfbc0557d5097bc12275411887005bed1fe56a532d114e2e49527a7f35016a6b5fc04cb1086b33445402ace21eb880c02e9 SHA512 ff84ae9a043f17fd78c7fc499fe532c4d3b46dbe34f24c8289c209a026c1eda20de3ba46b67c8a5b14e9889e6362a4fb2097d550e6bcdb5182455fc569e23224 AUX CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch 1848 BLAKE2B 348c35881ce039f92d8fc8dc8c87af2efa95696afbe79ad8fc4e01129524bdf28b529ab86ec611d08446e589176c0678018d94d8c5fc068c65ab4eb429746cf9 SHA512 693afe328ebc20d34cbf07c632a8da90ee293147e793a599a4d2aac6f757738bfab93048a2f8ed6e68d16f865e9b4112e737c692ad01c7d4946f8c430714161d AUX CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch 6660 BLAKE2B 45acb2595245a5cbd10c2a9c7ffa2db0c4bd5b03ef8dc25eb51fc35dd51a49b3acd18bf4cf8db7f639e7a4e61592f3ce0bcb031bf27b0bf3ae6fc96c74445f77 SHA512 7c082ab4effc36543bab08700b84a3ccddfba5d5e87b324d6b935d75f5debb7a5f7be1c2e21208e8d1715f5d40619c8f775629acdde40d3c7b2f406b5c6d9460 AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0 @@ -13,7 +16,7 @@ AUX gentoo-uucp-group-r1.patch 562 BLAKE2B 98b629d9b20e4fedfb017864dca1346aa1766 AUX nsswitch.conf 734 BLAKE2B 5f5a7821a84f6c8aa31fe9a68c29a1a0f24be578d427a623f14a9ef795e7da481f226efe5511d92932b5edf5638fa719808a0c3a0b8fd340799dd6bcb703a0a1 SHA512 dcbd51dacaaebdff32edb3840cc7b9b47b6521009b8786690e3673a2e78bc60bfd8e591b1048c5d452117c6659b9917ae2864462f5057cc39b704b0130522e60 DIST systemd-241.tar.gz 7640538 BLAKE2B 69d7196fee0d0ad06ea8d7c78b0299cc17517ecce3ca4c0b1181a3fbb13bc2627629156785051e2ff427dcc21414f7a078724c6409ebaa431618e4799ebcd50a SHA512 a7757574590e8aa37e1291ea0b2c5eb03a8d8062fe9462fa5b0bf50830c933e2b301d106c70d904f94afc0aa8e43a8acfd11926dfa25b1b89174580e491e545e DIST systemd-242.tar.gz 7831435 BLAKE2B 288e65d0a8e133ef5885689eb16118a83d93c730e342da63115cea0892fc999104c3a4856c83f3e7ef909ba2f3311146730b05ee02d84cc0400851ccbdcd54cd SHA512 578f68a3c8f2d454198fc04ff8d943abcfb390531d57f9603d185857f7afa7f4dc641dafecf49ce50fe22f5837b252b181400891e8efd4459fd4f69bb4283cb4 -EBUILD systemd-241-r2.ebuild 13842 BLAKE2B b5d00f7241a5481fc7201675c3a7e5bf03f4689d6e9128d1236134e576faed3db92c7eb813ad334ed7b00d9e3c5f3796f1d43181c1f29e7db86e8cf5eaafbc28 SHA512 1216ae355a4c122feeafb1f66900de82c641d0ac5d087695531f558deb4a44bdc29b8a37f5c2521e1db71b2d1fbf0c2287f50a43215710f52f556b2a031f88d5 -EBUILD systemd-242-r3.ebuild 13838 BLAKE2B 41bb4c44967ef31883d455e0ef49ee6dca5f210882043c8db2b82c33fc117a26f945ee6283aef6feea2ab2e0238521113d29e1d612a189575be29d6a498737b8 SHA512 c7bf697a8c24af40807efb4d4d5baf9de65d1c3ff460dee1956557f2ca04941ca1be2425290e23b525301ee8749d68d9a453830ac25a00dc0ce29bd5e8defc80 -EBUILD systemd-9999.ebuild 13673 BLAKE2B d23c5d7f2963f102d98d388ba249400f52a96c95bf6d0e7471f4cae627ac5120289d5cb8c06c4d0c21667d513ac86fbaf4e4ec2bb274c37cc564b32afa239af4 SHA512 9ab3f1e0f6a7735a08dea7df7902427b9318b0edb2d4ed2c6717fb08c06bddd6b7ae7365dd2c88cbc8a36e2f93851769302e2deb2b6c6112affb9d4bdd871565 +EBUILD systemd-241-r4.ebuild 14022 BLAKE2B 673468293f5e17f4342b328f04328cbeff4e0a36c6c72c20a279c2cdd14f31c02d6488d0ad3e92cd95a48d0525c56e0c886522ff1ff8f4d6f2603ec5cd5f178d SHA512 1c92a1c62a282258be1bbb1086cd67a2c01c2b7793239a8bc6c5f01886984eaa65b84a9802efa76548b7cead099808f63168aebc85a4d7a941da9284bc86edd6 +EBUILD systemd-242-r6.ebuild 13934 BLAKE2B 49b1d29b1db73e622d25f3b3e451da57cca6abdb8e9a9c6afb24defd660c30d1842d6c61a86a844c9db7d5e17bb20de1a6c98b9f422efebf51b800b5202223e3 SHA512 caaad0318cab70e09eaf0bceb1aef00641ac721c8494aa756653fe8b50c4888d1407b182dd9ab98159dbd7b2d1a45b4165bd8f35768fae91b683cad20ea93016 +EBUILD systemd-9999.ebuild 13643 BLAKE2B 1651cf9850198e9b5222da34d5bbedbee838fe318bfc3eb752deed3164f10e6a8c4165d77458bef6c24234232d4bccccad44670b597e2c4e0ab30bdeac92df08 SHA512 5cac3833cbb0437878250df43050b2db5ddbd7792b75ff5cb79288f4d67d404df2ad66d7320d153ee056e4c730ec68a232b3b3ba720fc66cdae57798b2a7fa14 MISC metadata.xml 2125 BLAKE2B fed24f3b56a79016c4df8554626c7ae67ff50f97adb9af809a726b226c52690642f9df71b22eab320d3964d764dec1439009d8b8bf6979e407a5704e843829d2 SHA512 414d069185451f72eb1e803da7019da8800b08eade46824620632d795007bdec0e9201af93bb895674e3c48907593062610eb2f22f20ac15d099a593b450b8de diff --git a/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch new file mode 100644 index 000000000000..e337b4f4ca52 --- /dev/null +++ b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch @@ -0,0 +1,76 @@ +From c322f379e6ca972f1c4d3409ac97828b1b838d5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl> +Date: Fri, 22 Feb 2019 13:07:00 +0100 +Subject: [PATCH] Add wrapper for __msan_unpoinson() to reduce #ifdeffery + +This isn't really necessary for the subsequent commit, but I expect that we'll +need to unpoison more often once we turn on msan in CI, so I think think this +change makes sense in the long run. +--- + src/basic/alloc-util.h | 10 ++++++++++ + src/basic/random-util.c | 11 ++--------- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h +index 893a1238ff..78ee34bb71 100644 +--- a/src/basic/alloc-util.h ++++ b/src/basic/alloc-util.h +@@ -8,6 +8,10 @@ + + #include "macro.h" + ++#if HAS_FEATURE_MEMORY_SANITIZER ++# include <sanitizer/msan_interface.h> ++#endif ++ + typedef void (*free_func_t)(void *p); + + /* If for some reason more than 4M are allocated on the stack, let's abort immediately. It's better than +@@ -160,3 +164,9 @@ void* greedy_realloc0(void **p, size_t *allocated, size_t need, size_t size); + (ptr) = NULL; \ + _ptr_; \ + }) ++ ++#if HAS_FEATURE_MEMORY_SANITIZER ++# define msan_unpoison(r, s) __msan_unpoison(r, s) ++#else ++# define msan_unpoison(r, s) ++#endif +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index f7decf60b6..ca25fd2420 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -23,16 +23,13 @@ + # include <linux/random.h> + #endif + ++#include "alloc-util.h" + #include "fd-util.h" + #include "io-util.h" + #include "missing.h" + #include "random-util.h" + #include "time-util.h" + +-#if HAS_FEATURE_MEMORY_SANITIZER +-#include <sanitizer/msan_interface.h> +-#endif +- + int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) +@@ -58,11 +55,7 @@ int rdrand(unsigned long *ret) { + "setc %1" + : "=r" (*ret), + "=qm" (err)); +- +-#if HAS_FEATURE_MEMORY_SANITIZER +- __msan_unpoison(&err, sizeof(err)); +-#endif +- ++ msan_unpoison(&err, sizeof(err)); + if (!err) + return -EAGAIN; + +-- +2.22.0 + diff --git a/sys-apps/systemd/files/242-network-domains.patch b/sys-apps/systemd/files/242-network-domains.patch new file mode 100644 index 000000000000..166a8ee5b76f --- /dev/null +++ b/sys-apps/systemd/files/242-network-domains.patch @@ -0,0 +1,57 @@ +From fe0e16db093a7da09fcb52a2bc7017197047443d Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Mon, 13 May 2019 05:40:31 +0900 +Subject: [PATCH] network: do not use ordered_set_printf() for DOMAINS= or + ROUTE_DOMAINS= + +This partially reverts 5e2a51d588dde4b52c6017ea80b75c16e6e23431. + +Fixes #12531. +--- + src/network/networkd-link.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index f8ee48802cb..1dc10c65a1b 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -3495,12 +3495,11 @@ int link_save(Link *link) { + admin_state, oper_state); + + if (link->network) { +- bool space; ++ char **dhcp6_domains = NULL, **dhcp_domains = NULL; ++ const char *dhcp_domainname = NULL, *p; + sd_dhcp6_lease *dhcp6_lease = NULL; +- const char *dhcp_domainname = NULL; +- char **dhcp6_domains = NULL; +- char **dhcp_domains = NULL; + unsigned j; ++ bool space; + + fprintf(f, "REQUIRED_FOR_ONLINE=%s\n", + yes_no(link->network->required_for_online)); +@@ -3617,7 +3616,10 @@ int link_save(Link *link) { + (void) sd_dhcp6_lease_get_domains(dhcp6_lease, &dhcp6_domains); + } + +- ordered_set_print(f, "DOMAINS=", link->network->search_domains); ++ fputs("DOMAINS=", f); ++ space = false; ++ ORDERED_SET_FOREACH(p, link->network->search_domains, i) ++ fputs_with_space(f, p, NULL, &space); + + if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_YES) { + NDiscDNSSL *dd; +@@ -3635,7 +3637,10 @@ int link_save(Link *link) { + + fputc('\n', f); + +- ordered_set_print(f, "ROUTE_DOMAINS=", link->network->route_domains); ++ fputs("ROUTE_DOMAINS=", f); ++ space = false; ++ ORDERED_SET_FOREACH(p, link->network->route_domains, i) ++ fputs_with_space(f, p, NULL, &space); + + if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_ROUTE) { + NDiscDNSSL *dd; diff --git a/sys-apps/systemd/files/242-networkd-ipv6-token.patch b/sys-apps/systemd/files/242-networkd-ipv6-token.patch new file mode 100644 index 000000000000..87a85f6f6ab0 --- /dev/null +++ b/sys-apps/systemd/files/242-networkd-ipv6-token.patch @@ -0,0 +1,152 @@ +From 4eb086a38712ea98faf41e075b84555b11b54362 Mon Sep 17 00:00:00 2001 +From: Susant Sahani <ssahani@gmail.com> +Date: Thu, 9 May 2019 07:35:35 +0530 +Subject: [PATCH] networkd: fix link_up() (#12505) + +Fillup IFLA_INET6_ADDR_GEN_MODE while we do link_up. + +Fixes the following error: +``` +dummy-test: Could not bring up interface: Invalid argument +``` + +After reading the kernel code when we do a link up +``` +net/core/rtnetlink.c +IFLA_AF_SPEC + af_ops->set_link_af(dev, af); + inet6_set_link_af + if (tb[IFLA_INET6_ADDR_GEN_MODE]) + Here it looks for IFLA_INET6_ADDR_GEN_MODE +``` +Since link up we didn't filling up that it's failing. + +Closes #12504. +--- + src/network/networkd-link.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 3c8b5c5cb43..4db9f3f980f 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -2031,6 +2031,8 @@ static int link_up(Link *link) { + } + + if (link_ipv6_enabled(link)) { ++ uint8_t ipv6ll_mode; ++ + r = sd_netlink_message_open_container(req, IFLA_AF_SPEC); + if (r < 0) + return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); +@@ -2046,6 +2048,19 @@ static int link_up(Link *link) { + return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m"); + } + ++ if (!link_ipv6ll_enabled(link)) ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE; ++ else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0) ++ /* The file may not exist. And event if it exists, when stable_secret is unset, ++ * reading the file fails with EIO. */ ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64; ++ else ++ ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; ++ ++ r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode); ++ if (r < 0) ++ return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m"); ++ + r = sd_netlink_message_close_container(req); + if (r < 0) + return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m"); +From 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f Mon Sep 17 00:00:00 2001 +From: Yu Watanabe <watanabe.yu+github@gmail.com> +Date: Thu, 9 May 2019 14:39:46 +0900 +Subject: [PATCH] network: do not send ipv6 token to kernel + +We disabled kernel RA support. Then, we should not send +IFLA_INET6_TOKEN. +Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice. + +Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and +4eb086a38712ea98faf41e075b84555b11b54362. +--- + src/network/networkd-link.c | 51 +++++-------------------------------- + 1 file changed, 6 insertions(+), 45 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 2b6ff2b6c58..b6da4ea70b7 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1954,6 +1954,9 @@ static int link_configure_addrgen_mode(Link *link) { + assert(link->manager); + assert(link->manager->rtnl); + ++ if (!socket_ipv6_is_supported()) ++ return 0; ++ + log_link_debug(link, "Setting address genmode for link"); + + r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex); +@@ -2047,46 +2050,6 @@ static int link_up(Link *link) { + return log_link_error_errno(link, r, "Could not set MAC address: %m"); + } + +- if (link_ipv6_enabled(link)) { +- uint8_t ipv6ll_mode; +- +- r = sd_netlink_message_open_container(req, IFLA_AF_SPEC); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); +- +- /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */ +- r = sd_netlink_message_open_container(req, AF_INET6); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m"); +- +- if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) { +- r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m"); +- } +- +- if (!link_ipv6ll_enabled(link)) +- ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE; +- else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0) +- /* The file may not exist. And event if it exists, when stable_secret is unset, +- * reading the file fails with EIO. */ +- ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64; +- else +- ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY; +- +- r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m"); +- +- r = sd_netlink_message_close_container(req); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m"); +- +- r = sd_netlink_message_close_container(req); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m"); +- } +- + r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler, + link_netlink_destroy_callback, link); + if (r < 0) +@@ -3226,11 +3189,9 @@ static int link_configure(Link *link) { + if (r < 0) + return r; + +- if (socket_ipv6_is_supported()) { +- r = link_configure_addrgen_mode(link); +- if (r < 0) +- return r; +- } ++ r = link_configure_addrgen_mode(link); ++ if (r < 0) ++ return r; + + return link_configure_after_setting_mtu(link); + } diff --git a/sys-apps/systemd/files/242-rdrand-ryzen.patch b/sys-apps/systemd/files/242-rdrand-ryzen.patch new file mode 100644 index 000000000000..ec690c1b3f6c --- /dev/null +++ b/sys-apps/systemd/files/242-rdrand-ryzen.patch @@ -0,0 +1,353 @@ +From d351699739471734666230ae3c6f9ba56ce5ce45 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 16:18:13 -0400 +Subject: [PATCH 1/6] =?UTF-8?q?random-util:=20rename=20RANDOM=5FDONT=5FDRA?= + =?UTF-8?q?IN=20=E2=86=92=20RANDOM=5FMAY=5FFAIL?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The old flag name was a bit of a misnomer, as /dev/urandom cannot be +"drained". Once it's initialized it's initialized and then is good +forever. (Only /dev/random has a concept of 'draining', but we never use +that, as it's an obsolete interface). + +The flag is still useful though, since it allows us to suppress accesses +to the random pool while it is not initialized, as that trips up the +kernel and it logs about any such attempts, which we really don't want. + +(cherry picked from commit 1a0ffa1e737e65312abac63dcf4b44e1ac0e1642) +--- + src/basic/random-util.c | 36 +++++++++++++++++++----------------- + src/basic/random-util.h | 4 ++-- + 2 files changed, 21 insertions(+), 19 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index ca25fd2420..de29e07549 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -71,21 +71,22 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + bool got_some = false; + int r; + +- /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't +- * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random +- * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether +- * the random pool is fully initialized or not. */ ++ /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This ++ * call won't block, unless the RANDOM_BLOCK flag is set. If RANDOM_MAY_FAIL is set, an error is ++ * returned if the random pool is not initialized. Otherwise it will always return some data from the ++ * kernel, regardless of whether the random pool is fully initialized or not. */ + + if (n == 0) + return 0; + + if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND)) +- /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not +- * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here, +- * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's +- * because we don't really care about the quality here. We generally prefer using RDRAND if the caller +- * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the +- * pool's entropy is scarce. */ ++ /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is ++ * not required, as we don't trust it (who does?). Note that we only do a single iteration of ++ * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10 ++ * invocations or so. That's because we don't really care about the quality here. We ++ * generally prefer using RDRAND if the caller allows us to, since this way we won't upset ++ * the kernel's random subsystem by accessing it before the pool is initialized (after all it ++ * will kmsg log about every attempt to do so)..*/ + for (;;) { + unsigned long u; + size_t m; +@@ -153,12 +154,13 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + break; + + } else if (errno == EAGAIN) { +- /* The kernel has no entropy whatsoever. Let's remember to use the syscall the next +- * time again though. ++ /* The kernel has no entropy whatsoever. Let's remember to use the syscall ++ * the next time again though. + * +- * If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some +- * pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty, +- * but the kernel will produce some bytes for us on a best-effort basis. */ ++ * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can ++ * produce some pseudo-random bytes instead. Otherwise, fall back to ++ * /dev/urandom, which we know is empty, but the kernel will produce some ++ * bytes for us on a best-effort basis. */ + have_syscall = true; + + if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) { +@@ -167,7 +169,7 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) { + return 0; + } + +- if (FLAGS_SET(flags, RANDOM_DONT_DRAIN)) ++ if (FLAGS_SET(flags, RANDOM_MAY_FAIL)) + return -ENODATA; + + /* Use /dev/urandom instead */ +@@ -250,7 +252,7 @@ void pseudo_random_bytes(void *p, size_t n) { + + void random_bytes(void *p, size_t n) { + +- if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0) ++ if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND) >= 0) + return; + + /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */ +diff --git a/src/basic/random-util.h b/src/basic/random-util.h +index 3e8c288d3d..148b6c7813 100644 +--- a/src/basic/random-util.h ++++ b/src/basic/random-util.h +@@ -8,11 +8,11 @@ + typedef enum RandomFlags { + RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */ + RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */ +- RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */ ++ RANDOM_MAY_FAIL = 1 << 2, /* If we can't get any randomness at all, return early with -ENODATA */ + RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */ + } RandomFlags; + +-int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */ ++int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled up with pseudo random, if not enough is available */ + void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */ + void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */ + +-- +2.22.0 + + +From 1f492b9ecc31aa3782f9ce82058d8fb72a5c323f Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 16:21:44 -0400 +Subject: [PATCH 2/6] random-util: use gcc's bit_RDRND definition if it exists + +(cherry picked from commit cc28145d51f62711fdc4b4c229aecd5778806419) +--- + src/basic/random-util.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index de29e07549..205d5501e5 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -45,7 +45,12 @@ int rdrand(unsigned long *ret) { + return -EOPNOTSUPP; + } + +- have_rdrand = !!(ecx & (1U << 30)); ++/* Compat with old gcc where bit_RDRND didn't exist yet */ ++#ifndef bit_RDRND ++#define bit_RDRND (1U << 30) ++#endif ++ ++ have_rdrand = !!(ecx & bit_RDRND); + } + + if (have_rdrand == 0) +-- +2.22.0 + + +From 6460c540e6183dd19de89b7f0672b3b47c4d41cc Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 17:26:55 -0400 +Subject: [PATCH 3/6] random-util: hash AT_RANDOM getauxval() value before + using it + +Let's be a bit paranoid and hash the 16 bytes we get from getauxval() +before using them. AFter all they might be used by other stuff too (in +particular ASLR), and we probably shouldn't end up leaking that seed +though our crappy pseudo-random numbers. + +(cherry picked from commit 80eb560a5bd7439103036867d5e09a5e0393e5d3) +--- + src/basic/random-util.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 205d5501e5..40f1928936 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -28,6 +28,7 @@ + #include "io-util.h" + #include "missing.h" + #include "random-util.h" ++#include "siphash24.h" + #include "time-util.h" + + int rdrand(unsigned long *ret) { +@@ -203,14 +204,19 @@ void initialize_srand(void) { + return; + + #if HAVE_SYS_AUXV_H +- /* The kernel provides us with 16 bytes of entropy in auxv, so let's +- * try to make use of that to seed the pseudo-random generator. It's +- * better than nothing... */ ++ /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed ++ * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder ++ * to recover the original value by watching any pseudo-random bits we generate. After all the ++ * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't ++ * leak the seed for that. */ + +- auxv = (const void*) getauxval(AT_RANDOM); ++ auxv = ULONG_TO_PTR(getauxval(AT_RANDOM)); + if (auxv) { +- assert_cc(sizeof(x) <= 16); +- memcpy(&x, auxv, sizeof(x)); ++ static const uint8_t auxval_hash_key[16] = { ++ 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f ++ }; ++ ++ x = (unsigned) siphash24(auxv, 16, auxval_hash_key); + } else + #endif + x = 0; +-- +2.22.0 + + +From 17d52f6320b45d1728af6007b4df4aaccc6fdaf4 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Tue, 7 May 2019 18:51:26 -0400 +Subject: [PATCH 4/6] random-util: rename "err" to "success" + +After all rdrand returns 1 on success, and 0 on failure, hence let's +name this accordingly. + +(cherry picked from commit 328f850e36e86d14ab06d11fa8f2397e9575a7f9) +--- + src/basic/random-util.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 40f1928936..7c64857592 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -35,7 +35,7 @@ int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) + static int have_rdrand = -1; +- unsigned char err; ++ uint8_t success; + + if (have_rdrand < 0) { + uint32_t eax, ebx, ecx, edx; +@@ -60,9 +60,9 @@ int rdrand(unsigned long *ret) { + asm volatile("rdrand %0;" + "setc %1" + : "=r" (*ret), +- "=qm" (err)); +- msan_unpoison(&err, sizeof(err)); +- if (!err) ++ "=qm" (success)); ++ msan_unpoison(&success, sizeof(sucess)); ++ if (!success) + return -EAGAIN; + + return 0; +-- +2.22.0 + + +From a6c72245ba5ba688cd6544650b9c6e313b39b53e Mon Sep 17 00:00:00 2001 +From: Evgeny Vereshchagin <evvers@ya.ru> +Date: Wed, 8 May 2019 15:50:53 +0200 +Subject: [PATCH 5/6] util-lib: fix a typo in rdrand + +Otherwise, the fuzzers will fail to compile with MSan: +``` +../../src/systemd/src/basic/random-util.c:64:40: error: use of undeclared identifier 'sucess'; did you mean 'success'? + msan_unpoison(&success, sizeof(sucess)); + ^~~~~~ + success +../../src/systemd/src/basic/alloc-util.h:169:50: note: expanded from macro 'msan_unpoison' + ^ +../../src/systemd/src/basic/random-util.c:38:17: note: 'success' declared here + uint8_t success; + ^ +1 error generated. +[80/545] Compiling C object 'src/basic/a6ba3eb@@basic@sta/process-util.c.o'. +ninja: build stopped: subcommand failed. +Fuzzers build failed +``` + +(cherry picked from commit 7f2cdceaed4d37c4e601e531c7d863fca1bd1460) +--- + src/basic/random-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index 7c64857592..b8bbf2d418 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -61,7 +61,7 @@ int rdrand(unsigned long *ret) { + "setc %1" + : "=r" (*ret), + "=qm" (success)); +- msan_unpoison(&success, sizeof(sucess)); ++ msan_unpoison(&success, sizeof(success)); + if (!success) + return -EAGAIN; + +-- +2.22.0 + + +From 47eec0ae61c887cb8cc05ce8d49b8d151bc4ef25 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering <lennart@poettering.net> +Date: Fri, 10 May 2019 15:16:16 -0400 +Subject: [PATCH 6/6] random-util: eat up bad RDRAND values seen on AMD CPUs + +An ugly, ugly work-around for #11810. And no, we shouldn't have to do +this. This is something for AMD, the firmware or the kernel to +fix/work-around, not us. But nonetheless, this should do it for now. + +Fixes: #11810 +(cherry picked from commit 1c53d4a070edbec8ad2d384ba0014d0eb6bae077) +--- + src/basic/random-util.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git a/src/basic/random-util.c b/src/basic/random-util.c +index b8bbf2d418..0561f0cb22 100644 +--- a/src/basic/random-util.c ++++ b/src/basic/random-util.c +@@ -35,6 +35,7 @@ int rdrand(unsigned long *ret) { + + #if defined(__i386__) || defined(__x86_64__) + static int have_rdrand = -1; ++ unsigned long v; + uint8_t success; + + if (have_rdrand < 0) { +@@ -59,12 +60,24 @@ int rdrand(unsigned long *ret) { + + asm volatile("rdrand %0;" + "setc %1" +- : "=r" (*ret), ++ : "=r" (v), + "=qm" (success)); + msan_unpoison(&success, sizeof(success)); + if (!success) + return -EAGAIN; + ++ /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success ++ * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be ++ * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking ++ * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around ++ * only however and something AMD really should fix properly. The Linux kernel should probably work ++ * around this issue by turning off RDRAND altogether on those CPUs. See: ++ * https://github.com/systemd/systemd/issues/11810 */ ++ if (v == 0 || v == ULONG_MAX) ++ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN), ++ "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v); ++ ++ *ret = v; + return 0; + #else + return -EOPNOTSUPP; +-- +2.22.0 + diff --git a/sys-apps/systemd/files/CVE-2019-6454.patch b/sys-apps/systemd/files/CVE-2019-6454.patch deleted file mode 100644 index 97b7d635e7d6..000000000000 --- a/sys-apps/systemd/files/CVE-2019-6454.patch +++ /dev/null @@ -1,198 +0,0 @@ ---- a/src/libsystemd/sd-bus/bus-internal.c -+++ b/src/libsystemd/sd-bus/bus-internal.c -@@ -45,7 +45,7 @@ - if (slash) - return false; - -- return true; -+ return (q - p) <= BUS_PATH_SIZE_MAX; - } - - char* object_path_startswith(const char *a, const char *b) { ---- a/src/libsystemd/sd-bus/bus-internal.h -+++ b/src/libsystemd/sd-bus/bus-internal.h -@@ -333,6 +333,10 @@ - - #define BUS_MESSAGE_SIZE_MAX (128*1024*1024) - #define BUS_AUTH_SIZE_MAX (64*1024) -+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one -+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however, -+ * to not clash unnecessarily with real-life applications. */ -+#define BUS_PATH_SIZE_MAX (64*1024) - - #define BUS_CONTAINER_DEPTH 128 - ---- a/src/libsystemd/sd-bus/bus-objects.c -+++ b/src/libsystemd/sd-bus/bus-objects.c -@@ -1134,7 +1134,8 @@ - const char *path, - sd_bus_error *error) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -1150,7 +1151,12 @@ - return 0; - - /* Second, add fallback vtables registered for any of the prefixes */ -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_manager_serialize_path(bus, reply, prefix, path, true, error); - if (r < 0) -@@ -1346,6 +1352,7 @@ - } - - int bus_process_object(sd_bus *bus, sd_bus_message *m) { -+ _cleanup_free_ char *prefix = NULL; - int r; - size_t pl; - bool found_object = false; -@@ -1370,9 +1377,12 @@ - assert(m->member); - - pl = strlen(m->path); -- do { -- char prefix[pl+1]; -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; - -+ do { - bus->nodes_modified = false; - - r = object_find_and_run(bus, m, m->path, false, &found_object); -@@ -1499,9 +1509,15 @@ - - n = hashmap_get(bus->nodes, path); - if (!n) { -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; -+ -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; - -- prefix = alloca(strlen(path) + 1); - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - n = hashmap_get(bus->nodes, prefix); - if (n) -@@ -2091,8 +2107,9 @@ - char **names) { - - BUS_DONT_DESTROY(bus); -+ _cleanup_free_ char *prefix = NULL; - bool found_interface = false; -- char *prefix; -+ size_t pl; - int r; - - assert_return(bus, -EINVAL); -@@ -2111,6 +2128,12 @@ - if (names && names[0] == NULL) - return 0; - -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - do { - bus->nodes_modified = false; - -@@ -2120,7 +2143,6 @@ - if (bus->nodes_modified) - continue; - -- prefix = alloca(strlen(path) + 1); - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names); - if (r != 0) -@@ -2252,7 +2274,8 @@ - - static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2297,7 +2320,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_added_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2436,7 +2464,8 @@ - - static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) { - _cleanup_set_free_ Set *s = NULL; -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2468,7 +2497,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = object_removed_append_all_prefix(bus, m, s, prefix, path, true); - if (r < 0) -@@ -2618,7 +2652,8 @@ - const char *path, - const char *interface) { - -- char *prefix; -+ _cleanup_free_ char *prefix = NULL; -+ size_t pl; - int r; - - assert(bus); -@@ -2632,7 +2667,12 @@ - if (bus->nodes_modified) - return 0; - -- prefix = alloca(strlen(path) + 1); -+ pl = strlen(path); -+ assert(pl <= BUS_PATH_SIZE_MAX); -+ prefix = new(char, pl + 1); -+ if (!prefix) -+ return -ENOMEM; -+ - OBJECT_PATH_FOREACH_PREFIX(prefix, path) { - r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true); - if (r != 0) - - - diff --git a/sys-apps/systemd/systemd-241-r2.ebuild b/sys-apps/systemd/systemd-241-r4.ebuild index f1d8b6296e60..9ea26e0dc874 100644 --- a/sys-apps/systemd/systemd-241-r2.ebuild +++ b/sys-apps/systemd/systemd-241-r4.ebuild @@ -171,6 +171,9 @@ src_prepare() { "${FILESDIR}"/241-version-dep.patch "${FILESDIR}"/242-gcc-9.patch "${FILESDIR}"/242-file-max.patch + "${FILESDIR}"/241-wrapper-msan-unpoinson.patch + "${FILESDIR}"/242-rdrand-ryzen.patch + "${FILESDIR}"/242-networkd-ipv6-token.patch ) if ! use vanilla; then @@ -217,6 +220,7 @@ meson_multilib_native_use() { multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" + -Dsupport-url="https://gentoo.org/support/" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" diff --git a/sys-apps/systemd/systemd-242-r3.ebuild b/sys-apps/systemd/systemd-242-r6.ebuild index 4af6fc44b6e6..ee5c06d520ae 100644 --- a/sys-apps/systemd/systemd-242-r3.ebuild +++ b/sys-apps/systemd/systemd-242-r6.ebuild @@ -11,7 +11,7 @@ else MY_P=${PN}-${MY_PV} S=${WORKDIR}/${MY_P} SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 sparc ~x86" fi PYTHON_COMPAT=( python{3_5,3_6,3_7} ) @@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi gnutls http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb" +IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb" REQUIRED_USE="importd? ( curl gcrypt lzma )" RESTRICT="!test? ( test )" @@ -38,15 +38,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2:0= ) cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) curl? ( net-misc/curl:0= ) - dns-over-tls? ( - gnutls? ( >=net-libs/gnutls-3.5.3:0= ) - !gnutls? ( >=dev-libs/openssl-1.1.0:0= ) - ) + dns-over-tls? ( >=net-libs/gnutls-3.5.3:0= ) elfutils? ( >=dev-libs/elfutils-0.158:0= ) gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) http? ( - >=net-libs/libmicrohttpd-0.9.33:0= - gnutls? ( >=net-libs/gnutls-3.1.4:0= ) + >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] + >=net-libs/gnutls-3.1.4:0= ) idn? ( libidn2? ( net-dns/libidn2:= ) @@ -67,6 +64,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] selinux? ( sys-libs/libselinux:0= ) xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) +" + # baselayout-2.2 has /run RDEPEND="${COMMON_DEPEND} >=sys-apps/baselayout-2.2 @@ -91,12 +94,6 @@ PDEPEND=">=sys-apps/dbus-1.9.8[systemd] policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" -# Newer linux-headers needed by ia64, bug #480218 -DEPEND=" - >=sys-kernel/linux-headers-${MINKV} - gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) -" - BDEPEND=" app-arch/xz-utils:0 dev-util/gperf @@ -174,6 +171,9 @@ src_prepare() { "${FILESDIR}"/242-socket-util-flush-accept.patch "${FILESDIR}"/242-wireguard-listenport.patch "${FILESDIR}"/242-file-max.patch + "${FILESDIR}"/242-rdrand-ryzen.patch + "${FILESDIR}"/242-networkd-ipv6-token.patch + "${FILESDIR}"/242-network-domains.patch ) if ! use vanilla; then @@ -220,6 +220,7 @@ meson_multilib_native_use() { multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" + -Dsupport-url="https://gentoo.org/support/" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" @@ -239,11 +240,11 @@ multilib_src_configure() { -Daudit=$(meson_multilib_native_use audit) -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) -Dlibcurl=$(meson_multilib_native_use curl) + -Ddns-over-tls=$(meson_multilib_native_use dns-over-tls) -Delfutils=$(meson_multilib_native_use elfutils) -Dgcrypt=$(meson_use gcrypt) -Dgnu-efi=$(meson_multilib_native_use gnuefi) - -Dgnutls=$(meson_multilib_native_use gnutls) - -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" + -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" -Dmicrohttpd=$(meson_multilib_native_use http) -Dimportd=$(meson_multilib_native_use importd) -Dbzip2=$(meson_multilib_native_use importd) @@ -301,15 +302,6 @@ multilib_src_configure() { ) fi - if multilib_is_native_abi && use dns-over-tls; then - myconf+=( - -Ddns-over-tls=true - -Dopenssl=$(usex !gnutls true false) - ) - else - myconf+=( -Ddns-over-tls=false -Dopenssl=false ) - fi - meson_src_configure "${myconf[@]}" } @@ -351,9 +343,14 @@ multilib_src_install_all() { # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,user} keepdir /etc/udev/{hwdb.d,rules.d} - keepdir /var/log/journal/remote + keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + rm -rf "${ED}"/var/log || die # Symlink /etc/sysctl.conf for easy migration. dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf @@ -438,7 +435,6 @@ pkg_postinst() { enewgroup kvm 78 enewgroup render enewgroup systemd-journal - newusergroup systemd-bus-proxy newusergroup systemd-coredump newusergroup systemd-journal-gateway newusergroup systemd-journal-remote diff --git a/sys-apps/systemd/systemd-9999.ebuild b/sys-apps/systemd/systemd-9999.ebuild index 201667ade310..27de1bc2e194 100644 --- a/sys-apps/systemd/systemd-9999.ebuild +++ b/sys-apps/systemd/systemd-9999.ebuild @@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd" LICENSE="GPL-2 LGPL-2.1 MIT public-domain" SLOT="0/2" -IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi gnutls http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb" +IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb" REQUIRED_USE="importd? ( curl gcrypt lzma )" RESTRICT="!test? ( test )" @@ -38,15 +38,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] audit? ( >=sys-process/audit-2:0= ) cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= ) curl? ( net-misc/curl:0= ) - dns-over-tls? ( - gnutls? ( >=net-libs/gnutls-3.5.3:0= ) - !gnutls? ( >=dev-libs/openssl-1.1.0:0= ) - ) + dns-over-tls? ( >=net-libs/gnutls-3.5.3:0= ) elfutils? ( >=dev-libs/elfutils-0.158:0= ) gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] ) http? ( - >=net-libs/libmicrohttpd-0.9.33:0= - gnutls? ( >=net-libs/gnutls-3.1.4:0= ) + >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)] + >=net-libs/gnutls-3.1.4:0= ) idn? ( libidn2? ( net-dns/libidn2:= ) @@ -67,6 +64,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}] selinux? ( sys-libs/libselinux:0= ) xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )" +# Newer linux-headers needed by ia64, bug #480218 +DEPEND="${COMMON_DEPEND} + >=sys-kernel/linux-headers-${MINKV} + gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) +" + # baselayout-2.2 has /run RDEPEND="${COMMON_DEPEND} >=sys-apps/baselayout-2.2 @@ -91,12 +94,6 @@ PDEPEND=">=sys-apps/dbus-1.9.8[systemd] policykit? ( sys-auth/polkit ) !vanilla? ( sys-apps/gentoo-systemd-integration )" -# Newer linux-headers needed by ia64, bug #480218 -DEPEND=" - >=sys-kernel/linux-headers-${MINKV} - gnuefi? ( >=sys-boot/gnu-efi-3.0.2 ) -" - BDEPEND=" app-arch/xz-utils:0 dev-util/gperf @@ -216,6 +213,7 @@ meson_multilib_native_use() { multilib_src_configure() { local myconf=( --localstatedir="${EPREFIX}/var" + -Dsupport-url="https://gentoo.org/support/" -Dpamlibdir="$(getpam_mod_dir)" # avoid bash-completion dep -Dbashcompletiondir="$(get_bashcompdir)" @@ -235,11 +233,11 @@ multilib_src_configure() { -Daudit=$(meson_multilib_native_use audit) -Dlibcryptsetup=$(meson_multilib_native_use cryptsetup) -Dlibcurl=$(meson_multilib_native_use curl) + -Ddns-over-tls=$(meson_multilib_native_use dns-over-tls) -Delfutils=$(meson_multilib_native_use elfutils) -Dgcrypt=$(meson_use gcrypt) -Dgnu-efi=$(meson_multilib_native_use gnuefi) - -Dgnutls=$(meson_multilib_native_use gnutls) - -Defi-libdir="${EPREFIX}/usr/$(get_libdir)" + -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)" -Dmicrohttpd=$(meson_multilib_native_use http) -Dimportd=$(meson_multilib_native_use importd) -Dbzip2=$(meson_multilib_native_use importd) @@ -297,15 +295,6 @@ multilib_src_configure() { ) fi - if multilib_is_native_abi && use dns-over-tls; then - myconf+=( - -Ddns-over-tls=true - -Dopenssl=$(usex !gnutls true false) - ) - else - myconf+=( -Ddns-over-tls=false -Dopenssl=false ) - fi - meson_src_configure "${myconf[@]}" } @@ -347,9 +336,14 @@ multilib_src_install_all() { # Preserve empty dirs in /etc & /var, bug #437008 keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d} - keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd + keepdir /etc/kernel/install.d + keepdir /etc/systemd/{network,user} keepdir /etc/udev/{hwdb.d,rules.d} - keepdir /var/log/journal/remote + keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown} + keepdir /usr/lib/{binfmt.d,modules-load.d} + keepdir /usr/lib/systemd/user-generators + keepdir /var/lib/systemd + rm -rf "${ED}"/var/log || die # Symlink /etc/sysctl.conf for easy migration. dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf @@ -434,7 +428,6 @@ pkg_postinst() { enewgroup kvm 78 enewgroup render enewgroup systemd-journal - newusergroup systemd-bus-proxy newusergroup systemd-coredump newusergroup systemd-journal-gateway newusergroup systemd-journal-remote |