diffstat for systemd-237 systemd-237 changelog | 671 +++ control | 6 extra/dhclient-enter-resolved-hook | 72 extra/modprobe.d-udeb/scsi-mod-scan-sync.conf | 4 extra/systemd-sysv-install | 3 extra/units/systemd-resolved.service.d/resolvconf.conf | 8 extra/write_persistent_net_s390x_virtio | 41 gbp.conf | 2 libnss-resolve.postrm | 4 patches/Gettextize-policy-files.patch | 895 +++++ patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch | 27 patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch | 28 patches/debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch | 900 +++++ patches/debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch | 671 +++ patches/debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch | 181 + patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch | 42 patches/debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch | 24 patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch | 22 patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch | 66 patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch | 50 patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch | 40 patches/debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch | 53 patches/debian/UBUNTU-test-fs-utils-detect-container.patch | 33 patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch | 26 patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch | 45 patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch | 23 patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch | 42 patches/debian/Ubuntu-UseDomains-by-default.patch | 75 patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch | 39 patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch | 22 
patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch | 8 patches/install-detect-masked-unit-with-drop-ins.patch | 26 patches/l10n-Update-POTFILES.in-and-POTFILES.skip.patch | 52 patches/l10n-update-POTFILES.in-8163.patch | 20 patches/meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch | 185 + patches/meson-drop-unnecessary-transformation-of-policy-files.patch | 1695 ++++++++++ patches/meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch | 37 patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch | 79 patches/series | 32 patches/test-masked-unit-with-drop-ins.patch | 30 patches/test-test-functions-Debian-Ubuntu-now-ship-95-dm-notify.r.patch | 27 patches/test-test-functions-on-PP64-use-vmlinux.patch | 33 patches/test-test-functions-on-PPC64-use-hvc0-console.patch | 39 rules | 3 systemd.postinst | 42 systemd.prerm | 15 tests/boot-and-services | 11 tests/boot-smoke | 49 tests/control | 21 tests/root-unittests | 9 tests/systemd-fsckd | 29 tests/upstream | 17 udev-udeb.install | 1 udev.postinst | 8 54 files changed, 6519 insertions(+), 64 deletions(-)
diff -Nru systemd-237/debian/changelog systemd-237/debian/changelog
--- systemd-237/debian/changelog 2018-02-14 22:07:17.000000000 +0000
+++ systemd-237/debian/changelog 2018-04-20 16:55:56.000000000 +0000
@@ -1,3 +1,103 @@ +systemd (237-3ubuntu10) bionic; urgency=medium + + * Create tmpfiles for persistent journal in postinst only when running + systemd (LP: #1748659) + + -- Balint Reczey Fri, 20 Apr 2018 18:55:56 +0200 + +systemd (237-3ubuntu9) bionic; urgency=medium + + * networkd: if RA was implicit, do not await ndisc_configured. + If RA was iplicit, meaning not otherwise requested, and a kernel default was in + use. Do not prevent link entering configured state, whilst ndisc configuration + is pending. Implicit kernel RA, is expected to be asynchronous and + non-blocking. (LP: #1765173) + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. + This ensures that all scans are completed, before installer reaches + partitioning stage. (LP: #1751813) + + -- Dimitri John Ledkov Fri, 20 Apr 2018 04:35:33 +0100 + +systemd (237-3ubuntu8) bionic; urgency=medium + + * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001). + (LP: #1727237) + * resolved: Listen on both TCP and UDP by default. (LP: #1731522) + * Recommend networkd-dispatcher (LP: #1762386) + * Refresh patches + + -- Dimitri John Ledkov Thu, 12 Apr 2018 12:12:24 +0100 + +systemd (237-3ubuntu7) bionic; urgency=medium + + * Introduce suspend then hibernate (LP: #1756006) + + -- Mario Limonciello Mon, 02 Apr 2018 14:25:04 -0500 + +systemd (237-3ubuntu6) bionic; urgency=medium + + * Adjust the new dropin test, for v237 systemd. + * Refresh the keyring patch, to the one merged. + + -- Dimitri John Ledkov Tue, 27 Mar 2018 13:40:09 +0100 + +systemd (237-3ubuntu5) bionic; urgency=medium + + * Drop old keyring/invocation_id patch, which made keyring setup be skipped in containers. + * Use new patch, which sets up session keyring without relying on chown operation. + * Drop systemd.prerm safety check. 
+ On Ubuntu, systemd is the only choice, and is essential, via init -> + systemd-sysv -> systemd dependency chain, thus removing systemd is already + quite hard, and appropriate warnings are emitted by dpkg. (LP: #1758438) + * Detect Masked unit with drop-ins. (LP: #1752722) + * wait-online: do not wait, if no links are managed (neither configured, or failed). + (LP: #1728181) + * journald.service: set Nice=-1 to dodge watchdog on soft lockups. + (LP: #1696970) + * Refresh all patches. + + -- Dimitri John Ledkov Mon, 26 Mar 2018 15:55:25 +0100 + +systemd (237-3ubuntu4) bionic; urgency=medium + + * systemd-sysv-install: fix name initialisation. + Only initialise NAME, after --root optional argument has been parsed, otherwise + NAME is initialized to e.g. `enable', instead of to the `unit-name`, resulting + in failures. (LP: #1752882) + + -- Dimitri John Ledkov Mon, 05 Mar 2018 09:57:58 +0100 + +systemd (237-3ubuntu3) bionic; urgency=medium + + * tests/control: drop qemu-system-ppc. + Whilst some tests pass, many regress / fail to boot. This is not a regression, + as qemu-based tests were not run previously. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 17:40:02 +0000 + +systemd (237-3ubuntu2) bionic; urgency=medium + + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * test/test-functions: on PPC64 use hvc0 console. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 12:03:14 +0000 + +systemd (237-3ubuntu1) bionic; urgency=medium + + [ Gunnar Hjalmarsson ] + * Fix PO template creation. + Cherry-pick upstream patches to build a correct systemd.pot including + the polkit policy files even without policykit-1 being installed. + (LP: #1707898) + + [ Dimitri John Ledkov ] + * Blacklist TEST-16-EXTEND-TIMEOUT + * test/test-functions: use vmlinux for ppc64 tests. 
+ + -- Dimitri John Ledkov Mon, 19 Feb 2018 21:15:23 +0000 + systemd (237-3) unstable; urgency=medium [ Martin Pitt ] 
@@ -20,6 +120,52 @@ -- Michael Biebl Wed, 14 Feb 2018 23:07:17 +0100 +systemd (237-2ubuntu3) bionic; urgency=medium + + * test/test-fs-util: detect container, in addition to root. + On armhf, during autopkgtests, whilst root is avilable, full capabilities in + parent namespace are not, since the tests are run in an LXD container. + This should resolve armhf autopkgtest failure. + * test/test-functions: launch qemu-system with -vga none. + Should resolve booting qemu-system-ppc64 without seabios. + * tests/upstream: skip parts of extend time out tests, regressed. + (LP: #1750364) + + -- Dimitri John Ledkov Mon, 19 Feb 2018 13:32:07 +0000 + +systemd (237-2ubuntu2) bionic; urgency=medium + + * Fix cryptsetup tests by shipping 95-dm-notify udev rule. (LP: #1749432) + * debian/tests/systemd-fsckd: update assertions expectations for v237 + fsck got rewritten to use "safe_fork" and whilst previously it would ignore the + error, when fsck is terminated by signal PIPE, it no longer does so. Thus one + should expect systemd-fsck-root.service to have failed in certain test cases. + + -- Dimitri John Ledkov Thu, 15 Feb 2018 00:32:54 +0000 + +systemd (237-2ubuntu1) bionic; urgency=medium + + [ Michael Vogt ] + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file + (LP: #1749000) + + [ Martin Pitt ] + * debian/tests/boot-smoke: More robust journal checking. + Also fail the test if calling journalctl fails, and avoid calling it + twice. See https://github.com/systemd/systemd/pull/8032 + + [ Gunnar Hjalmarsson ] + * Fix creation of translation template + - State the gettext package domain "systemd" explicitly, as with the + move to meson it ended up as "untitled.pot" + - Call xgettext to extract strings from polkit *.policy.in files, which + intltool-update ignores. 
(LP: #1707898) + + [ Dimitri John Ledkov ] + * Enable qemu tests on all architectures LP: #1749540 + + -- Dimitri John Ledkov Wed, 14 Feb 2018 16:43:12 +0000 + systemd (237-2) unstable; urgency=medium * Drop debian/extra/rules/70-debian-uaccess.rules. 
@@ -32,6 +178,47 @@ -- Michael Biebl Fri, 09 Feb 2018 23:35:31 +0100 +systemd (237-1ubuntu3) bionic; urgency=medium + + * Re-enable gnu-efi on arm64, binutils is fixed + * Cherrpick PR8133 to resolve too strict PidFile handling, which breaks + services starting with potentially insecure pidfiles e.g. munin + * Disable LLMNR and MulticastDNS by default LP: #1739672 + + -- Dimitri John Ledkov Fri, 09 Feb 2018 15:49:01 +0000 + +systemd (237-1ubuntu2) bionic; urgency=medium + + * Disable gnu-efi on arm64, due to FTBFS. LP: #1746765 + + -- Dimitri John Ledkov Fri, 02 Feb 2018 23:30:05 +0000 + +systemd (237-1ubuntu1) bionic; urgency=medium + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - Use stub-resolv.conf as the default provider of /etc/resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remount fs in containers, for non-degrated boot + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + - Do not use nested kvm during ADT tests + - Fix ADT systemd-fsckd tests to work on s390x too + - Enable persistent journal by default + + -- Dimitri John Ledkov Tue, 30 Jan 2018 13:52:27 +0000 + systemd (237-1) unstable; urgency=medium * New upstream version 237 
@@ -140,6 +327,51 @@ -- Michael Biebl Sun, 17 Dec 2017 21:45:51 +0100 +systemd (235-3ubuntu3) bionic; urgency=medium + + * netwokrd: add support for RequiredForOnline stanza. (LP: #1737570) + * resolved.service: set DefaultDependencies=no (LP: #1734167) + * systemd.postinst: enable persistent journal. (LP: #1618188) + * core: add support for non-writable unified cgroup hierarchy for container support. + (LP: #1734410) + + -- Dimitri John Ledkov Tue, 12 Dec 2017 13:25:32 +0000 + +systemd (235-3ubuntu2) bionic; urgency=medium + + * systemd-fsckd: Fix ADT tests to work on s390x too. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 16:41:15 +0000 + +systemd (235-3ubuntu1) bionic; urgency=medium + + * Merge 235-3 from debian: + - Drop UBUNTU-CVE-2017-15908 included in Debian. + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + + * UBUNTU Do not use nested kvm during ADT tests. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 09:34:14 +0000 + systemd (235-3) unstable; urgency=medium [ Michael Biebl ] 
@@ -180,6 +412,63 @@ -- Martin Pitt Wed, 15 Nov 2017 09:34:00 +0100 +systemd (235-2ubuntu3) bionic; urgency=medium + + * Revert "Skip test-bpf in autopkgtest, currently is failing." + This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c. + * Fix test-bpf test case on ubuntu. + * Skip rename tests in containers, crude fix for now. + + -- Dimitri John Ledkov Mon, 13 Nov 2017 00:06:42 +0000 + +systemd (235-2ubuntu2) bionic; urgency=medium + + * Fix test-functions failing with Ubuntu units. + * tests: switch to using ext4 by default, instead of ext3. + * Skip test-bpf in autopkgtest, currently is failing. + + -- Dimitri John Ledkov Mon, 06 Nov 2017 18:33:39 +0000 + +systemd (235-2ubuntu1) bionic; urgency=medium + + [ Dimitri John Ledkov ] + * Merge 235-2 from debian: + - Drop all upstream cherry-picks + - Drop test-copy dh_strip size override, fixed upstream + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + + * Fix up write_persistent_net_s390x for nullglob + + * Ship systemd sysctl settings. + Patch systemd's default sysctl settings to drop things that are set + elsewhere already. 
The promote secondary IP addresses is required for + networkd to successfully renew DHCP leases with a change of an IP address. + Set default package scheduler to Fair Queue CoDel. (LP: #1721223) + + [ Michael Biebl ] + * Install modprobe configuration file to /lib/modprobe.d. + Otherwise it is not read by kmod. (Closes: #879191) + + -- Dimitri John Ledkov Mon, 30 Oct 2017 17:20:54 +0000 + systemd (235-2) unstable; urgency=medium * Revert "tests: when running a manager object in a test, migrate to private 
@@ -289,6 +578,187 @@ -- Cyril Brulebois Wed, 23 Aug 2017 20:41:33 +0200 +systemd (234-2ubuntu12.1) artful-security; urgency=medium + + * SECURITY UPDATE: remote DoS in resolve (LP: #1725351) + - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo + dns types in src/resolve/resolved-dns-packet.c. + - CVE-2017-15908 + + -- Marc Deslauriers Thu, 26 Oct 2017 07:56:42 -0400 + +systemd (234-2ubuntu12) artful; urgency=medium + + [ Dimitri John Ledkov ] + * debian/rules: do not strip test-copy. + This insures test-copy is large enough for test-copy tests to pass. + (LP: #1721203) + + [ Michael Biebl ] + * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf. + All major NTP implementations ship a native service file nowadays with a + Conflicts=systemd-timesyncd.service so this drop-in is no longer + necessary. (Closes: #873185) (LP: #1721204) + + -- Dimitri John Ledkov Wed, 04 Oct 2017 13:28:34 +0100 + +systemd (234-2ubuntu11) artful; urgency=medium + + * Ubuntu/extra: ship dhclient-enter hook. + This allows isc-dhcp dhclient to set search domains and nameservers via + resolved. + * Disable systemd-networkd-wait-online by default. + Currently it is not fit for purpose, as it leads to long boot times when + networking is unplugged or not yet configured on boot. (LP: #1714301) + * networkd: change UseMTU default to true. + Cherry-pick upstream change. (LP: #1717471) + * postinst: drop empty/stock /etc/rc.local (LP: #1716979) + * Imporve resolvconf integration. + Make the .path|.service unit that feed resolved data into resolvconf not + generate failures if resolvconf is not installed. + Add a check to make sure that resolved does not read /etc/resolv.conf when that + is symlinked to stub-resolv.conf. 
(LP: #1717995) + * core: gracefully bail out keyring operations when chown fails (LP: #1691096) + + -- Dimitri John Ledkov Tue, 26 Sep 2017 11:38:02 -0400 + +systemd (234-2ubuntu10) artful; urgency=medium + + * Do not fail debootstrap if /etc/resolv.conf is immutable. (LP: #1713212) + * Revert "Create /etc/resolv.conf on resolved start, if it is an empty file." + As it is ineffective, and correct creation of /etc/resolv.conf has been fixed. + This reverts commit ccba42504f216f6ffbc54eb2c9af347355f8d86b. + * initramfs-tools: trigger udevadm add actions with subsystems first. + This updates the initramfs-tools init-top udev script to trigger udevadm + actions with type specified. This mimicks the + systemd-udev-trigger.service. Without type specified only devices are + triggered, but triggering subsystems may also be required and should happen + before triggering the devices. This is the case for example on s390x with zdev + generated udev rules. (LP: #1713536) + + -- Dimitri John Ledkov Wed, 30 Aug 2017 11:22:41 +0100 + +systemd (234-2ubuntu9) artful; urgency=medium + + * boot-and-services: skip gdm3 tests when absent, as it is on s390x. + + -- Dimitri John Ledkov Wed, 23 Aug 2017 11:58:57 +0100 + +systemd (234-2ubuntu8) artful; urgency=medium + + * Enable systemd-networkd by default. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 17:50:59 +0100 + +systemd (234-2ubuntu7) artful; urgency=medium + + * Always setup /etc/resolv.conf on new installations. + On new installations, /etc/resolv.conf will always exist. Move it to /run + and replace it with the desired final symlink. (LP: #1712283) + * Create /etc/resolv.conf on resolved start, if it is an empty file. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 16:13:35 +0100 + +systemd (234-2ubuntu6) artful; urgency=medium + + * Disable KillUserProcesses, yet again, with meson this time. + * Re-enable reboot tests. 
+ + -- Dimitri John Ledkov Thu, 17 Aug 2017 15:22:35 +0100 + +systemd (234-2ubuntu5) artful; urgency=medium + + * debian/tests: disable i386 & amd64 systemd-fsck test, and add environment + overrides to allow force execution of those tests locally. LP: #1708051. + + -- Dimitri John Ledkov Wed, 16 Aug 2017 13:04:48 +0100 + +systemd (234-2ubuntu4) artful; urgency=medium + + * debian/tests: disable i386 & amd64 boot-smoke, passes locally. LP: + #1708051. + + -- Dimitri John Ledkov Tue, 15 Aug 2017 14:20:12 +0100 + +systemd (234-2ubuntu3) artful; urgency=medium + + * debian/tests: Switch to gdm, enforce udev upgrade. + + -- Dimitri John Ledkov Mon, 14 Aug 2017 12:02:37 +0100 + +systemd (234-2ubuntu2) artful; urgency=medium + + * Ignore failures to set Nice priority on services in containers. + * Disable execute test on armhf. + * units: set ConditionVirtualization=!private-users on journald audit socket. + It fails to start in unprivileged containers. + * boot-smoke: refactor ADT test. + Wait for system to settle down and get to either running or degraded state, + then collect all metrics, and exit with an error if any of the tests failed. + + -- Dimitri John Ledkov Wed, 02 Aug 2017 03:02:03 +0100 + +systemd (234-2ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. 
In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. + * modprobe.d: set max_bonds=0 for bonding module to prevent bond0 creation. + This prevents confusing networkd, and allows networkd to manage bond0. + * Cherrypick upstream networkd-test.py assertion/check fixes. + This resolves ADT test suite failures, when running tests under lxc/lxd + providers. 
+ * Cherrypick arm* seccomp fixes. + This should resolve ADT test failures, on arm64, when running as root. + * Re-enable seccomp and execute tests on arm. + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + [ Michael Biebl ] + * selinux: Enable labeling and access checks for unprivileged users. + Revert commit that inadvertently broke a lot of SELinux related + functionality for both unprivileged users and systemd instances running + as MANAGER_USER and instead deal with the auditd issue by checking for + the CAP_AUDIT_WRITE capability before opening an audit netlink socket. + (Closes: #863800) + + -- Dimitri John Ledkov Tue, 25 Jul 2017 13:30:58 +0100 + systemd (234-2) unstable; urgency=medium [ Martin Pitt ] 
@@ -309,6 +779,64 @@ -- Michael Biebl Thu, 20 Jul 2017 15:13:42 +0200 +systemd (234-1ubuntu2) artful; urgency=medium + + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. 
+ + -- Dimitri John Ledkov Fri, 21 Jul 2017 17:07:17 +0100 + +systemd (234-1ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * Merge with debian, outstanding delta below. + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Mon, 17 Jul 2017 10:59:34 +0100 + systemd (234-1) unstable; urgency=medium [ Michael Biebl ] 
@@ -390,6 +918,52 @@ -- Michael Biebl Mon, 19 Jun 2017 15:10:14 +0200 +systemd (233-8ubuntu2) artful; urgency=medium + + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + * SECURITY UPDATE: Out-of-bounds write in systemd-resolved. + CVE-2017-9445 (LP: #1695546) + + -- Dimitri John Ledkov Wed, 28 Jun 2017 13:27:28 +0100 + +systemd (233-8ubuntu1) artful; urgency=medium + + Merge from experimental. Existing Ubuntu cherry-picks: + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + * Cherrypick upstream commit to enable system use kernel maximum limit for RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + + Ubuntu cherry-picks, now also applied in Debian: + * resolved: fix null pointer dereference crash + + Remaining Ubuntu delta: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. 
+ This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. + + New Ubuntu cherry-picks: + * loginctl: Chrerry-pick upstream fix to not ignore multiple session ids. + (LP: #1682154) + + -- Dimitri John Ledkov Mon, 19 Jun 2017 15:24:30 +0100 + systemd (233-8) experimental; urgency=medium * Bump debhelper compatibility level to 10 
@@ -428,6 +1002,57 @@ -- Michael Biebl Wed, 24 May 2017 12:26:18 +0200 +systemd (233-6ubuntu3) artful; urgency=medium + + * resolved: fix null pointer dereference crash (LP: #1621396) + + -- Dimitri John Ledkov Mon, 22 May 2017 09:29:22 +0100 + +systemd (233-6ubuntu2) artful; urgency=medium + + [ Michael Biebl ] + * basic/journal-importer: Fix unaligned access in get_data_size() + (Closes: #862062) + + [ Dimitri John Ledkov ] + * ubuntu: disable dnssec on any ubuntu releases (LP: #1690605) + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + (LP: #1686784) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Wed, 17 May 2017 19:24:03 +0100 + +systemd (233-6ubuntu1) artful; urgency=medium + + Merge from Debian, existing changes: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + New changes: + * Cherrypick upstream commit to enable system use kernel maximum limit for + RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. 
(LP: #1686361) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + + -- Dimitri John Ledkov Tue, 02 May 2017 11:23:19 +0100 + systemd (233-6) experimental; urgency=medium [ Felipe Sateler ] 
@@ -468,6 +1093,52 @@ -- Michael Biebl Fri, 28 Apr 2017 21:47:14 +0200 +systemd (233-5ubuntu1) artful; urgency=medium + + [ Felipe Sateler ] + * Backport upstream PR #5531. + This delays opening the mdns and llmnr sockets until a network has enabled them. + This silences annoying messages when networkd receives such packets without + expecting them: + Got mDNS UDP packet on unknown scope. + + [ Martin Pitt ] + * resolved: Disable DNSSEC by default on stretch and zesty. + Both Debian stretch and Ubuntu zesty are close to releasing, switch to + DNSSEC=off by default for those. Users can still turn it back on with + DNSSEC=allow-downgrade (or even "yes"). + + [ Michael Biebl ] + * Add Conflicts against hal. + Since v183, udev no longer supports RUN+="socket:". This feature is + still used by hal, but now generates vast amounts of errors in the + journal. Thus force the removal of hal by adding a Conflicts to the udev + package. This is safe, as hal is long dead and no longer useful. + * Drop systemd-ui Suggests + systemd-ui is unmaintained upstream and not particularly useful anymore. + * journal: fix up syslog facility when forwarding native messages. + Native journal messages (_TRANSPORT=journal) typically don't have a + syslog facility attached to it. As a result when forwarding the + messages to syslog they ended up with facility 0 (LOG_KERN). + Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893) + * Split upstream tests into systemd-tests binary package (Closes: #859152) + * Get PACKAGE_VERSION from config.h. + This also works with meson and is not autotools specific. + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. 
(Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + -- Dimitri John Ledkov Fri, 21 Apr 2017 14:36:34 +0100 + systemd (233-5) experimental; urgency=medium * Do not throw a warning in emergency and rescue mode if plymouth is not diff -Nru systemd-237/debian/control systemd-237/debian/control --- systemd-237/debian/control 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/control 2018-04-20 16:55:56.000000000 +0000 @@ -1,7 +1,8 @@ Source: systemd Section: admin Priority: optional -Maintainer: Debian systemd Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian systemd Maintainers Uploaders: Michael Biebl , Marco d'Itri , Sjoerd Simons , @@ -62,7 +63,8 @@ Section: admin Priority: important Recommends: libpam-systemd, - dbus + dbus, + networkd-dispatcher Suggests: systemd-container, policykit-1 Pre-Depends: ${shlibs:Pre-Depends}, diff -Nru systemd-237/debian/extra/dhclient-enter-resolved-hook systemd-237/debian/extra/dhclient-enter-resolved-hook --- systemd-237/debian/extra/dhclient-enter-resolved-hook 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/extra/dhclient-enter-resolved-hook 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,72 @@
+#
+# Script fragment to make dhclient supply nameserver information to resolvconf
+#
+
+# Tips:
+# * Be careful about changing the environment since this is sourced
+# * This script fragment uses bash features
+# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following.
+# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M)
+# (Also used in master script:) ARPCHECK(0), ARPSEND(0)
+# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D)
+# (0) = master script does not run make_resolv_conf
+# (M) = master script runs make_resolv_conf
+# (D) = master script downs interface
+# (-) = master script does nothing with this
+
+if [ -x /lib/systemd/systemd-resolved ] ; then
+ # For safety, first undefine the nasty default make_resolv_conf()
+ make_resolv_conf() { : ; }
+ case "$reason" in
+ BOUND|RENEW|REBIND|REBOOT|TIMEOUT|BOUND6|RENEW6|REBIND6)
+ # Define a resolvconf-compatible m_r_c() function
+ # It gets run later (or, in the TIMEOUT case, MAY get run later)
+ make_resolv_conf() {
+ local statedir
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ statedir="/run/systemd/resolved.conf.d"
+ mkdir -p $statedir
+ if [ -n "$new_domain_name_servers" ] ; then
+ cat <$statedir/isc-dhcp-v4-$interface.conf
+[Resolve]
+DNS=$new_domain_name_servers
+EOF
+ if [ -n "$new_domain_name" ] || [ -n "$new_domain_search" ] ; then
+ cat <>$statedir/isc-dhcp-v4-$interface.conf
+Domains=$new_domain_search $new_domain_name
+EOF
+ fi
+ fi
+ if [ -n "$new_dhcp6_name_servers" ] ; then
+ cat <$statedir/isc-dhcp-v6-$interface.conf
+[Resolve]
+DNS=$new_dhcp6_name_servers
+EOF
+ if [ -n "$new_dhcp6_domain_search" ] ; then
+ cat <>$statedir/isc-dhcp-v6-$interface.conf
+Domains=$new_dhcp6_domain_search
+EOF
+ fi
+ fi
+ systemctl try-reload-or-restart systemd-resolved.service
+ }
+ ;;
+
+ EXPIRE|FAIL|RELEASE|STOP)
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ rm -f /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf
+ systemctl try-reload-or-restart systemd-resolved.service
+ ;;
+ EXPIRE6|RELEASE6|STOP6)
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ rm -f /run/systemd/resolved.conf.d/isc-dhcp-v6-$interface.conf
+ systemctl try-reload-or-restart systemd-resolved.service
+ ;;
+ esac
+fi
diff -Nru systemd-237/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf systemd-237/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf
--- systemd-237/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 2018-04-20 16:55:56.000000000 +0000
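Review bot: In debian/extra/dhclient-enter-resolved-hook, make_resolv_conf() writes `$new_domain_name_servers`, `$new_domain_search`, `$new_domain_name` and the DHCPv6 equivalents unchecked into root-owned drop-ins under /run/systemd/resolved.conf.d, although these values are chosen by whichever DHCP server answered the lease. A value containing a newline would add further lines to the `[Resolve]` section, so unless dhclient is known to filter these options (not visible in this hunk) the function should refuse unexpected characters before writing; the fence below sketches such a check, and its allowed character set is a starting point to adjust. `$statedir` and `$interface` are also expanded unquoted in `mkdir -p`, the `cat` redirect targets and both `rm -f` lines, and quoting them, e.g. `rm -f -- "/run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf"`, costs nothing.

```shell
make_resolv_conf() {
    local statedir v
    # … unchanged: return early when $interface is empty …
    # Lease values come from the DHCP server: refuse anything that could
    # add extra lines or keys to the drop-in.
    for v in "$new_domain_name_servers" "$new_domain_name" "$new_domain_search" \
             "$new_dhcp6_name_servers" "$new_dhcp6_domain_search" ; do
        case "$v" in
            *[!A-Za-z0-9.:%_\ -]*) return ;;
        esac
    done
    statedir="/run/systemd/resolved.conf.d"
    mkdir -p -- "$statedir"
    # … unchanged: write the v4 and v6 drop-ins, then reload systemd-resolved …
```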
@@ -0,0 +1,4 @@ +# Use synchronous scanning, to block update-dev in d-i/hw-detect until after the scan is done +# This ensures that partitioning stage has all the drives detected + +options scsi_mod scan=sync diff -Nru systemd-237/debian/extra/systemd-sysv-install systemd-237/debian/extra/systemd-sysv-install --- systemd-237/debian/extra/systemd-sysv-install 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/extra/systemd-sysv-install 2018-04-20 16:55:56.000000000 +0000 @@ -12,7 +12,6 @@ } ROOT= -NAME="${2:-}" # parse options eval set -- "$(getopt -o r: --long root: -- "$@")" @@ -26,6 +25,8 @@ esac done +NAME="${2:-}" + run() { if [ -n "$ROOT" ] && [ "$ROOT" != "/" ]; then chroot "$ROOT" /usr/sbin/update-rc.d "$@" diff -Nru systemd-237/debian/extra/units/systemd-resolved.service.d/resolvconf.conf systemd-237/debian/extra/units/systemd-resolved.service.d/resolvconf.conf --- systemd-237/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 1970-01-01 00:00:00.000000000 +0000 
@@ -1,8 +0,0 @@
-# tell resolvconf about resolved's builtin DNS server, so that DNS servers
-# picked up via networkd are respected when using resolvconf, and that software
-# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS
-# resolution; do not remove the entry after stop though, as that leads to
-# timeouts on shutdown via the resolvconf hooks (see LP: #1648068)
-[Service]
-ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved'
-ReadWritePaths=-/run/resolvconf
diff -Nru systemd-237/debian/extra/write_persistent_net_s390x_virtio systemd-237/debian/extra/write_persistent_net_s390x_virtio
--- systemd-237/debian/extra/write_persistent_net_s390x_virtio 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/extra/write_persistent_net_s390x_virtio 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,41 @@ +#!/bin/sh +set -e + +# +# udevd since 232-20 learned to generate stable interface names for network +# interfaces in kvm/qemu. However, existing machines upgrading will be using +# the ethX names instead. The most risk-averse action is to encode +# "persistent-net-rules" like rules to keep the ethX names on upgrades, since +# the interface names (ethX) may be in use not only in /etc/network/interfaces +# but in other configurations too (daemons, firewalls, etc). +# +# This is a one time action, and can be removed after the next stable & LTS +# releases. (~ May 2018) +# + +rulesfile=/etc/udev/rules.d/70-persistent-net.rules + +if [ `uname -m` != 's390x' ] +then + exit 0 +fi + +if [ `systemd-detect-virt` != 'kvm' ] +then + exit 0 +fi + +if [ -f $rulesfile ] +then + exit 0 +fi + +for interface in /sys/class/net/eth* +do + [ -d $interface ] || continue + name=$(basename $interface) + address=$(cat $interface/address) + cat <>$rulesfile +SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$address", KERNEL=="eth*", NAME="$name" +EOF +done diff -Nru systemd-237/debian/gbp.conf systemd-237/debian/gbp.conf --- systemd-237/debian/gbp.conf 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/gbp.conf 2018-04-20 16:55:56.000000000 +0000 @@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = master +debian-branch = ubuntu-bionic [dch] full = True diff -Nru systemd-237/debian/libnss-resolve.postrm systemd-237/debian/libnss-resolve.postrm --- systemd-237/debian/libnss-resolve.postrm 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/libnss-resolve.postrm 2018-04-20 16:55:56.000000000 +0000 
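Review bot: In debian/extra/write_persistent_net_s390x_virtio, the two platform guards put unquoted backtick substitutions inside `[ … ]`, so if `uname -m` or `systemd-detect-virt` prints nothing (for instance because the tool is missing) the test is malformed and returns an error status, the `if` treats that as false, and the script goes on to write 70-persistent-net.rules on a machine it was meant to skip. `set -e` does not stop this, because the failure happens inside a condition. Quoting makes an empty result simply compare unequal and exit: `if [ "$(uname -m)" != 's390x' ]` and `if [ "$(systemd-detect-virt)" != 'kvm' ]`. `$rulesfile` and `$interface` should be quoted as well. Separately, a failing `cat $interface/address` aborts the loop under `set -e` after earlier rules were already appended, and the `-f $rulesfile` guard then treats that partial file as complete on the next run; writing to a temporary file and renaming it once the loop has finished would avoid this.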
@@ -23,10 +23,6 @@ if [ "$1" = remove ]; then remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve - systemctl disable systemd-resolved.service - if [ -d /run/systemd/system ]; then - deb-systemd-invoke stop systemd-resolved.service || true - fi fi #DEBHELPER# diff -Nru systemd-237/debian/patches/Gettextize-policy-files.patch systemd-237/debian/patches/Gettextize-policy-files.patch --- systemd-237/debian/patches/Gettextize-policy-files.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/Gettextize-policy-files.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,895 @@ +From: Gunnar Hjalmarsson +Date: Thu, 15 Feb 2018 21:21:58 +0100 +Subject: Gettextize policy files + +* Don't merge translations into the files +* Add gettext-domain="systemd" to description and message + +Closes #8162, replaces #8118. + +(cherry picked from commit 264d8dcc161e276d31dcde98a088d15cebbebbef) +--- + src/core/meson.build | 15 +-- + src/core/org.freedesktop.systemd1.policy.in.in | 20 ++-- + src/hostname/meson.build | 10 +- + src/hostname/org.freedesktop.hostname1.policy.in | 12 +-- + src/import/meson.build | 10 +- + src/import/org.freedesktop.import1.policy.in | 12 +-- + src/locale/meson.build | 10 +- + src/locale/org.freedesktop.locale1.policy.in | 8 +- + src/login/meson.build | 10 +- + src/login/org.freedesktop.login1.policy.in | 128 +++++++++++------------ + src/machine/meson.build | 10 +- + src/machine/org.freedesktop.machine1.policy.in | 32 +++--- + src/resolve/meson.build | 10 +- + src/resolve/org.freedesktop.resolve1.policy.in | 8 +- + src/timedate/meson.build | 10 +- + src/timedate/org.freedesktop.timedate1.policy.in | 16 +-- + 16 files changed, 150 insertions(+), 171 deletions(-) + +diff --git a/src/core/meson.build b/src/core/meson.build +index bc03408..c58893b 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -211,19 +211,12 @@ install_data('org.freedesktop.systemd1.conf', + install_data('org.freedesktop.systemd1.service', + install_dir : dbussystemservicedir) + +-policy_in = configure_file( ++policy = configure_file( + input : 'org.freedesktop.systemd1.policy.in.in', +- output : 'org.freedesktop.systemd1.policy.in', +- configuration : substs) +- +-i18n.merge_file( +- 'org.freedesktop.systemd1.policy', +- input : policy_in, + output : 'org.freedesktop.systemd1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++install_data(policy, ++ install_dir : polkitpolicydir) + + install_data('system.conf', + 'user.conf', +diff 
--git a/src/core/org.freedesktop.systemd1.policy.in.in b/src/core/org.freedesktop.systemd1.policy.in.in +index 2c6ed74..648221b 100644 +--- a/src/core/org.freedesktop.systemd1.policy.in.in ++++ b/src/core/org.freedesktop.systemd1.policy.in.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Send passphrase back to system +- Authentication is required to send the entered passphrase back to the system. ++ Send passphrase back to system ++ Authentication is required to send the entered passphrase back to the system. + + no + no +@@ -30,8 +30,8 @@ + + + +- Manage system services or other units +- Authentication is required to manage system services or other units. ++ Manage system services or other units ++ Authentication is required to manage system services or other units. + + auth_admin + auth_admin +@@ -40,8 +40,8 @@ + + + +- Manage system service or unit files +- Authentication is required to manage system service or unit files. ++ Manage system service or unit files ++ Authentication is required to manage system service or unit files. + + auth_admin + auth_admin +@@ -50,8 +50,8 @@ + + + +- Set or unset system and service manager environment variables +- Authentication is required to set or unset system and service manager environment variables. ++ Set or unset system and service manager environment variables ++ Authentication is required to set or unset system and service manager environment variables. + + auth_admin + auth_admin +@@ -60,8 +60,8 @@ + + + +- Reload the systemd state +- Authentication is required to reload the systemd state. ++ Reload the systemd state ++ Authentication is required to reload the systemd state. 
+ + auth_admin + auth_admin +diff --git a/src/hostname/meson.build b/src/hostname/meson.build +index 75cc948..c35c668 100644 +--- a/src/hostname/meson.build ++++ b/src/hostname/meson.build +@@ -21,12 +21,10 @@ if conf.get('ENABLE_HOSTNAMED') == 1 + install_data('org.freedesktop.hostname1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.hostname1.policy', ++ policy = configure_file( + input : 'org.freedesktop.hostname1.policy.in', + output : 'org.freedesktop.hostname1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + endif +diff --git a/src/hostname/org.freedesktop.hostname1.policy.in b/src/hostname/org.freedesktop.hostname1.policy.in +index b10ca31..4ac82c6 100644 +--- a/src/hostname/org.freedesktop.hostname1.policy.in ++++ b/src/hostname/org.freedesktop.hostname1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Set host name +- Authentication is required to set the local host name. ++ Set host name ++ Authentication is required to set the local host name. + + auth_admin_keep + auth_admin_keep +@@ -29,8 +29,8 @@ + + + +- Set static host name +- Authentication is required to set the statically configured local host name, as well as the pretty host name. ++ Set static host name ++ Authentication is required to set the statically configured local host name, as well as the pretty host name. + + auth_admin_keep + auth_admin_keep +@@ -40,8 +40,8 @@ + + + +- Set machine information +- Authentication is required to set local machine information. ++ Set machine information ++ Authentication is required to set local machine information. 
+ + auth_admin_keep + auth_admin_keep +diff --git a/src/import/meson.build b/src/import/meson.build +index 2dcc0bc..e5088b3 100644 +--- a/src/import/meson.build ++++ b/src/import/meson.build +@@ -71,14 +71,12 @@ if conf.get('ENABLE_IMPORTD') == 1 + install_data('org.freedesktop.import1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.import1.policy', ++ policy = configure_file( + input : 'org.freedesktop.import1.policy.in', + output : 'org.freedesktop.import1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + + install_data('import-pubring.gpg', + install_dir : rootlibexecdir) +diff --git a/src/import/org.freedesktop.import1.policy.in b/src/import/org.freedesktop.import1.policy.in +index d96ca2d..beea5fe 100644 +--- a/src/import/org.freedesktop.import1.policy.in ++++ b/src/import/org.freedesktop.import1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Import a VM or container image +- Authentication is required to import a VM or container image ++ Import a VM or container image ++ Authentication is required to import a VM or container image + + auth_admin + auth_admin +@@ -29,8 +29,8 @@ + + + +- Export a VM or container image +- Authentication is required to export a VM or container image ++ Export a VM or container image ++ Authentication is required to export a VM or container image + + auth_admin + auth_admin +@@ -39,8 +39,8 @@ + + + +- Download a VM or container image +- Authentication is required to download a VM or container image ++ Download a VM or container image ++ Authentication is required to download a VM or container image + + auth_admin + auth_admin +diff --git a/src/locale/meson.build b/src/locale/meson.build +index dca2c51..30882cc 100644 +--- a/src/locale/meson.build ++++ b/src/locale/meson.build +@@ -29,14 +29,12 @@ if 
conf.get('ENABLE_LOCALED') == 1 + install_data('org.freedesktop.locale1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.locale1.policy', ++ policy = configure_file( + input : 'org.freedesktop.locale1.policy.in', + output : 'org.freedesktop.locale1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + endif + + # If you know a way that allows the same variables to be used +diff --git a/src/locale/org.freedesktop.locale1.policy.in b/src/locale/org.freedesktop.locale1.policy.in +index 4c1c34d..f924174 100644 +--- a/src/locale/org.freedesktop.locale1.policy.in ++++ b/src/locale/org.freedesktop.locale1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Set system locale +- Authentication is required to set the system locale. ++ Set system locale ++ Authentication is required to set the system locale. + + auth_admin_keep + auth_admin_keep +@@ -30,8 +30,8 @@ + + + +- Set system keyboard settings +- Authentication is required to set the system keyboard settings. ++ Set system keyboard settings ++ Authentication is required to set the system keyboard settings. 
+ + auth_admin_keep + auth_admin_keep +diff --git a/src/login/meson.build b/src/login/meson.build +index e8e4f7b..599c44e 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -88,14 +88,12 @@ if conf.get('ENABLE_LOGIND') == 1 + install_data('org.freedesktop.login1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.login1.policy', ++ policy = configure_file( + input : 'org.freedesktop.login1.policy.in', + output : 'org.freedesktop.login1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + + install_data('70-power-switch.rules', install_dir : udevrulesdir) + +diff --git a/src/login/org.freedesktop.login1.policy.in b/src/login/org.freedesktop.login1.policy.in +index 4716202..f1d1f95 100644 +--- a/src/login/org.freedesktop.login1.policy.in ++++ b/src/login/org.freedesktop.login1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Allow applications to inhibit system shutdown +- Authentication is required for an application to inhibit system shutdown. ++ Allow applications to inhibit system shutdown ++ Authentication is required for an application to inhibit system shutdown. + + no + yes +@@ -30,8 +30,8 @@ + + + +- Allow applications to delay system shutdown +- Authentication is required for an application to delay system shutdown. ++ Allow applications to delay system shutdown ++ Authentication is required for an application to delay system shutdown. + + yes + yes +@@ -41,8 +41,8 @@ + + + +- Allow applications to inhibit system sleep +- Authentication is required for an application to inhibit system sleep. ++ Allow applications to inhibit system sleep ++ Authentication is required for an application to inhibit system sleep. 
+ + no + yes +@@ -52,8 +52,8 @@ + + + +- Allow applications to delay system sleep +- Authentication is required for an application to delay system sleep. ++ Allow applications to delay system sleep ++ Authentication is required for an application to delay system sleep. + + yes + yes +@@ -62,8 +62,8 @@ + + + +- Allow applications to inhibit automatic system suspend +- Authentication is required for an application to inhibit automatic system suspend. ++ Allow applications to inhibit automatic system suspend ++ Authentication is required for an application to inhibit automatic system suspend. + + yes + yes +@@ -72,8 +72,8 @@ + + + +- Allow applications to inhibit system handling of the power key +- Authentication is required for an application to inhibit system handling of the power key. ++ Allow applications to inhibit system handling of the power key ++ Authentication is required for an application to inhibit system handling of the power key. + + no + yes +@@ -83,8 +83,8 @@ + + + +- Allow applications to inhibit system handling of the suspend key +- Authentication is required for an application to inhibit system handling of the suspend key. ++ Allow applications to inhibit system handling of the suspend key ++ Authentication is required for an application to inhibit system handling of the suspend key. + + no + yes +@@ -94,8 +94,8 @@ + + + +- Allow applications to inhibit system handling of the hibernate key +- Authentication is required for an application to inhibit system handling of the hibernate key. ++ Allow applications to inhibit system handling of the hibernate key ++ Authentication is required for an application to inhibit system handling of the hibernate key. + + no + yes +@@ -104,8 +104,8 @@ + + + +- Allow applications to inhibit system handling of the lid switch +- Authentication is required for an application to inhibit system handling of the lid switch. 
++ Allow applications to inhibit system handling of the lid switch ++ Authentication is required for an application to inhibit system handling of the lid switch. + + no + yes +@@ -114,8 +114,8 @@ + + + +- Allow non-logged-in user to run programs +- Explicit request is required to run programs as a non-logged-in user. ++ Allow non-logged-in user to run programs ++ Explicit request is required to run programs as a non-logged-in user. + + yes + yes +@@ -124,8 +124,8 @@ + + + +- Allow non-logged-in users to run programs +- Authentication is required to run programs as a non-logged-in user. ++ Allow non-logged-in users to run programs ++ Authentication is required to run programs as a non-logged-in user. + + auth_admin_keep + auth_admin_keep +@@ -134,8 +134,8 @@ + + + +- Allow attaching devices to seats +- Authentication is required for attaching a device to a seat. ++ Allow attaching devices to seats ++ Authentication is required for attaching a device to a seat. + + auth_admin_keep + auth_admin_keep +@@ -145,8 +145,8 @@ + + + +- Flush device to seat attachments +- Authentication is required for resetting how devices are attached to seats. ++ Flush device to seat attachments ++ Authentication is required for resetting how devices are attached to seats. + + auth_admin_keep + auth_admin_keep +@@ -155,8 +155,8 @@ + + + +- Power off the system +- Authentication is required for powering off the system. ++ Power off the system ++ Authentication is required for powering off the system. + + auth_admin_keep + auth_admin_keep +@@ -166,8 +166,8 @@ + + + +- Power off the system while other users are logged in +- Authentication is required for powering off the system while other users are logged in. ++ Power off the system while other users are logged in ++ Authentication is required for powering off the system while other users are logged in. 
+ + auth_admin_keep + auth_admin_keep +@@ -177,8 +177,8 @@ + + + +- Power off the system while an application asked to inhibit it +- Authentication is required for powering off the system while an application asked to inhibit it. ++ Power off the system while an application asked to inhibit it ++ Authentication is required for powering off the system while an application asked to inhibit it. + + auth_admin_keep + auth_admin_keep +@@ -188,8 +188,8 @@ + + + +- Reboot the system +- Authentication is required for rebooting the system. ++ Reboot the system ++ Authentication is required for rebooting the system. + + auth_admin_keep + auth_admin_keep +@@ -199,8 +199,8 @@ + + + +- Reboot the system while other users are logged in +- Authentication is required for rebooting the system while other users are logged in. ++ Reboot the system while other users are logged in ++ Authentication is required for rebooting the system while other users are logged in. + + auth_admin_keep + auth_admin_keep +@@ -210,8 +210,8 @@ + + + +- Reboot the system while an application asked to inhibit it +- Authentication is required for rebooting the system while an application asked to inhibit it. ++ Reboot the system while an application asked to inhibit it ++ Authentication is required for rebooting the system while an application asked to inhibit it. + + auth_admin_keep + auth_admin_keep +@@ -221,8 +221,8 @@ + + + +- Halt the system +- Authentication is required for halting the system. ++ Halt the system ++ Authentication is required for halting the system. + + auth_admin_keep + auth_admin_keep +@@ -232,8 +232,8 @@ + + + +- Halt the system while other users are logged in +- Authentication is required for halting the system while other users are logged in. ++ Halt the system while other users are logged in ++ Authentication is required for halting the system while other users are logged in. 
+ + auth_admin_keep + auth_admin_keep +@@ -243,8 +243,8 @@ + + + +- Halt the system while an application asked to inhibit it +- Authentication is required for halting the system while an application asked to inhibit it. ++ Halt the system while an application asked to inhibit it ++ Authentication is required for halting the system while an application asked to inhibit it. + + auth_admin_keep + auth_admin_keep +@@ -254,8 +254,8 @@ + + + +- Suspend the system +- Authentication is required for suspending the system. ++ Suspend the system ++ Authentication is required for suspending the system. + + auth_admin_keep + auth_admin_keep +@@ -264,8 +264,8 @@ + + + +- Suspend the system while other users are logged in +- Authentication is required for suspending the system while other users are logged in. ++ Suspend the system while other users are logged in ++ Authentication is required for suspending the system while other users are logged in. + + auth_admin_keep + auth_admin_keep +@@ -275,8 +275,8 @@ + + + +- Suspend the system while an application asked to inhibit it +- Authentication is required for suspending the system while an application asked to inhibit it. ++ Suspend the system while an application asked to inhibit it ++ Authentication is required for suspending the system while an application asked to inhibit it. + + auth_admin_keep + auth_admin_keep +@@ -286,8 +286,8 @@ + + + +- Hibernate the system +- Authentication is required for hibernating the system. ++ Hibernate the system ++ Authentication is required for hibernating the system. + + auth_admin_keep + auth_admin_keep +@@ -296,8 +296,8 @@ + + + +- Hibernate the system while other users are logged in +- Authentication is required for hibernating the system while other users are logged in. ++ Hibernate the system while other users are logged in ++ Authentication is required for hibernating the system while other users are logged in. 
+ + auth_admin_keep + auth_admin_keep +@@ -307,8 +307,8 @@ + + + +- Hibernate the system while an application asked to inhibit it +- Authentication is required for hibernating the system while an application asked to inhibit it. ++ Hibernate the system while an application asked to inhibit it ++ Authentication is required for hibernating the system while an application asked to inhibit it. + + auth_admin_keep + auth_admin_keep +@@ -318,8 +318,8 @@ + + + +- Manage active sessions, users and seats +- Authentication is required for managing active sessions, users and seats. ++ Manage active sessions, users and seats ++ Authentication is required for managing active sessions, users and seats. + + auth_admin_keep + auth_admin_keep +@@ -328,8 +328,8 @@ + + + +- Lock or unlock active sessions +- Authentication is required to lock or unlock active sessions. ++ Lock or unlock active sessions ++ Authentication is required to lock or unlock active sessions. + + auth_admin_keep + auth_admin_keep +@@ -338,8 +338,8 @@ + + + +- Allow indication to the firmware to boot to setup interface +- Authentication is required to indicate to the firmware to boot to setup interface. ++ Allow indication to the firmware to boot to setup interface ++ Authentication is required to indicate to the firmware to boot to setup interface. 
+ + auth_admin_keep + auth_admin_keep +@@ -348,8 +348,8 @@ + + + +- Set a wall message +- Authentication is required to set a wall message ++ Set a wall message ++ Authentication is required to set a wall message + + auth_admin_keep + auth_admin_keep +diff --git a/src/machine/meson.build b/src/machine/meson.build +index 7ea5d9d..0f2944c 100644 +--- a/src/machine/meson.build ++++ b/src/machine/meson.build +@@ -44,14 +44,12 @@ if conf.get('ENABLE_MACHINED') == 1 + install_data('org.freedesktop.machine1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.machine1.policy', ++ policy = configure_file( + input : 'org.freedesktop.machine1.policy.in', + output : 'org.freedesktop.machine1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + endif + + tests += [ +diff --git a/src/machine/org.freedesktop.machine1.policy.in b/src/machine/org.freedesktop.machine1.policy.in +index eeeeb4c..039c3d4 100644 +--- a/src/machine/org.freedesktop.machine1.policy.in ++++ b/src/machine/org.freedesktop.machine1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Log into a local container +- Authentication is required to log into a local container. ++ Log into a local container ++ Authentication is required to log into a local container. + + auth_admin + auth_admin +@@ -29,8 +29,8 @@ + + + +- Log into the local host +- Authentication is required to log into the local host. ++ Log into the local host ++ Authentication is required to log into the local host. + + auth_admin + auth_admin +@@ -39,8 +39,8 @@ + + + +- Acquire a shell in a local container +- Authentication is required to acquire a shell in a local container. ++ Acquire a shell in a local container ++ Authentication is required to acquire a shell in a local container. 
+ + auth_admin + auth_admin +@@ -50,8 +50,8 @@ + + + +- Acquire a shell on the local host +- Authentication is required to acquire a shell on the local host. ++ Acquire a shell on the local host ++ Authentication is required to acquire a shell on the local host. + + auth_admin + auth_admin +@@ -61,8 +61,8 @@ + + + +- Acquire a pseudo TTY in a local container +- Authentication is required to acquire a pseudo TTY in a local container. ++ Acquire a pseudo TTY in a local container ++ Authentication is required to acquire a pseudo TTY in a local container. + + auth_admin + auth_admin +@@ -71,8 +71,8 @@ + + + +- Acquire a pseudo TTY on the local host +- Authentication is required to acquire a pseudo TTY on the local host. ++ Acquire a pseudo TTY on the local host ++ Authentication is required to acquire a pseudo TTY on the local host. + + auth_admin + auth_admin +@@ -81,8 +81,8 @@ + + + +- Manage local virtual machines and containers +- Authentication is required to manage local virtual machines and containers. ++ Manage local virtual machines and containers ++ Authentication is required to manage local virtual machines and containers. + + auth_admin + auth_admin +@@ -92,8 +92,8 @@ + + + +- Manage local virtual machine and container images +- Authentication is required to manage local virtual machine and container images. ++ Manage local virtual machine and container images ++ Authentication is required to manage local virtual machine and container images. 
+ + auth_admin + auth_admin +diff --git a/src/resolve/meson.build b/src/resolve/meson.build +index 15752d2..7e7876d 100644 +--- a/src/resolve/meson.build ++++ b/src/resolve/meson.build +@@ -165,14 +165,12 @@ if conf.get('ENABLE_RESOLVE') == 1 + install_data('resolv.conf', + install_dir : rootlibexecdir) + +- i18n.merge_file( +- 'org.freedesktop.resolve1.policy', ++ policy = configure_file( + input : 'org.freedesktop.resolve1.policy.in', + output : 'org.freedesktop.resolve1.policy', +- po_dir : po_dir, +- data_dirs : po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + endif + + tests += [ +diff --git a/src/resolve/org.freedesktop.resolve1.policy.in b/src/resolve/org.freedesktop.resolve1.policy.in +index da948eb..b65ba3e 100644 +--- a/src/resolve/org.freedesktop.resolve1.policy.in ++++ b/src/resolve/org.freedesktop.resolve1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Register a DNS-SD service +- Authentication is required to register a DNS-SD service ++ Register a DNS-SD service ++ Authentication is required to register a DNS-SD service + + auth_admin + auth_admin +@@ -30,8 +30,8 @@ + + + +- Unregister a DNS-SD service +- Authentication is required to unregister a DNS-SD service ++ Unregister a DNS-SD service ++ Authentication is required to unregister a DNS-SD service + + auth_admin + auth_admin +diff --git a/src/timedate/meson.build b/src/timedate/meson.build +index 80e5cd2..6892596 100644 +--- a/src/timedate/meson.build ++++ b/src/timedate/meson.build +@@ -21,12 +21,10 @@ if conf.get('ENABLE_TIMEDATED') == 1 + install_data('org.freedesktop.timedate1.service', + install_dir : dbussystemservicedir) + +- i18n.merge_file( +- 'org.freedesktop.timedate1.policy', ++ policy = configure_file( + input : 'org.freedesktop.timedate1.policy.in', + output : 'org.freedesktop.timedate1.policy', +- po_dir : po_dir, +- data_dirs : 
po_dir, +- install : install_polkit, +- install_dir : polkitpolicydir) ++ configuration : substs) ++ install_data(policy, ++ install_dir : polkitpolicydir) + endif +diff --git a/src/timedate/org.freedesktop.timedate1.policy.in b/src/timedate/org.freedesktop.timedate1.policy.in +index cc2e165..d488572 100644 +--- a/src/timedate/org.freedesktop.timedate1.policy.in ++++ b/src/timedate/org.freedesktop.timedate1.policy.in +@@ -19,8 +19,8 @@ + http://www.freedesktop.org/wiki/Software/systemd + + +- Set system time +- Authentication is required to set the system time. ++ Set system time ++ Authentication is required to set the system time. + + auth_admin_keep + auth_admin_keep +@@ -30,8 +30,8 @@ + + + +- Set system timezone +- Authentication is required to set the system timezone. ++ Set system timezone ++ Authentication is required to set the system timezone. + + auth_admin_keep + auth_admin_keep +@@ -40,8 +40,8 @@ + + + +- Set RTC to local timezone or UTC +- Authentication is required to control whether ++ Set RTC to local timezone or UTC ++ Authentication is required to control whether + the RTC stores the local or UTC time. + + auth_admin_keep +@@ -51,8 +51,8 @@ + + + +- Turn network time synchronization on or off +- Authentication is required to control whether ++ Turn network time synchronization on or off ++ Authentication is required to control whether + network time synchronization shall be enabled. + + auth_admin_keep diff -Nru systemd-237/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch systemd-237/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch --- systemd-237/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,27 @@
+From: Balint Reczey
+Date: Mon, 8 May 2017 17:02:03 +0200
+Subject: Skip starting systemd-remount-fs.service in containers
+
+even when /etc/fstab is present.
+
+This allows entering fully running state even when /etc/fstab
+lists / to be mounted from a device which is not present in the
+container.
+
+LP: #1576341
+---
+ units/systemd-remount-fs.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
+index 2e5b75e..fb3e30b 100644
+--- a/units/systemd-remount-fs.service.in
++++ b/units/systemd-remount-fs.service.in
+@@ -17,6 +17,7 @@ After=systemd-fsck-root.service
+ Before=local-fs-pre.target local-fs.target shutdown.target
+ Wants=local-fs-pre.target
+ ConditionPathExists=/etc/fstab
++ConditionVirtualization=!container
+
+ [Service]
+ Type=oneshot
diff -Nru systemd-237/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch systemd-237/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch
--- systemd-237/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 2018-04-20 16:55:56.000000000 +0000
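Review bot: In units/systemd-remount-fs.service.in the added `ConditionVirtualization=!container` skips the unit in every container, not only when the root device named in /etc/fstab is missing, so mount options that fstab sets for / or /usr (for example `ro`, `nodev` or `nosuid`) are, as far as I can tell, no longer applied by this service inside containers. The description covers only the missing-device case from LP: #1576341; whether the container manager is expected to apply those options instead is not visible here. I would record the trade-off next to the condition, e.g. `# Skipped in containers: fstab may name a root device that is absent there (LP: #1576341); fstab options for / and /usr are then not applied by this unit.` The [Unit] section starts outside the hunk.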
@@ -0,0 +1,28 @@
+From: Michael Vogt
+Date: Wed, 14 Feb 2018 16:38:13 +0000
+Subject: Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
+
+A change in apparmor mediates auto-activation attempts now through
+AppArmor: https://cgit.freedesktop.org/dbus/dbus/commit/?id=dc25979eb
+
+This breaks the snapd time{zone,server}-control interfaces which limt
+sending dbus message to a (label=unconfined) org.freedesktop.timedate1
+peers.
+
+By adding the AssumedApparmorLabel=unconfined label the snapd interfaces
+work again.
+
+LP: #1749000
+---
+ src/timedate/org.freedesktop.timedate1.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/timedate/org.freedesktop.timedate1.service b/src/timedate/org.freedesktop.timedate1.service
+index 1a15dcd..62802a5 100644
+--- a/src/timedate/org.freedesktop.timedate1.service
++++ b/src/timedate/org.freedesktop.timedate1.service
+@@ -12,3 +12,4 @@ Name=org.freedesktop.timedate1
+ Exec=/lib/systemd/systemd-timedated
+ User=root
+ SystemdService=dbus-org.freedesktop.timedate1.service
++AssumedAppArmorLabel=unconfined
diff -Nru systemd-237/debian/patches/debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch systemd-237/debian/patches/debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch
--- systemd-237/debian/patches/debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch 2018-04-20 16:55:56.000000000 +0000
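Review bot: In src/timedate/org.freedesktop.timedate1.service the added `AssumedAppArmorLabel=unconfined` is a static claim about the label systemd-timedated will run under, and nothing in the file ties it to the daemon's real confinement; if timedated is later given an AppArmor profile, dbus-daemon would presumably keep mediating auto-activation messages against `unconfined`. The patch subject and description also spell the key `AssumedApparmorLabel`, which differs in case from the key actually added, so a search for the documented name will miss it. I would add a comment above the key, e.g. `# dbus-daemon checks auto-activation messages against this label before the service runs; it must match the label systemd-timedated really gets (LP: #1749000)`.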
@@ -0,0 +1,900 @@ +From: Mario Limonciello +Date: Thu, 8 Mar 2018 21:17:33 +0800 +Subject: [PATCH] Introduce suspend-to-hibernate (#8274) + +Suspend to Hibernate is a new sleep method that invokes suspend +for a predefined period of time before automatically waking up +and hibernating the system. + +It's similar to HybridSleep however there isn't a performance +impact on every suspend cycle. + +It's intended to use with systems that may have a higher power +drain in their supported suspend states to prevent battery and +data loss over an extended suspend cycle. + +Signed-off-by: Mario Limonciello +--- + man/logind.conf.xml | 6 +- + man/rules/meson.build | 1 + + man/systemd-sleep.conf.xml | 33 ++++++++-- + man/systemd-suspend.service.xml | 17 +++-- + man/systemd.special.xml | 10 +++ + shell-completion/bash/systemctl.in | 5 +- + shell-completion/zsh/_systemctl.in | 1 + + src/basic/special.h | 1 + + src/login/logind-action.c | 13 +++- + src/login/logind-action.h | 1 + + src/login/logind-dbus.c | 29 +++++++++ + src/login/org.freedesktop.login1.conf | 8 +++ + src/shared/sleep-config.c | 54 +++++++++++++-- + src/shared/sleep-config.h | 4 +- + src/sleep/sleep.c | 94 +++++++++++++++++++++++++-- + src/systemctl/systemctl.c | 46 ++++++++----- + src/test/test-sleep.c | 1 + + units/meson.build | 2 + + units/suspend-to-hibernate.target | 16 +++++ + units/systemd-suspend-to-hibernate.service.in | 19 ++++++ + 20 files changed, 315 insertions(+), 46 deletions(-) + create mode 100644 units/suspend-to-hibernate.target + create mode 100644 units/systemd-suspend-to-hibernate.service.in + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index 8d2bfc5..5fb430f 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -175,7 +175,8 @@ + kexec, + suspend, + hibernate, +- hybrid-sleep, and ++ hybrid-sleep, ++ suspend-to-hibernate, and + lock. + Defaults to ignore. 
+ +@@ -223,7 +224,8 @@ + kexec, + suspend, + hibernate, +- hybrid-sleep, and ++ hybrid-sleep, ++ suspend-to-hibernate, and + lock. + If ignore, logind will never handle these + keys. If lock, all running sessions will be +diff --git a/man/rules/meson.build b/man/rules/meson.build +index 79fc914..5e584cc 100644 +--- a/man/rules/meson.build ++++ b/man/rules/meson.build +@@ -626,6 +626,7 @@ manpages = [ + '8', + ['systemd-hibernate.service', + 'systemd-hybrid-sleep.service', ++ 'systemd-suspend-to-hibernate.service', + 'systemd-sleep'], + ''], + ['systemd-sysctl.service', '8', ['systemd-sysctl'], ''], +diff --git a/man/systemd-sleep.conf.xml b/man/systemd-sleep.conf.xml +index 7fecd66..6ad9ff4 100644 +--- a/man/systemd-sleep.conf.xml ++++ b/man/systemd-sleep.conf.xml +@@ -60,7 +60,7 @@ + + Description + +- systemd supports three general ++ systemd supports four general + power-saving modes: + + +@@ -102,6 +102,17 @@ + suspend-to-both by the kernel. + + ++ ++ ++ suspend-to-hibernate ++ ++ A low power state where the system is initially suspended ++ (the state is stored in RAM). If not interrupted within the delay specified by ++ HibernateDelaySec=, the system will be woken using an RTC ++ alarm and hibernated (the state is then stored on disk). ++ ++ ++ + + + Settings in these files determine what strings +@@ -134,8 +145,9 @@ + /sys/power/disk by, + respectively, + systemd-suspend.service8, +- systemd-hibernate.service8, or +- systemd-hybrid-sleep.service8. ++ systemd-hibernate.service8, ++ systemd-hybrid-sleep.service8, or ++ systemd-suspend-to-hibernate.service8. + More than one value can be specified by separating + multiple values with whitespace. They will be tried + in turn, until one is written without error. If +@@ -152,14 +164,24 @@ + /sys/power/state by, + respectively, + systemd-suspend.service8, +- systemd-hibernate.service8, or +- systemd-hybrid-sleep.service8. 
++ systemd-hibernate.service8, ++ systemd-hybrid-sleep.service8, or ++ systemd-suspend-to-hibernate.service8. + More than one value can be specified by separating + multiple values with whitespace. They will be tried + in turn, until one is written without error. If + neither succeeds, the operation will be aborted. + + ++ ++ HibernateDelaySec= ++ ++ The amount of time in seconds ++ that will pass before the system is automatically ++ put into hibernate when using ++ systemd-suspend-to-hibernate.service8. ++ ++ + + + +@@ -180,6 +202,7 @@ SuspendState=freeze + systemd-suspend.service8, + systemd-hibernate.service8, + systemd-hybrid-sleep.service8, ++ systemd-suspend-to-hibernate.service8, + systemd1, + systemd.directives7 + +diff --git a/man/systemd-suspend.service.xml b/man/systemd-suspend.service.xml +index 24c213e..2455baa 100644 +--- a/man/systemd-suspend.service.xml ++++ b/man/systemd-suspend.service.xml +@@ -50,6 +50,7 @@ + systemd-suspend.service + systemd-hibernate.service + systemd-hybrid-sleep.service ++ systemd-suspend-to-hibernate.service + systemd-sleep + System sleep state logic + +@@ -58,6 +59,7 @@ + systemd-suspend.service + systemd-hibernate.service + systemd-hybrid-sleep.service ++ systemd-suspend-to-hibernate.service + /usr/lib/systemd/system-sleep + + +@@ -72,7 +74,9 @@ + hibernation. Finally, + systemd-hybrid-sleep.service is pulled in by + hybrid-sleep.target to execute hybrid +- hibernation with system suspend. ++ hibernation with system suspend and pulled in by ++ suspend-to-hibernate.target to execute system suspend ++ with a timeout that will activate hibernate later. + + Immediately before entering system suspend and/or + hibernation systemd-suspend.service (and the +@@ -80,8 +84,9 @@ + /usr/lib/systemd/system-sleep/ and pass two + arguments to them. The first argument will be + pre, the second either +- suspend, hibernate, or +- hybrid-sleep depending on the chosen action. 
++ suspend, hibernate, ++ hybrid-sleep, or suspend-to-hibernate ++ depending on the chosen action. + Immediately after leaving system suspend and/or hibernation the + same executables are run, but the first argument is now + post. All executables in this directory are +@@ -100,6 +105,7 @@ + systemd-suspend.service, + systemd-hibernate.service, and + systemd-hybrid-sleep.service ++ systemd-suspend-to-hibernate.service + should never be executed directly. Instead, trigger system sleep + states with a command such as systemctl suspend + or similar. +@@ -128,9 +134,10 @@ + + + ++ + +- Suspend, hibernate, or put the system to +- hybrid sleep. ++ Suspend, hibernate, suspend to hibernate, or put the ++ system to hybrid sleep. + + + +diff --git a/man/systemd.special.xml b/man/systemd.special.xml +index 2810d6f..75e3027 100644 +--- a/man/systemd.special.xml ++++ b/man/systemd.special.xml +@@ -65,6 +65,7 @@ + halt.target, + hibernate.target, + hybrid-sleep.target, ++ suspend-to-hibernate.target, + initrd-fs.target, + initrd-root-device.target, + initrd-root-fs.target, +@@ -307,6 +308,15 @@ + sleep.target. + + ++ ++ suspend-to-hibernate.target ++ ++ A special target unit for suspending the system for a period ++ of time, waking it and putting it into hibernate. This pulls in ++ sleep.target. 
++ ++ ++ + + halt.target + +diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in +index 080deea..de2648a 100644 +--- a/shell-completion/bash/systemctl.in ++++ b/shell-completion/bash/systemctl.in +@@ -205,8 +205,9 @@ _systemctl () { + [JOBS]='cancel' + [ENVS]='set-environment unset-environment import-environment' + [STANDALONE]='daemon-reexec daemon-reload default +- emergency exit halt hibernate hybrid-sleep kexec list-jobs +- list-sockets list-timers list-units list-unit-files poweroff ++ emergency exit halt hibernate hybrid-sleep ++ suspend-to-hibernate kexec list-jobs list-sockets ++ list-timers list-units list-unit-files poweroff + reboot rescue show-environment suspend get-default + is-system-running preset-all' + [FILE]='link switch-root' +diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in +index a3df9a0..ca07444 100644 +--- a/shell-completion/zsh/_systemctl.in ++++ b/shell-completion/zsh/_systemctl.in +@@ -18,6 +18,7 @@ + "force-reload:Reload one or more units if possible, otherwise restart if active" + "hibernate:Hibernate the system" + "hybrid-sleep:Hibernate and suspend the system" ++ "suspend-to-hibernate:Suspend the system for a period of time, and then hibernate it" + "try-reload-or-restart:Reload one or more units if possible, otherwise restart if active" + "isolate:Start one unit and stop all others" + "kill:Send signal to processes of a unit" +diff --git a/src/basic/special.h b/src/basic/special.h +index c058b1d..81078ff 100644 +--- a/src/basic/special.h ++++ b/src/basic/special.h +@@ -37,6 +37,7 @@ + #define SPECIAL_SUSPEND_TARGET "suspend.target" + #define SPECIAL_HIBERNATE_TARGET "hibernate.target" + #define SPECIAL_HYBRID_SLEEP_TARGET "hybrid-sleep.target" ++#define SPECIAL_SUSPEND_TO_HIBERNATE_TARGET "suspend-to-hibernate.target" + + /* Special boot targets */ + #define SPECIAL_RESCUE_TARGET "rescue.target" +diff --git a/src/login/logind-action.c b/src/login/logind-action.c 
+index 852ea9f..0e8e0b2 100644 +--- a/src/login/logind-action.c ++++ b/src/login/logind-action.c +@@ -47,7 +47,8 @@ int manager_handle_action( + [HANDLE_KEXEC] = "Rebooting via kexec...", + [HANDLE_SUSPEND] = "Suspending...", + [HANDLE_HIBERNATE] = "Hibernating...", +- [HANDLE_HYBRID_SLEEP] = "Hibernating and suspending..." ++ [HANDLE_HYBRID_SLEEP] = "Hibernating and suspending...", ++ [HANDLE_SUSPEND_TO_HIBERNATE] = "Suspending to hibernate...", + }; + + static const char * const target_table[_HANDLE_ACTION_MAX] = { +@@ -57,7 +58,8 @@ int manager_handle_action( + [HANDLE_KEXEC] = SPECIAL_KEXEC_TARGET, + [HANDLE_SUSPEND] = SPECIAL_SUSPEND_TARGET, + [HANDLE_HIBERNATE] = SPECIAL_HIBERNATE_TARGET, +- [HANDLE_HYBRID_SLEEP] = SPECIAL_HYBRID_SLEEP_TARGET ++ [HANDLE_HYBRID_SLEEP] = SPECIAL_HYBRID_SLEEP_TARGET, ++ [HANDLE_SUSPEND_TO_HIBERNATE] = SPECIAL_SUSPEND_TO_HIBERNATE_TARGET, + }; + + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +@@ -110,6 +112,8 @@ int manager_handle_action( + supported = can_sleep("hibernate") > 0; + else if (handle == HANDLE_HYBRID_SLEEP) + supported = can_sleep("hybrid-sleep") > 0; ++ else if (handle == HANDLE_SUSPEND_TO_HIBERNATE) ++ supported = can_sleep("suspend-to-hibernate") > 0; + else if (handle == HANDLE_KEXEC) + supported = access(KEXEC, X_OK) >= 0; + else +@@ -125,7 +129,9 @@ int manager_handle_action( + return -EALREADY; + } + +- inhibit_operation = IN_SET(handle, HANDLE_SUSPEND, HANDLE_HIBERNATE, HANDLE_HYBRID_SLEEP) ? INHIBIT_SLEEP : INHIBIT_SHUTDOWN; ++ inhibit_operation = IN_SET(handle, HANDLE_SUSPEND, HANDLE_HIBERNATE, ++ HANDLE_HYBRID_SLEEP, ++ HANDLE_SUSPEND_TO_HIBERNATE) ? 
INHIBIT_SLEEP : INHIBIT_SHUTDOWN; + + /* If the actual operation is inhibited, warn and fail */ + if (!ignore_inhibited && +@@ -172,6 +178,7 @@ static const char* const handle_action_table[_HANDLE_ACTION_MAX] = { + [HANDLE_SUSPEND] = "suspend", + [HANDLE_HIBERNATE] = "hibernate", + [HANDLE_HYBRID_SLEEP] = "hybrid-sleep", ++ [HANDLE_SUSPEND_TO_HIBERNATE] = "suspend-to-hibernate", + [HANDLE_LOCK] = "lock" + }; + +diff --git a/src/login/logind-action.h b/src/login/logind-action.h +index 8c31ec4..1ee8c81 100644 +--- a/src/login/logind-action.h ++++ b/src/login/logind-action.h +@@ -29,6 +29,7 @@ typedef enum HandleAction { + HANDLE_SUSPEND, + HANDLE_HIBERNATE, + HANDLE_HYBRID_SLEEP, ++ HANDLE_SUSPEND_TO_HIBERNATE, + HANDLE_LOCK, + _HANDLE_ACTION_MAX, + _HANDLE_ACTION_INVALID = -1 +diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c +index ae36ece..51617d6 100644 +--- a/src/login/logind-dbus.c ++++ b/src/login/logind-dbus.c +@@ -1924,6 +1924,20 @@ static int method_hybrid_sleep(sd_bus_message *message, void *userdata, sd_bus_e + error); + } + ++static int method_suspend_to_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) { ++ Manager *m = userdata; ++ ++ return method_do_shutdown_or_sleep( ++ m, message, ++ SPECIAL_SUSPEND_TO_HIBERNATE_TARGET, ++ INHIBIT_SLEEP, ++ "org.freedesktop.login1.hibernate", ++ "org.freedesktop.login1.hibernate-multiple-sessions", ++ "org.freedesktop.login1.hibernate-ignore-inhibit", ++ "hybrid-sleep", ++ error); ++} ++ + static int nologin_timeout_handler( + sd_event_source *s, + uint64_t usec, +@@ -2381,6 +2395,19 @@ static int method_can_hybrid_sleep(sd_bus_message *message, void *userdata, sd_b + error); + } + ++static int method_can_suspend_to_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) { ++ Manager *m = userdata; ++ ++ return method_can_shutdown_or_sleep( ++ m, message, ++ INHIBIT_SLEEP, ++ "org.freedesktop.login1.hibernate", ++ 
"org.freedesktop.login1.hibernate-multiple-sessions", ++ "org.freedesktop.login1.hibernate-ignore-inhibit", ++ "suspend-to-hibernate", ++ error); ++} ++ + static int property_get_reboot_to_firmware_setup( + sd_bus *bus, + const char *path, +@@ -2700,12 +2727,14 @@ const sd_bus_vtable manager_vtable[] = { + SD_BUS_METHOD("Suspend", "b", NULL, method_suspend, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("Hibernate", "b", NULL, method_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("HybridSleep", "b", NULL, method_hybrid_sleep, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("SuspendToHibernate", "b", NULL, method_suspend_to_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanPowerOff", NULL, "s", method_can_poweroff, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanReboot", NULL, "s", method_can_reboot, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanHalt", NULL, "s", method_can_halt, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanSuspend", NULL, "s", method_can_suspend, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanHibernate", NULL, "s", method_can_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CanHybridSleep", NULL, "s", method_can_hybrid_sleep, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("CanSuspendToHibernate", NULL, "s", method_can_suspend_to_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ScheduleShutdown", "st", NULL, method_schedule_shutdown, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CancelScheduledShutdown", NULL, "b", method_cancel_scheduled_shutdown, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("Inhibit", "ssss", "h", method_inhibit, SD_BUS_VTABLE_UNPRIVILEGED), +diff --git a/src/login/org.freedesktop.login1.conf b/src/login/org.freedesktop.login1.conf +index d842411..970a217 100644 +--- a/src/login/org.freedesktop.login1.conf ++++ b/src/login/org.freedesktop.login1.conf +@@ -150,6 +150,10 @@ + send_interface="org.freedesktop.login1.Manager" + send_member="HybridSleep"/> + ++ ++ + +@@ -174,6 +178,10 @@ + 
send_interface="org.freedesktop.login1.Manager" + send_member="CanHybridSleep"/> + ++ ++ + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 8b091c4..4a365b1 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -3,6 +3,7 @@ + This file is part of systemd. + + Copyright 2013 Zbigniew Jędrzejewski-Szmek ++ Copyright 2018 Dell Inc. + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by +@@ -41,13 +42,14 @@ + + #define USE(x, y) do { (x) = (y); (y) = NULL; } while (0) + +-int parse_sleep_config(const char *verb, char ***_modes, char ***_states) { ++int parse_sleep_config(const char *verb, char ***_modes, char ***_states, usec_t *_delay) { + + _cleanup_strv_free_ char + **suspend_mode = NULL, **suspend_state = NULL, + **hibernate_mode = NULL, **hibernate_state = NULL, + **hybrid_mode = NULL, **hybrid_state = NULL; + char **modes, **states; ++ usec_t delay; + + const ConfigTableItem items[] = { + { "Sleep", "SuspendMode", config_parse_strv, 0, &suspend_mode }, +@@ -56,6 +58,7 @@ int parse_sleep_config(const char *verb, char ***_modes, char ***_states) { + { "Sleep", "HibernateState", config_parse_strv, 0, &hibernate_state }, + { "Sleep", "HybridSleepMode", config_parse_strv, 0, &hybrid_mode }, + { "Sleep", "HybridSleepState", config_parse_strv, 0, &hybrid_state }, ++ { "Sleep", "HibernateDelaySec", config_parse_sec, 0, &delay}, + {} + }; + +@@ -94,18 +97,26 @@ int parse_sleep_config(const char *verb, char ***_modes, char ***_states) { + USE(states, hybrid_state); + else + states = strv_new("disk", NULL); +- ++ } else if (streq(verb, "suspend-to-hibernate")) { ++ if (delay == 0) ++ delay = 180 * USEC_PER_MINUTE; + } else + assert_not_reached("what verb"); + +- if ((!modes && !streq(verb, "suspend")) || !states) { ++ if ((!modes && (streq(verb, "hibernate") || streq(verb, "hybrid-sleep"))) || ++ (!states && !streq(verb, 
"suspend-to-hibernate"))) { + strv_free(modes); + strv_free(states); + return log_oom(); + } + +- *_modes = modes; +- *_states = states; ++ if (_modes) ++ *_modes = modes; ++ if (_states) ++ *_states = states; ++ if (_delay) ++ *_delay = delay; ++ + return 0; + } + +@@ -266,15 +277,44 @@ static bool enough_memory_for_hibernation(void) { + return r; + } + ++static bool can_s2h(void) { ++ int r; ++ ++ r = access("/sys/class/rtc/rtc0/wakealarm", W_OK); ++ if (r < 0) { ++ log_full(errno == ENOENT ? LOG_DEBUG : LOG_WARNING, ++ "/sys/class/rct/rct0/wakealarm is not writable %m"); ++ return false; ++ } ++ ++ r = can_sleep("suspend"); ++ if (r < 0) { ++ log_debug_errno(r, "Unable to suspend system."); ++ return false; ++ } ++ ++ r = can_sleep("hibernate"); ++ if (r < 0) { ++ log_debug_errno(r, "Unable to hibernate system."); ++ return false; ++ } ++ ++ return true; ++} ++ + int can_sleep(const char *verb) { + _cleanup_strv_free_ char **modes = NULL, **states = NULL; + int r; + + assert(streq(verb, "suspend") || + streq(verb, "hibernate") || +- streq(verb, "hybrid-sleep")); ++ streq(verb, "hybrid-sleep") || ++ streq(verb, "suspend-to-hibernate")); ++ ++ if (streq(verb, "suspend-to-hibernate")) ++ return can_s2h(); + +- r = parse_sleep_config(verb, &modes, &states); ++ r = parse_sleep_config(verb, &modes, &states, NULL); + if (r < 0) + return false; + +diff --git a/src/shared/sleep-config.h b/src/shared/sleep-config.h +index fc5a81d..3dacda0 100644 +--- a/src/shared/sleep-config.h ++++ b/src/shared/sleep-config.h +@@ -20,7 +20,9 @@ + along with systemd; If not, see . 
+ ***/ + +-int parse_sleep_config(const char *verb, char ***modes, char ***states); ++#include "time-util.h" ++ ++int parse_sleep_config(const char *verb, char ***modes, char ***states, usec_t *delay); + + int can_sleep(const char *verb); + int can_sleep_disk(char **types); +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index 518032e..48e7c38 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -4,6 +4,7 @@ + + Copyright 2012 Lennart Poettering + Copyright 2013 Zbigniew Jędrzejewski-Szmek ++ Copyright 2018 Dell Inc. + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by +@@ -25,12 +26,14 @@ + + #include "sd-messages.h" + ++#include "parse-util.h" + #include "def.h" + #include "exec-util.h" + #include "fd-util.h" + #include "fileio.h" + #include "log.h" + #include "sleep-config.h" ++#include "stdio-util.h" + #include "string-util.h" + #include "strv.h" + #include "util.h" +@@ -135,6 +138,83 @@ static int execute(char **modes, char **states) { + return r; + } + ++static int read_wakealarm(uint64_t *result) { ++ _cleanup_free_ char *t = NULL; ++ ++ if (read_one_line_file("/sys/class/rtc/rtc0/since_epoch", &t) >= 0) ++ return safe_atou64(t, result); ++ return -EBADF; ++} ++ ++static int write_wakealarm(const char *str) { ++ ++ _cleanup_fclose_ FILE *f = NULL; ++ int r; ++ ++ f = fopen("/sys/class/rtc/rtc0/wakealarm", "we"); ++ if (!f) ++ return log_error_errno(errno, "Failed to open /sys/class/rtc/rtc0/wakealarm: %m"); ++ ++ r = write_string_stream(f, str, 0); ++ if (r < 0) ++ return log_error_errno(r, "Failed to write '%s' to /sys/class/rtc/rtc0/wakealarm: %m", str); ++ ++ return 0; ++} ++ ++static int execute_s2h(usec_t hibernate_delay_sec) { ++ ++ _cleanup_strv_free_ char **hibernate_modes = NULL, **hibernate_states = NULL, ++ **suspend_modes = NULL, **suspend_states = NULL; ++ usec_t orig_time, cmp_time; ++ char time_str[DECIMAL_STR_MAX(uint64_t)]; ++ int r; ++ 
++ r = parse_sleep_config("suspend", &suspend_modes, &suspend_states, ++ NULL); ++ if (r < 0) ++ return r; ++ ++ r = parse_sleep_config("hibernate", &hibernate_modes, ++ &hibernate_states, NULL); ++ if (r < 0) ++ return r; ++ ++ r = read_wakealarm(&orig_time); ++ if (r < 0) ++ return log_error_errno(errno, "Failed to read time: %d", r); ++ ++ orig_time += hibernate_delay_sec / USEC_PER_SEC; ++ xsprintf(time_str, "%" PRIu64, orig_time); ++ ++ r = write_wakealarm(time_str); ++ if (r < 0) ++ return r; ++ ++ log_debug("Set RTC wake alarm for %s", time_str); ++ ++ r = execute(suspend_modes, suspend_states); ++ if (r < 0) ++ return r; ++ ++ r = read_wakealarm(&cmp_time); ++ if (r < 0) ++ return log_error_errno(errno, "Failed to read time: %d", r); ++ ++ /* reset RTC */ ++ r = write_wakealarm("0"); ++ if (r < 0) ++ return r; ++ ++ log_debug("Woke up at %"PRIu64, cmp_time); ++ ++ /* if woken up after alarm time, hibernate */ ++ if (cmp_time >= orig_time) ++ r = execute(hibernate_modes, hibernate_states); ++ ++ return r; ++} ++ + static void help(void) { + printf("%s COMMAND\n\n" + "Suspend the system, hibernate the system, or both.\n\n" +@@ -144,6 +224,8 @@ static void help(void) { + " suspend Suspend the system\n" + " hibernate Hibernate the system\n" + " hybrid-sleep Both hibernate and suspend the system\n" ++ " suspend-to-hibernate Initially suspend and then hibernate\n" ++ " the system after a fixed period of time\n" + , program_invocation_short_name); + } + +@@ -189,7 +271,8 @@ static int parse_argv(int argc, char *argv[]) { + + if (!streq(arg_verb, "suspend") && + !streq(arg_verb, "hibernate") && +- !streq(arg_verb, "hybrid-sleep")) { ++ !streq(arg_verb, "hybrid-sleep") && ++ !streq(arg_verb, "suspend-to-hibernate")) { + log_error("Unknown command '%s'.", arg_verb); + return -EINVAL; + } +@@ -199,6 +282,7 @@ static int parse_argv(int argc, char *argv[]) { + + int main(int argc, char *argv[]) { + _cleanup_strv_free_ char **modes = NULL, **states = NULL; ++ usec_t 
delay = 0; + int r; + + log_set_target(LOG_TARGET_AUTO); +@@ -209,12 +293,14 @@ int main(int argc, char *argv[]) { + if (r <= 0) + goto finish; + +- r = parse_sleep_config(arg_verb, &modes, &states); ++ r = parse_sleep_config(arg_verb, &modes, &states, &delay); + if (r < 0) + goto finish; + +- r = execute(modes, states); +- ++ if (streq(arg_verb, "suspend-to-hibernate")) ++ r = execute_s2h(delay); ++ else ++ r = execute(modes, states); + finish: + return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS; + } +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index 75198a5..c27116f 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -160,6 +160,7 @@ static enum action { + ACTION_SUSPEND, + ACTION_HIBERNATE, + ACTION_HYBRID_SLEEP, ++ ACTION_SUSPEND_TO_HIBERNATE, + ACTION_RUNLEVEL2, + ACTION_RUNLEVEL3, + ACTION_RUNLEVEL4, +@@ -3032,21 +3033,22 @@ static const struct { + const char *verb; + const char *mode; + } action_table[_ACTION_MAX] = { +- [ACTION_HALT] = { SPECIAL_HALT_TARGET, "halt", "replace-irreversibly" }, +- [ACTION_POWEROFF] = { SPECIAL_POWEROFF_TARGET, "poweroff", "replace-irreversibly" }, +- [ACTION_REBOOT] = { SPECIAL_REBOOT_TARGET, "reboot", "replace-irreversibly" }, +- [ACTION_KEXEC] = { SPECIAL_KEXEC_TARGET, "kexec", "replace-irreversibly" }, +- [ACTION_RUNLEVEL2] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" }, +- [ACTION_RUNLEVEL3] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" }, +- [ACTION_RUNLEVEL4] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" }, +- [ACTION_RUNLEVEL5] = { SPECIAL_GRAPHICAL_TARGET, NULL, "isolate" }, +- [ACTION_RESCUE] = { SPECIAL_RESCUE_TARGET, "rescue", "isolate" }, +- [ACTION_EMERGENCY] = { SPECIAL_EMERGENCY_TARGET, "emergency", "isolate" }, +- [ACTION_DEFAULT] = { SPECIAL_DEFAULT_TARGET, "default", "isolate" }, +- [ACTION_EXIT] = { SPECIAL_EXIT_TARGET, "exit", "replace-irreversibly" }, +- [ACTION_SUSPEND] = { SPECIAL_SUSPEND_TARGET, "suspend", "replace-irreversibly" }, +- [ACTION_HIBERNATE] = { 
SPECIAL_HIBERNATE_TARGET, "hibernate", "replace-irreversibly" },
+- [ACTION_HYBRID_SLEEP] = { SPECIAL_HYBRID_SLEEP_TARGET, "hybrid-sleep", "replace-irreversibly" },
++ [ACTION_HALT] = { SPECIAL_HALT_TARGET, "halt", "replace-irreversibly" },
++ [ACTION_POWEROFF] = { SPECIAL_POWEROFF_TARGET, "poweroff", "replace-irreversibly" },
++ [ACTION_REBOOT] = { SPECIAL_REBOOT_TARGET, "reboot", "replace-irreversibly" },
++ [ACTION_KEXEC] = { SPECIAL_KEXEC_TARGET, "kexec", "replace-irreversibly" },
++ [ACTION_RUNLEVEL2] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" },
++ [ACTION_RUNLEVEL3] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" },
++ [ACTION_RUNLEVEL4] = { SPECIAL_MULTI_USER_TARGET, NULL, "isolate" },
++ [ACTION_RUNLEVEL5] = { SPECIAL_GRAPHICAL_TARGET, NULL, "isolate" },
++ [ACTION_RESCUE] = { SPECIAL_RESCUE_TARGET, "rescue", "isolate" },
++ [ACTION_EMERGENCY] = { SPECIAL_EMERGENCY_TARGET, "emergency", "isolate" },
++ [ACTION_DEFAULT] = { SPECIAL_DEFAULT_TARGET, "default", "isolate" },
++ [ACTION_EXIT] = { SPECIAL_EXIT_TARGET, "exit", "replace-irreversibly" },
++ [ACTION_SUSPEND] = { SPECIAL_SUSPEND_TARGET, "suspend", "replace-irreversibly" },
++ [ACTION_HIBERNATE] = { SPECIAL_HIBERNATE_TARGET, "hibernate", "replace-irreversibly" },
++ [ACTION_HYBRID_SLEEP] = { SPECIAL_HYBRID_SLEEP_TARGET, "hybrid-sleep", "replace-irreversibly" },
++ [ACTION_SUSPEND_TO_HIBERNATE] = { SPECIAL_SUSPEND_TO_HIBERNATE_TARGET, "suspend-to-hibernate", "replace-irreversibly" },
+ };
+
+ static enum action verb_to_action(const char *verb) {
+@@ -3277,6 +3279,11 @@ static int logind_reboot(enum action a) {
+ description = "put system into hybrid sleep";
+ break;
+
++ case ACTION_SUSPEND_TO_HIBERNATE:
++ method = "SuspendToHibernate";
++ description = "put system into suspend followed by hibernate";
++ break;
++
+ default:
+ return -EINVAL;
+ }
+@@ -3628,7 +3635,8 @@ static int start_special(int argc, char *argv[], void *userdata) {
+ ACTION_HALT,
+ ACTION_SUSPEND,
+ ACTION_HIBERNATE,
+-
ACTION_HYBRID_SLEEP)) {
++ ACTION_HYBRID_SLEEP,
++ ACTION_SUSPEND_TO_HIBERNATE)) {
+
+ r = logind_reboot(a);
+ if (r >= 0)
+@@ -7305,7 +7313,9 @@ static void systemctl_help(void) {
+ " switch-root ROOT [INIT] Change to a different root file system\n"
+ " suspend Suspend the system\n"
+ " hibernate Hibernate the system\n"
+- " hybrid-sleep Hibernate and suspend the system\n",
++ " hybrid-sleep Hibernate and suspend the system\n"
++ " suspend-to-hibernate Suspend the system, wake after a period of\n"
++ " time and put it into hibernate\n",
+ program_invocation_short_name);
+ }
+
+@@ -8397,6 +8407,7 @@ static int systemctl_main(int argc, char *argv[]) {
+ { "suspend", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
+ { "hibernate", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
+ { "hybrid-sleep", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
++ { "suspend-to-hibernate", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
+ { "default", VERB_ANY, 1, VERB_ONLINE_ONLY, start_special },
+ { "rescue", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
+ { "emergency", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special },
+@@ -8750,6 +8761,7 @@ int main(int argc, char*argv[]) {
+ case ACTION_SUSPEND:
+ case ACTION_HIBERNATE:
+ case ACTION_HYBRID_SLEEP:
++ case ACTION_SUSPEND_TO_HIBERNATE:
+ case ACTION_EMERGENCY:
+ case ACTION_DEFAULT:
+ /* systemctl verbs with no equivalent in the legacy commands.
+diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c
+index 3c2b115..e49ecbe 100644
+--- a/src/test/test-sleep.c
++++ b/src/test/test-sleep.c
+@@ -48,6 +48,7 @@ static void test_sleep(void) {
+ log_info("Suspend configured and possible: %s", yes_no(can_sleep("suspend") > 0));
+ log_info("Hibernation configured and possible: %s", yes_no(can_sleep("hibernate") > 0));
+ log_info("Hybrid-sleep configured and possible: %s", yes_no(can_sleep("hybrid-sleep") > 0));
++ log_info("Suspend-to-Hibernate configured and possible: %s", yes_no(can_sleep("suspend-to-hibernate") > 0));
+ }
+
+ int main(int argc, char* argv[]) {
+diff --git a/units/meson.build b/units/meson.build
+index d58abfe..20fb90d 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -36,6 +36,7 @@ units = [
+ ['halt.target', ''],
+ ['hibernate.target', 'ENABLE_HIBERNATE'],
+ ['hybrid-sleep.target', 'ENABLE_HIBERNATE'],
++ ['suspend-to-hibernate.target', 'ENABLE_HIBERNATE'],
+ ['initrd-fs.target', ''],
+ ['initrd-root-device.target', ''],
+ ['initrd-root-fs.target', ''],
+@@ -158,6 +159,7 @@ in_units = [
+ ['systemd-hibernate-resume@.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hibernate.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hybrid-sleep.service', 'ENABLE_HIBERNATE'],
++ ['systemd-suspend-to-hibernate.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hostnamed.service', 'ENABLE_HOSTNAMED',
+ 'dbus-org.freedesktop.hostname1.service'],
+ ['systemd-hwdb-update.service', 'ENABLE_HWDB',
+diff --git a/units/suspend-to-hibernate.target b/units/suspend-to-hibernate.target
+new file mode 100644
+index 0000000..b9ab6d1
+--- /dev/null
++++ b/units/suspend-to-hibernate.target
+@@ -0,0 +1,16 @@
++# SPDX-License-Identifier: LGPL-2.1+
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++[Unit]
++Description=Suspend; Idle into hibernate
++Documentation=man:systemd.special(7)
++DefaultDependencies=no
++Requires=systemd-suspend-to-hibernate.service
++After=systemd-suspend-to-hibernate.service
++StopWhenUnneeded=yes
+diff --git a/units/systemd-suspend-to-hibernate.service.in b/units/systemd-suspend-to-hibernate.service.in
+new file mode 100644
+index 0000000..9bec9f6
+--- /dev/null
++++ b/units/systemd-suspend-to-hibernate.service.in
+@@ -0,0 +1,19 @@
++# SPDX-License-Identifier: LGPL-2.1+
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++[Unit]
++Description=Suspend; Idle into hibernate
++Documentation=man:systemd-suspend.service(8)
++DefaultDependencies=no
++Requires=sleep.target
++After=sleep.target
++
++[Service]
++Type=oneshot
++ExecStart=@rootlibexecdir@/systemd-sleep suspend-to-hibernate
diff -Nru systemd-237/debian/patches/debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch systemd-237/debian/patches/debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch
--- systemd-237/debian/patches/debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,671 @@ +From: Mario Limonciello +Date: Wed, 28 Mar 2018 11:00:06 -0500 +Subject: [PATCH] Rename suspend-to-hibernate to suspend-then-hibernate + +Per some discussion with Gnome folks, they would prefer this name +as it's more descriptive of what's happening. +--- + man/logind.conf.xml | 4 +-- + man/rules/meson.build | 2 +- + man/systemd-sleep.conf.xml | 10 +++--- + man/systemd-suspend.service.xml | 14 ++++---- + man/systemd.special.xml | 4 +-- + shell-completion/bash/systemctl.in | 2 +- + shell-completion/zsh/_systemctl.in | 2 +- + src/basic/special.h | 2 +- + src/login/logind-action.c | 12 +++---- + src/login/logind-action.h | 2 +- + src/login/logind-dbus.c | 12 +++---- + src/login/org.freedesktop.login1.conf | 4 +-- + src/shared/sleep-config.c | 8 ++--- + src/sleep/sleep.c | 6 ++-- + src/systemctl/systemctl.c | 46 ++++++++++++------------- + src/test/test-sleep.c | 2 +- + units/meson.build | 4 +-- + units/suspend-then-hibernate.target | 16 +++++++++ + units/suspend-to-hibernate.target | 16 --------- + units/systemd-suspend-then-hibernate.service.in | 19 ++++++++++ + units/systemd-suspend-to-hibernate.service.in | 19 ---------- + 21 files changed, 103 insertions(+), 103 deletions(-) + create mode 100644 units/suspend-then-hibernate.target + delete mode 100644 units/suspend-to-hibernate.target + create mode 100644 units/systemd-suspend-then-hibernate.service.in + delete mode 100644 units/systemd-suspend-to-hibernate.service.in + +diff --git a/man/logind.conf.xml b/man/logind.conf.xml +index 5fb430f..04b89b0 100644 +--- a/man/logind.conf.xml ++++ b/man/logind.conf.xml +@@ -176,7 +176,7 @@ + suspend, + hibernate, + hybrid-sleep, +- suspend-to-hibernate, and ++ suspend-then-hibernate, and + lock. + Defaults to ignore. + +@@ -225,7 +225,7 @@ + suspend, + hibernate, + hybrid-sleep, +- suspend-to-hibernate, and ++ suspend-then-hibernate, and + lock. + If ignore, logind will never handle these + keys. 
If lock, all running sessions will be +diff --git a/man/rules/meson.build b/man/rules/meson.build +index 5e584cc..67f3f17 100644 +--- a/man/rules/meson.build ++++ b/man/rules/meson.build +@@ -626,7 +626,7 @@ manpages = [ + '8', + ['systemd-hibernate.service', + 'systemd-hybrid-sleep.service', +- 'systemd-suspend-to-hibernate.service', ++ 'systemd-suspend-then-hibernate.service', + 'systemd-sleep'], + ''], + ['systemd-sysctl.service', '8', ['systemd-sysctl'], ''], +diff --git a/man/systemd-sleep.conf.xml b/man/systemd-sleep.conf.xml +index 6ad9ff4..3d94a45 100644 +--- a/man/systemd-sleep.conf.xml ++++ b/man/systemd-sleep.conf.xml +@@ -104,7 +104,7 @@ + + + +- suspend-to-hibernate ++ suspend-then-hibernate + + A low power state where the system is initially suspended + (the state is stored in RAM). If not interrupted within the delay specified by +@@ -147,7 +147,7 @@ + systemd-suspend.service8, + systemd-hibernate.service8, + systemd-hybrid-sleep.service8, or +- systemd-suspend-to-hibernate.service8. ++ systemd-suspend-then-hibernate.service8. + More than one value can be specified by separating + multiple values with whitespace. They will be tried + in turn, until one is written without error. If +@@ -166,7 +166,7 @@ + systemd-suspend.service8, + systemd-hibernate.service8, + systemd-hybrid-sleep.service8, or +- systemd-suspend-to-hibernate.service8. ++ systemd-suspend-then-hibernate.service8. + More than one value can be specified by separating + multiple values with whitespace. They will be tried + in turn, until one is written without error. If +@@ -179,7 +179,7 @@ + The amount of time in seconds + that will pass before the system is automatically + put into hibernate when using +- systemd-suspend-to-hibernate.service8. ++ systemd-suspend-then-hibernate.service8. 
+ + + +@@ -202,7 +202,7 @@ SuspendState=freeze + systemd-suspend.service8, + systemd-hibernate.service8, + systemd-hybrid-sleep.service8, +- systemd-suspend-to-hibernate.service8, ++ systemd-suspend-then-hibernate.service8, + systemd1, + systemd.directives7 + +diff --git a/man/systemd-suspend.service.xml b/man/systemd-suspend.service.xml +index 2455baa..8b9a11c 100644 +--- a/man/systemd-suspend.service.xml ++++ b/man/systemd-suspend.service.xml +@@ -50,7 +50,7 @@ + systemd-suspend.service + systemd-hibernate.service + systemd-hybrid-sleep.service +- systemd-suspend-to-hibernate.service ++ systemd-suspend-then-hibernate.service + systemd-sleep + System sleep state logic + +@@ -59,7 +59,7 @@ + systemd-suspend.service + systemd-hibernate.service + systemd-hybrid-sleep.service +- systemd-suspend-to-hibernate.service ++ systemd-suspend-then-hibernate.service + /usr/lib/systemd/system-sleep + + +@@ -75,7 +75,7 @@ + systemd-hybrid-sleep.service is pulled in by + hybrid-sleep.target to execute hybrid + hibernation with system suspend and pulled in by +- suspend-to-hibernate.target to execute system suspend ++ suspend-then-hibernate.target to execute system suspend + with a timeout that will activate hibernate later. + + Immediately before entering system suspend and/or +@@ -85,7 +85,7 @@ + arguments to them. The first argument will be + pre, the second either + suspend, hibernate, +- hybrid-sleep, or suspend-to-hibernate ++ hybrid-sleep, or suspend-then-hibernate + depending on the chosen action. + Immediately after leaving system suspend and/or hibernation the + same executables are run, but the first argument is now +@@ -105,7 +105,7 @@ + systemd-suspend.service, + systemd-hibernate.service, and + systemd-hybrid-sleep.service +- systemd-suspend-to-hibernate.service ++ systemd-suspend-then-hibernate.service + should never be executed directly. Instead, trigger system sleep + states with a command such as systemctl suspend + or similar. 
+@@ -134,9 +134,9 @@ + + + +- ++ + +- Suspend, hibernate, suspend to hibernate, or put the ++ Suspend, hibernate, suspend then hibernate, or put the + system to hybrid sleep. + + +diff --git a/man/systemd.special.xml b/man/systemd.special.xml +index 75e3027..1ad2aff 100644 +--- a/man/systemd.special.xml ++++ b/man/systemd.special.xml +@@ -65,7 +65,7 @@ + halt.target, + hibernate.target, + hybrid-sleep.target, +- suspend-to-hibernate.target, ++ suspend-then-hibernate.target, + initrd-fs.target, + initrd-root-device.target, + initrd-root-fs.target, +@@ -309,7 +309,7 @@ + + + +- suspend-to-hibernate.target ++ suspend-then-hibernate.target + + A special target unit for suspending the system for a period + of time, waking it and putting it into hibernate. This pulls in +diff --git a/shell-completion/bash/systemctl.in b/shell-completion/bash/systemctl.in +index de2648a..c3b9769 100644 +--- a/shell-completion/bash/systemctl.in ++++ b/shell-completion/bash/systemctl.in +@@ -206,7 +206,7 @@ _systemctl () { + [ENVS]='set-environment unset-environment import-environment' + [STANDALONE]='daemon-reexec daemon-reload default + emergency exit halt hibernate hybrid-sleep +- suspend-to-hibernate kexec list-jobs list-sockets ++ suspend-then-hibernate kexec list-jobs list-sockets + list-timers list-units list-unit-files poweroff + reboot rescue show-environment suspend get-default + is-system-running preset-all' +diff --git a/shell-completion/zsh/_systemctl.in b/shell-completion/zsh/_systemctl.in +index ca07444..6957a84 100644 +--- a/shell-completion/zsh/_systemctl.in ++++ b/shell-completion/zsh/_systemctl.in +@@ -18,7 +18,7 @@ + "force-reload:Reload one or more units if possible, otherwise restart if active" + "hibernate:Hibernate the system" + "hybrid-sleep:Hibernate and suspend the system" +- "suspend-to-hibernate:Suspend the system for a period of time, and then hibernate it" ++ "suspend-then-hibernate:Suspend the system for a period of time, and then hibernate it" + 
"try-reload-or-restart:Reload one or more units if possible, otherwise restart if active"
+ "isolate:Start one unit and stop all others"
+ "kill:Send signal to processes of a unit"
+diff --git a/src/basic/special.h b/src/basic/special.h
+index 81078ff..808d889 100644
+--- a/src/basic/special.h
++++ b/src/basic/special.h
+@@ -37,7 +37,7 @@
+ #define SPECIAL_SUSPEND_TARGET "suspend.target"
+ #define SPECIAL_HIBERNATE_TARGET "hibernate.target"
+ #define SPECIAL_HYBRID_SLEEP_TARGET "hybrid-sleep.target"
+-#define SPECIAL_SUSPEND_TO_HIBERNATE_TARGET "suspend-to-hibernate.target"
++#define SPECIAL_SUSPEND_THEN_HIBERNATE_TARGET "suspend-then-hibernate.target"
+
+ /* Special boot targets */
+ #define SPECIAL_RESCUE_TARGET "rescue.target"
+diff --git a/src/login/logind-action.c b/src/login/logind-action.c
+index 0e8e0b2..da38a2c 100644
+--- a/src/login/logind-action.c
++++ b/src/login/logind-action.c
+@@ -48,7 +48,7 @@ int manager_handle_action(
+ [HANDLE_SUSPEND] = "Suspending...",
+ [HANDLE_HIBERNATE] = "Hibernating...",
+ [HANDLE_HYBRID_SLEEP] = "Hibernating and suspending...",
+- [HANDLE_SUSPEND_TO_HIBERNATE] = "Suspending to hibernate...",
++ [HANDLE_SUSPEND_THEN_HIBERNATE] = "Suspending, then hibernating...",
+ };
+
+ static const char * const target_table[_HANDLE_ACTION_MAX] = {
+@@ -59,7 +59,7 @@ int manager_handle_action(
+ [HANDLE_SUSPEND] = SPECIAL_SUSPEND_TARGET,
+ [HANDLE_HIBERNATE] = SPECIAL_HIBERNATE_TARGET,
+ [HANDLE_HYBRID_SLEEP] = SPECIAL_HYBRID_SLEEP_TARGET,
+- [HANDLE_SUSPEND_TO_HIBERNATE] = SPECIAL_SUSPEND_TO_HIBERNATE_TARGET,
++ [HANDLE_SUSPEND_THEN_HIBERNATE] = SPECIAL_SUSPEND_THEN_HIBERNATE_TARGET,
+ };
+
+ _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
+@@ -112,8 +112,8 @@ int manager_handle_action(
+ supported = can_sleep("hibernate") > 0;
+ else if (handle == HANDLE_HYBRID_SLEEP)
+ supported = can_sleep("hybrid-sleep") > 0;
+- else if (handle == HANDLE_SUSPEND_TO_HIBERNATE)
+- supported = can_sleep("suspend-to-hibernate") >
0;
++ else if (handle == HANDLE_SUSPEND_THEN_HIBERNATE)
++ supported = can_sleep("suspend-then-hibernate") > 0;
+ else if (handle == HANDLE_KEXEC)
+ supported = access(KEXEC, X_OK) >= 0;
+ else
+@@ -131,7 +131,7 @@ int manager_handle_action(
+
+ inhibit_operation = IN_SET(handle, HANDLE_SUSPEND, HANDLE_HIBERNATE,
+ HANDLE_HYBRID_SLEEP,
+- HANDLE_SUSPEND_TO_HIBERNATE) ? INHIBIT_SLEEP : INHIBIT_SHUTDOWN;
++ HANDLE_SUSPEND_THEN_HIBERNATE) ? INHIBIT_SLEEP : INHIBIT_SHUTDOWN;
+
+ /* If the actual operation is inhibited, warn and fail */
+ if (!ignore_inhibited &&
+@@ -178,7 +178,7 @@ static const char* const handle_action_table[_HANDLE_ACTION_MAX] = {
+ [HANDLE_SUSPEND] = "suspend",
+ [HANDLE_HIBERNATE] = "hibernate",
+ [HANDLE_HYBRID_SLEEP] = "hybrid-sleep",
+- [HANDLE_SUSPEND_TO_HIBERNATE] = "suspend-to-hibernate",
++ [HANDLE_SUSPEND_THEN_HIBERNATE] = "suspend-then-hibernate",
+ [HANDLE_LOCK] = "lock"
+ };
+
+diff --git a/src/login/logind-action.h b/src/login/logind-action.h
+index 1ee8c81..9f5dee6 100644
+--- a/src/login/logind-action.h
++++ b/src/login/logind-action.h
+@@ -29,7 +29,7 @@ typedef enum HandleAction {
+ HANDLE_SUSPEND,
+ HANDLE_HIBERNATE,
+ HANDLE_HYBRID_SLEEP,
+- HANDLE_SUSPEND_TO_HIBERNATE,
++ HANDLE_SUSPEND_THEN_HIBERNATE,
+ HANDLE_LOCK,
+ _HANDLE_ACTION_MAX,
+ _HANDLE_ACTION_INVALID = -1
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 51617d6..2222f19 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -1924,12 +1924,12 @@ static int method_hybrid_sleep(sd_bus_message *message, void *userdata, sd_bus_e
+ error);
+ }
+
+-static int method_suspend_to_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) {
++static int method_suspend_then_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+ Manager *m = userdata;
+
+ return method_do_shutdown_or_sleep(
+ m, message,
+- SPECIAL_SUSPEND_TO_HIBERNATE_TARGET,
++ SPECIAL_SUSPEND_THEN_HIBERNATE_TARGET,
+ INHIBIT_SLEEP,
+
"org.freedesktop.login1.hibernate",
+ "org.freedesktop.login1.hibernate-multiple-sessions",
+@@ -2395,7 +2395,7 @@ static int method_can_hybrid_sleep(sd_bus_message *message, void *userdata, sd_b
+ error);
+ }
+
+-static int method_can_suspend_to_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) {
++static int method_can_suspend_then_hibernate(sd_bus_message *message, void *userdata, sd_bus_error *error) {
+ Manager *m = userdata;
+
+ return method_can_shutdown_or_sleep(
+@@ -2404,7 +2404,7 @@ static int method_can_suspend_to_hibernate(sd_bus_message *message, void *userda
+ "org.freedesktop.login1.hibernate",
+ "org.freedesktop.login1.hibernate-multiple-sessions",
+ "org.freedesktop.login1.hibernate-ignore-inhibit",
+- "suspend-to-hibernate",
++ "suspend-then-hibernate",
+ error);
+ }
+
+@@ -2727,14 +2727,14 @@ const sd_bus_vtable manager_vtable[] = {
+ SD_BUS_METHOD("Suspend", "b", NULL, method_suspend, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("Hibernate", "b", NULL, method_hibernate, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("HybridSleep", "b", NULL, method_hybrid_sleep, SD_BUS_VTABLE_UNPRIVILEGED),
+- SD_BUS_METHOD("SuspendToHibernate", "b", NULL, method_suspend_to_hibernate, SD_BUS_VTABLE_UNPRIVILEGED),
++ SD_BUS_METHOD("SuspendThenHibernate", "b", NULL, method_suspend_then_hibernate, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanPowerOff", NULL, "s", method_can_poweroff, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanReboot", NULL, "s", method_can_reboot, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanHalt", NULL, "s", method_can_halt, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanSuspend", NULL, "s", method_can_suspend, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanHibernate", NULL, "s", method_can_hibernate, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("CanHybridSleep", NULL, "s", method_can_hybrid_sleep, SD_BUS_VTABLE_UNPRIVILEGED),
+- SD_BUS_METHOD("CanSuspendToHibernate", NULL, "s",
method_can_suspend_to_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), ++ SD_BUS_METHOD("CanSuspendThenHibernate", NULL, "s", method_can_suspend_then_hibernate, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("ScheduleShutdown", "st", NULL, method_schedule_shutdown, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("CancelScheduledShutdown", NULL, "b", method_cancel_scheduled_shutdown, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("Inhibit", "ssss", "h", method_inhibit, SD_BUS_VTABLE_UNPRIVILEGED), +diff --git a/src/login/org.freedesktop.login1.conf b/src/login/org.freedesktop.login1.conf +index 970a217..f880f3e 100644 +--- a/src/login/org.freedesktop.login1.conf ++++ b/src/login/org.freedesktop.login1.conf +@@ -152,7 +152,7 @@ + + ++ send_member="SuspendThenHibernate"/> + + ++ send_member="CanSuspendThenHibernate"/> + + = 0) +@@ -7314,7 +7314,7 @@ static void systemctl_help(void) { + " suspend Suspend the system\n" + " hibernate Hibernate the system\n" + " hybrid-sleep Hibernate and suspend the system\n" +- " suspend-to-hibernate Suspend the system, wake after a period of\n" ++ " suspend-then-hibernate Suspend the system, wake after a period of\n" + " time and put it into hibernate\n", + program_invocation_short_name); + } +@@ -8407,7 +8407,7 @@ static int systemctl_main(int argc, char *argv[]) { + { "suspend", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, + { "hibernate", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, + { "hybrid-sleep", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, +- { "suspend-to-hibernate", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, ++ { "suspend-then-hibernate",VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, + { "default", VERB_ANY, 1, VERB_ONLINE_ONLY, start_special }, + { "rescue", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, + { "emergency", VERB_ANY, 1, VERB_ONLINE_ONLY, start_system_special }, +@@ -8761,7 +8761,7 @@ int main(int argc, char*argv[]) { + case ACTION_SUSPEND: + case ACTION_HIBERNATE: + 
case ACTION_HYBRID_SLEEP:
+- case ACTION_SUSPEND_TO_HIBERNATE:
++ case ACTION_SUSPEND_THEN_HIBERNATE:
+ case ACTION_EMERGENCY:
+ case ACTION_DEFAULT:
+ /* systemctl verbs with no equivalent in the legacy commands.
+diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c
+index e49ecbe..cea511d 100644
+--- a/src/test/test-sleep.c
++++ b/src/test/test-sleep.c
+@@ -48,7 +48,7 @@ static void test_sleep(void) {
+ log_info("Suspend configured and possible: %s", yes_no(can_sleep("suspend") > 0));
+ log_info("Hibernation configured and possible: %s", yes_no(can_sleep("hibernate") > 0));
+ log_info("Hybrid-sleep configured and possible: %s", yes_no(can_sleep("hybrid-sleep") > 0));
+- log_info("Suspend-to-Hibernate configured and possible: %s", yes_no(can_sleep("suspend-to-hibernate") > 0));
++ log_info("Suspend-then-Hibernate configured and possible: %s", yes_no(can_sleep("suspend-then-hibernate") > 0));
+ }
+
+ int main(int argc, char* argv[]) {
+diff --git a/units/meson.build b/units/meson.build
+index 20fb90d..da22fa8 100644
+--- a/units/meson.build
++++ b/units/meson.build
+@@ -36,7 +36,7 @@ units = [
+ ['halt.target', ''],
+ ['hibernate.target', 'ENABLE_HIBERNATE'],
+ ['hybrid-sleep.target', 'ENABLE_HIBERNATE'],
+- ['suspend-to-hibernate.target', 'ENABLE_HIBERNATE'],
++ ['suspend-then-hibernate.target', 'ENABLE_HIBERNATE'],
+ ['initrd-fs.target', ''],
+ ['initrd-root-device.target', ''],
+ ['initrd-root-fs.target', ''],
+@@ -159,7 +159,7 @@ in_units = [
+ ['systemd-hibernate-resume@.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hibernate.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hybrid-sleep.service', 'ENABLE_HIBERNATE'],
+- ['systemd-suspend-to-hibernate.service', 'ENABLE_HIBERNATE'],
++ ['systemd-suspend-then-hibernate.service', 'ENABLE_HIBERNATE'],
+ ['systemd-hostnamed.service', 'ENABLE_HOSTNAMED',
+ 'dbus-org.freedesktop.hostname1.service'],
+ ['systemd-hwdb-update.service', 'ENABLE_HWDB',
+diff --git a/units/suspend-then-hibernate.target
b/units/suspend-then-hibernate.target
+new file mode 100644
+index 0000000..8c45510
+--- /dev/null
++++ b/units/suspend-then-hibernate.target
+@@ -0,0 +1,16 @@
++# SPDX-License-Identifier: LGPL-2.1+
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++[Unit]
++Description=Suspend; Idle into hibernate
++Documentation=man:systemd.special(7)
++DefaultDependencies=no
++Requires=systemd-suspend-then-hibernate.service
++After=systemd-suspend-then-hibernate.service
++StopWhenUnneeded=yes
+diff --git a/units/suspend-to-hibernate.target b/units/suspend-to-hibernate.target
+deleted file mode 100644
+index b9ab6d1..0000000
+--- a/units/suspend-to-hibernate.target
++++ /dev/null
+@@ -1,16 +0,0 @@
+-# SPDX-License-Identifier: LGPL-2.1+
+-#
+-# This file is part of systemd.
+-#
+-# systemd is free software; you can redistribute it and/or modify it
+-# under the terms of the GNU Lesser General Public License as published by
+-# the Free Software Foundation; either version 2.1 of the License, or
+-# (at your option) any later version.
+-
+-[Unit]
+-Description=Suspend; Idle into hibernate
+-Documentation=man:systemd.special(7)
+-DefaultDependencies=no
+-Requires=systemd-suspend-to-hibernate.service
+-After=systemd-suspend-to-hibernate.service
+-StopWhenUnneeded=yes
+diff --git a/units/systemd-suspend-then-hibernate.service.in b/units/systemd-suspend-then-hibernate.service.in
+new file mode 100644
+index 0000000..441ff16
+--- /dev/null
++++ b/units/systemd-suspend-then-hibernate.service.in
+@@ -0,0 +1,19 @@
++# SPDX-License-Identifier: LGPL-2.1+
++#
++# This file is part of systemd.
++#
++# systemd is free software; you can redistribute it and/or modify it
++# under the terms of the GNU Lesser General Public License as published by
++# the Free Software Foundation; either version 2.1 of the License, or
++# (at your option) any later version.
++
++[Unit]
++Description=Suspend; Idle into hibernate
++Documentation=man:systemd-suspend.service(8)
++DefaultDependencies=no
++Requires=sleep.target
++After=sleep.target
++
++[Service]
++Type=oneshot
++ExecStart=@rootlibexecdir@/systemd-sleep suspend-then-hibernate
+diff --git a/units/systemd-suspend-to-hibernate.service.in b/units/systemd-suspend-to-hibernate.service.in
+deleted file mode 100644
+index 9bec9f6..0000000
+--- a/units/systemd-suspend-to-hibernate.service.in
++++ /dev/null
+@@ -1,19 +0,0 @@
+-# SPDX-License-Identifier: LGPL-2.1+
+-#
+-# This file is part of systemd.
+-#
+-# systemd is free software; you can redistribute it and/or modify it
+-# under the terms of the GNU Lesser General Public License as published by
+-# the Free Software Foundation; either version 2.1 of the License, or
+-# (at your option) any later version.
+-
+-[Unit]
+-Description=Suspend; Idle into hibernate
+-Documentation=man:systemd-suspend.service(8)
+-DefaultDependencies=no
+-Requires=sleep.target
+-After=sleep.target
+-
+-[Service]
+-Type=oneshot
+-ExecStart=@rootlibexecdir@/systemd-sleep suspend-to-hibernate
diff -Nru systemd-237/debian/patches/debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch systemd-237/debian/patches/debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch
--- systemd-237/debian/patches/debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,181 @@ +From: Dimitri John Ledkov +Date: Tue, 13 Mar 2018 23:03:37 +0000 +Subject: core: use setreuid/setregid trick to create session keyring with + right ownership + +Re-use the hacks used to link user keyring, when creating the session +keyring. This way changing ownership of the keyring is not required, and thus +incovation_id can be correctly created in restricted environments. + +Creating invocation_id with root permissions works and linking it into session +keyring works, as at that point session keyring is possessed. + +Simple way to validate this is with following commands: + +$ journalctl -f & +$ sudo systemd-run --uid 1000 /bin/sh -c 'keyctl describe @s; keyctl list @s; keyctl read `keyctl search @s user invocation_id`' + +which now works in LXD containers as well as on the host. + +Fixes: https://github.com/systemd/systemd/issues/7655 +--- + src/core/execute.c | 117 +++++++++++++++++++++++++++-------------------------- + 1 file changed, 59 insertions(+), 58 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 0b5aa53..2919bc1 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2443,7 +2443,9 @@ static int setup_keyring( + uid_t uid, gid_t gid) { + + key_serial_t keyring; +- int r; ++ int r = 0; ++ uid_t saved_uid; ++ gid_t saved_gid; + + assert(u); + assert(context); +@@ -2462,6 +2464,26 @@ static int setup_keyring( + if (context->keyring_mode == EXEC_KEYRING_INHERIT) + return 0; + ++ /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things set up ++ * properly by the kernel. If we don't do that then we can't create it atomically, and that sucks for parallel ++ * execution. This mimics what pam_keyinit does, too. Setting up session keyring, to be owned by the right user ++ * & group is just as nasty as acquiring a reference to the user keyring. 
*/ ++ ++ saved_uid = getuid(); ++ saved_gid = getgid(); ++ ++ if (gid_is_valid(gid) && gid != saved_gid) { ++ if (setregid(gid, -1) < 0) ++ return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m"); ++ } ++ ++ if (uid_is_valid(uid) && uid != saved_uid) { ++ if (setreuid(uid, -1) < 0) { ++ r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m"); ++ goto out; ++ } ++ } ++ + keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0); + if (keyring == -1) { + if (errno == ENOSYS) +@@ -2471,12 +2493,36 @@ static int setup_keyring( + else if (errno == EDQUOT) + log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring."); + else +- return log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m"); ++ r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m"); + +- return 0; ++ goto out; + } + +- /* Populate they keyring with the invocation ID by default. */ ++ /* When requested link the user keyring into the session keyring. */ ++ if (context->keyring_mode == EXEC_KEYRING_SHARED) { ++ ++ if (keyctl(KEYCTL_LINK, ++ KEY_SPEC_USER_KEYRING, ++ KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) { ++ r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m"); ++ goto out; ++ } ++ } ++ ++ /* Restore uid/gid back */ ++ if (uid_is_valid(uid) && uid != saved_uid) { ++ if (setreuid(saved_uid, -1) < 0) { ++ r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m"); ++ goto out; ++ } ++ } ++ ++ if (gid_is_valid(gid) && gid != saved_gid) { ++ if (setregid(saved_gid, -1) < 0) ++ return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m"); ++ } ++ ++ /* Populate they keyring with the invocation ID by default, as original saved_uid. 
*/ + if (!sd_id128_is_null(u->invocation_id)) { + key_serial_t key; + +@@ -2487,65 +2533,20 @@ static int setup_keyring( + if (keyctl(KEYCTL_SETPERM, key, + KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH| + KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0) +- return log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m"); ++ r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m"); + } + } + +- /* And now, make the keyring owned by the service's user */ +- if (uid_is_valid(uid) || gid_is_valid(gid)) +- if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0) +- return log_unit_error_errno(u, errno, "Failed to change ownership of session keyring: %m"); +- +- /* When requested link the user keyring into the session keyring. */ +- if (context->keyring_mode == EXEC_KEYRING_SHARED) { +- uid_t saved_uid; +- gid_t saved_gid; ++out: ++ /* Revert back uid & gid for the the last time, and exit */ ++ /* no extra logging, as only the first already reported error matters */ ++ if (getuid() != saved_uid) ++ (void) setreuid(saved_uid, -1); + +- /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things +- * set up properly by the kernel. If we don't do that then we can't create it atomically, and that +- * sucks for parallel execution. 
This mimics what pam_keyinit does, too.*/ ++ if (getgid() != saved_gid) ++ (void) setregid(saved_gid, -1); + +- saved_uid = getuid(); +- saved_gid = getgid(); +- +- if (gid_is_valid(gid) && gid != saved_gid) { +- if (setregid(gid, -1) < 0) +- return log_unit_error_errno(u, errno, "Failed to change GID for user keyring: %m"); +- } +- +- if (uid_is_valid(uid) && uid != saved_uid) { +- if (setreuid(uid, -1) < 0) { +- (void) setregid(saved_gid, -1); +- return log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m"); +- } +- } +- +- if (keyctl(KEYCTL_LINK, +- KEY_SPEC_USER_KEYRING, +- KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) { +- +- r = -errno; +- +- (void) setreuid(saved_uid, -1); +- (void) setregid(saved_gid, -1); +- +- return log_unit_error_errno(u, r, "Failed to link user keyring into session keyring: %m"); +- } +- +- if (uid_is_valid(uid) && uid != saved_uid) { +- if (setreuid(saved_uid, -1) < 0) { +- (void) setregid(saved_gid, -1); +- return log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m"); +- } +- } +- +- if (gid_is_valid(gid) && gid != saved_gid) { +- if (setregid(saved_gid, -1) < 0) +- return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m"); +- } +- } +- +- return 0; ++ return r; + } + + static void append_socket_pair(int *array, unsigned *n, int pair[2]) { diff -Nru systemd-237/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch systemd-237/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch --- systemd-237/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 2018-04-20 16:55:56.000000000 +0000 
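Review bot: The cleanup under `out:` discards the results of `setreuid(saved_uid, -1)` and `setregid(saved_gid, -1)`, and on the ignored keyring errors visible here (ENOSYS, EDQUOT) `r` is still 0 when control reaches it, so setup_keyring() can report success while the process keeps the service's real UID or GID. Record the failure when no earlier error is pending, e.g. `if (getuid() != saved_uid && setreuid(saved_uid, -1) < 0 && r >= 0) r = -errno;`, and do the same for the GID. The GID restore on the success path also returns directly instead of going through `out:`, which is harmless as written but breaks the single-exit pattern the patch introduces. The start of setup_keyring() and the add_key() call lie outside the visible hunks.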
@@ -0,0 +1,42 @@ +From: Dimitri John Ledkov +Date: Wed, 11 Oct 2017 12:17:03 +0100 +Subject: UBUNTU: drop unrelated settings from sysctl defaults shipped by + systemd. + +--- + sysctl.d/50-default.conf | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index e263cf0..36ae524 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -11,28 +11,8 @@ + # (e.g. /etc/sysctl.d/90-override.conf), and put any assignments + # there. + +-# System Request functionality of the kernel (SYNC) +-# +-# Use kernel.sysrq = 1 to allow all keys. +-# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list +-# of values and keys. +-kernel.sysrq = 16 +- +-# Append the PID to the core filename +-kernel.core_uses_pid = 1 +- +-# Source route verification +-net.ipv4.conf.all.rp_filter = 1 +- +-# Do not accept source routing +-net.ipv4.conf.all.accept_source_route = 0 +- + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.all.promote_secondaries = 1 + + # Fair Queue CoDel packet scheduler to fight bufferbloat + net.core.default_qdisc = fq_codel +- +-# Enable hard and soft link protection +-fs.protected_hardlinks = 1 +-fs.protected_symlinks = 1 diff -Nru systemd-237/debian/patches/debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch systemd-237/debian/patches/debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch --- systemd-237/debian/patches/debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,24 @@
+From: Dimitri John Ledkov
+Date: Tue, 21 Nov 2017 09:06:31 +0000
+Subject: UBUNTU: drop using kvm for qemu tests,
+ as this currently results in unreliable nested kvm.
+
+---
+ test/test-functions | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/test/test-functions b/test/test-functions
+index 22066d9..ab0f87e 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -148,10 +148,6 @@ $KERNEL_APPEND \
+ QEMU_OPTIONS="$QEMU_OPTIONS -initrd $INITRD"
+ fi
+
+- if [ -c /dev/kvm ]; then
+- QEMU_OPTIONS="$QEMU_OPTIONS -machine accel=kvm -enable-kvm -cpu host"
+- fi
+-
+ if [[ "$QEMU_TIMEOUT" != "infinity" ]]; then
+ QEMU_BIN="timeout --foreground $QEMU_TIMEOUT $QEMU_BIN"
+ fi
diff -Nru systemd-237/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch systemd-237/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch
--- systemd-237/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,22 @@
+From: Dimitri John Ledkov
+Date: Mon, 26 Mar 2018 13:41:15 +0100
+Subject: journald.service: set Nice=-1 to dodge watchdog on soft lockups.
+
+LP: #1696970
+(cherry picked from commit c5b77c35b4ec0e1812702240f272fbeea3ad4152)
+---
+ units/systemd-journald.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
+index df76fe4..24c0150 100644
+--- a/units/systemd-journald.service.in
++++ b/units/systemd-journald.service.in
+@@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-journald
+ Restart=always
+ RestartSec=0
+ StandardOutput=null
++Nice=-1
+ WatchdogSec=3min
+ FileDescriptorStoreMax=4224
+ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
diff -Nru systemd-237/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch systemd-237/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch
--- systemd-237/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,66 @@ +From: Dimitri John Ledkov +Date: Fri, 20 Apr 2018 03:24:13 +0100 +Subject: UBUNTU: networkd: if RA was implicit, do not await ndisc_configured. + +If RA was iplicit, meaning not otherwise requested, and a kernel default was in +use. Do not prevent link entering configured state, whilst ndisc configuration +is pending. Implicit kernel RA, is expected to be asynchronous and +non-blocking. + +LP: #1765173 +(cherry picked from commit 4b784890d000aab33a36f95e565469d5b76e6cbf) +--- + src/network/networkd-link.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 64c4508..19eaac2 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -222,7 +222,7 @@ static bool link_proxy_arp_enabled(Link *link) { + return true; + } + +-static bool link_ipv6_accept_ra_enabled(Link *link) { ++static bool link_ipv6_accept_ra_enabled_implicit(Link *link, bool * implicit) { + assert(link); + + if (!socket_ipv6_is_supported()) +@@ -241,9 +241,12 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + * disabled if local forwarding is enabled). + * If set, ignore or enforce RA independent of local forwarding state. 
+ */ +- if (link->network->ipv6_accept_ra < 0) ++ if (link->network->ipv6_accept_ra < 0) { + /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */ ++ if (implicit) ++ *implicit = true; + return !link_ipv6_forward_enabled(link); ++ } + else if (link->network->ipv6_accept_ra > 0) + /* accept RA even if ip_forward is enabled */ + return true; +@@ -252,6 +255,10 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + return false; + } + ++static bool link_ipv6_accept_ra_enabled(Link *link) { ++ return link_ipv6_accept_ra_enabled_implicit(link, NULL); ++} ++ + static IPv6PrivacyExtensions link_ipv6_privacy_extensions(Link *link) { + assert(link); + +@@ -771,8 +778,10 @@ void link_check_ready(Link *link) { + !link->dhcp4_configured && !link->dhcp6_configured)) + return; + +- if (link_ipv6_accept_ra_enabled(link) && !link->ndisc_configured) +- return; ++ bool implicit = false; ++ if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured) ++ if (!implicit) ++ return; + } + + SET_FOREACH(a, link->addresses, i) diff -Nru systemd-237/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch systemd-237/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch --- systemd-237/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch 2018-04-20 16:55:56.000000000 +0000 
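Review bot: `link_ipv6_accept_ra_enabled_implicit()` writes `*implicit` only in the `ipv6_accept_ra < 0` branch, so every other return path leaves the caller's variable untouched and the result is only right because link_check_ready() pre-initialises it to false. Set it at the top of the helper with `if (implicit) *implicit = false;`, and document the out-parameter with a comment such as `/* *implicit is set to true when the answer comes from the kernel default rather than from IPv6AcceptRA= */`. In link_check_ready() the declaration `bool implicit = false;` sits in the middle of the block, and the two nested `if`s can be one condition: `if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured && !implicit) return;`. Parts of both functions lie outside the hunks.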
@@ -0,0 +1,50 @@ +From: Dimitri John Ledkov +Date: Fri, 6 Apr 2018 14:53:39 +0100 +Subject: UBUNTU resolved: Listen on both TCP and UDP by default. + +LP: #1731522 +--- + man/resolved.conf.xml | 4 ++-- + src/resolve/resolved-manager.c | 2 +- + src/resolve/resolved.conf.in | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml +index 451b9cd..bf88c0e 100644 +--- a/man/resolved.conf.xml ++++ b/man/resolved.conf.xml +@@ -233,9 +233,9 @@ + + DNSStubListener= + Takes a boolean argument or one of udp and tcp. If +- udp (the default), a DNS stub resolver will listen for UDP requests on address 127.0.0.53 ++ udp, a DNS stub resolver will listen for UDP requests on address 127.0.0.53 + port 53. If tcp, the stub will listen for TCP requests on the same address and port. If +- yes, the stub listens for both UDP and TCP requests. If no, the stub ++ yes (the default), the stub listens for both UDP and TCP requests. If no, the stub + listener is disabled. 
+ + Note that the DNS stub listener is turned off implicitly when its listening address and port are already +diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c +index 37cef3f..12a9d17 100644 +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -600,7 +600,7 @@ int manager_new(Manager **ret) { + m->mdns_support = RESOLVE_SUPPORT_NO; + m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->enable_cache = true; +- m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP; ++ m->dns_stub_listener_mode = DNS_STUB_LISTENER_YES; + m->read_resolv_conf = true; + m->need_builtin_fallbacks = true; + m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY; +diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in +index bcd7a92..945760a 100644 +--- a/src/resolve/resolved.conf.in ++++ b/src/resolve/resolved.conf.in +@@ -19,4 +19,4 @@ + #MulticastDNS=no + #DNSSEC=@DEFAULT_DNSSEC_MODE@ + #Cache=yes +-#DNSStubListener=udp ++#DNSStubListener=yes diff -Nru systemd-237/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch systemd-237/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch --- systemd-237/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,40 @@
+From: Dimitri John Ledkov
+Date: Fri, 9 Feb 2018 15:57:54 +0000
+Subject: UBUNTU: resolved: disable global LLMNR and MulticastDNS by default.
+
+LP: #1739672
+---
+ src/resolve/resolved-manager.c | 4 ++--
+ src/resolve/resolved.conf.in | 4 ++--
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
+index 2ee0277..37cef3f 100644
+--- a/src/resolve/resolved-manager.c
++++ b/src/resolve/resolved-manager.c
+@@ -596,8 +596,8 @@ int manager_new(Manager **ret) {
+ m->dns_stub_udp_fd = m->dns_stub_tcp_fd = -1;
+ m->hostname_fd = -1;
+
+- m->llmnr_support = RESOLVE_SUPPORT_YES;
+- m->mdns_support = RESOLVE_SUPPORT_YES;
++ m->llmnr_support = RESOLVE_SUPPORT_NO;
++ m->mdns_support = RESOLVE_SUPPORT_NO;
+ m->dnssec_mode = DEFAULT_DNSSEC_MODE;
+ m->enable_cache = true;
+ m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP;
+diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
+index e6b2062..bcd7a92 100644
+--- a/src/resolve/resolved.conf.in
++++ b/src/resolve/resolved.conf.in
+@@ -15,8 +15,8 @@
+ #DNS=
+ #FallbackDNS=@DNS_SERVERS@
+ #Domains=
+-#LLMNR=yes
+-#MulticastDNS=yes
++#LLMNR=no
++#MulticastDNS=no
+ #DNSSEC=@DEFAULT_DNSSEC_MODE@
+ #Cache=yes
+ #DNSStubListener=udp
diff -Nru systemd-237/debian/patches/debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch systemd-237/debian/patches/debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch
--- systemd-237/debian/patches/debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,53 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sun, 11 Mar 2018 09:13:03 +0100 +Subject: [PATCH] shared/sleep-config: fix unitialized variable and use + STR_IN_SET (#8416) + +--- + src/shared/sleep-config.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c +index 4a365b1..94e3e26 100644 +--- a/src/shared/sleep-config.c ++++ b/src/shared/sleep-config.c +@@ -49,7 +49,7 @@ int parse_sleep_config(const char *verb, char ***_modes, char ***_states, usec_t + **hibernate_mode = NULL, **hibernate_state = NULL, + **hybrid_mode = NULL, **hybrid_state = NULL; + char **modes, **states; +- usec_t delay; ++ usec_t delay = 180 * USEC_PER_MINUTE; + + const ConfigTableItem items[] = { + { "Sleep", "SuspendMode", config_parse_strv, 0, &suspend_mode }, +@@ -97,13 +97,13 @@ int parse_sleep_config(const char *verb, char ***_modes, char ***_states, usec_t + USE(states, hybrid_state); + else + states = strv_new("disk", NULL); +- } else if (streq(verb, "suspend-to-hibernate")) { +- if (delay == 0) +- delay = 180 * USEC_PER_MINUTE; +- } else ++ ++ } else if (streq(verb, "suspend-to-hibernate")) ++ modes = states = NULL; ++ else + assert_not_reached("what verb"); + +- if ((!modes && (streq(verb, "hibernate") || streq(verb, "hybrid-sleep"))) || ++ if ((!modes && STR_IN_SET(verb, "hibernate", "hybrid-sleep")) || + (!states && !streq(verb, "suspend-to-hibernate"))) { + strv_free(modes); + strv_free(states); +@@ -306,10 +306,7 @@ int can_sleep(const char *verb) { + _cleanup_strv_free_ char **modes = NULL, **states = NULL; + int r; + +- assert(streq(verb, "suspend") || +- streq(verb, "hibernate") || +- streq(verb, "hybrid-sleep") || +- streq(verb, "suspend-to-hibernate")); ++ assert(STR_IN_SET(verb, "suspend", "hibernate", "hybrid-sleep", "suspend-to-hibernate")); + + if (streq(verb, "suspend-to-hibernate")) + return can_s2h(); diff -Nru 
systemd-237/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch systemd-237/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch --- systemd-237/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,33 @@ +From: Dimitri John Ledkov +Date: Fri, 16 Feb 2018 13:22:49 +0000 +Subject: test/test-fs-util: detect container, in addition to root. + +On armhf, during autopkgtests, whilst root is avilable, full capabilities in +parent namespace are not, since the tests are run in an LXD container. + +This should resolve armhf test failure. +--- + src/test/test-fs-util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index 2525c47..10ecc60 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -35,6 +35,7 @@ + #include "strv.h" + #include "user-util.h" + #include "util.h" ++#include "virt.h" + + static void test_chase_symlinks(void) { + _cleanup_free_ char *result = NULL; +@@ -495,7 +496,7 @@ static void test_touch_file(void) { + assert_se((st.st_mode & 0777) == 0640); + assert_se(timespec_load(&st.st_mtim) == test_mtime); + +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !detect_container()) { + a = strjoina(p, "/cdev"); + assert_se(mknod(a, 0775 | S_IFCHR, makedev(0, 0)) >= 0); + assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0); diff -Nru systemd-237/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch systemd-237/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch --- systemd-237/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,26 @@
+From: Dimitri John Ledkov
+Date: Wed, 8 Nov 2017 16:25:45 +0000
+Subject: UBUNTU: test-process-util: fails to verify cmdline changes in unpriv
+ user-namespace.
+
+Thus skip these asserts when running $ sudo ./test-process-util in an
+unpriviledged user namespaced containers.
+
+(cherry picked from commit 86a4129d308602a1d2ba80b47863b32bec2059df)
+---
+ src/test/test-process-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c
+index 72edcbb..8286b66 100644
+--- a/src/test/test-process-util.c
++++ b/src/test/test-process-util.c
+@@ -381,7 +381,7 @@ static void test_rename_process_now(const char *p, int ret) {
+
+ assert_se(get_process_cmdline(0, 0, false, &cmdline) >= 0);
+ /* we cannot expect cmdline to be renamed properly without privileges */
+- if (geteuid() == 0) {
++ if (geteuid() == 0 && !running_in_userns()) {
+ log_info("cmdline = <%s>", cmdline);
+ assert_se(strneq(p, cmdline, STRLEN("test-process-util")));
+ assert_se(startswith(p, cmdline));
diff -Nru systemd-237/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch systemd-237/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch
--- systemd-237/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,45 @@ +From: Dimitri John Ledkov +Date: Mon, 6 Nov 2017 16:00:13 +0000 +Subject: UBUNTU: test/test-functions: drop all prefixes + +When parsing and installing binaries mentioned in Exec*= lines the +5ed0dcf4d552271115d96d8d22b1a25494b85277 commit added parsing logic to drop +prefixes, including handling duplicate exclamation marks. But this did not +handle arbitrary combination of multiple prefixes, ie. StartExec=+-/bin/sh was +parsed as -/bin/sh which then would fail to install. + +Instead of using egrep and shell replacements, replace both with sed command +that does it all. This sed script extract a group of characters starting with a +/ up to the first space (if any) after the equals sign. This correctly handles +existing non-prefixed, prefixed, multiple-prefixed commands. + +About half commands seem to repeat themself, thus sort -u cuts the list of +binaries to install about in half. + +To validate change of behaviour both old and new functions were modified to +echo parsed binaries into separate files, and then diffed. The incorrect +-/bin/sh was missing in the new output. + +Without this patch tests fail on default Ubuntu installs. 
+ +(cherry picked from commit 84c0a34987d00158e943e3151a1fe21caa78d40c) +--- + test/test-functions | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index ab0f87e..0b7575b 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -432,9 +432,8 @@ install_execs() { + export PKG_CONFIG_PATH=$BUILD_DIR/src/core/ + systemdsystemunitdir=$(pkg-config --variable=systemdsystemunitdir systemd) + systemduserunitdir=$(pkg-config --variable=systemduserunitdir systemd) +- egrep -ho '^Exec[^ ]*=[^ ]+' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \ +- | while read i; do +- i=${i##Exec*=}; i=${i##[@+\!-]}; i=${i##\!} ++ sed -n 's|^Exec[a-zA-Z]*=[^/]*\(/[^ ]*\).*|\1|gp' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \ ++ | sort -u | while read i; do + # some {rc,halt}.local scripts and programs are okay to not exist, the rest should + inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] + done diff -Nru systemd-237/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch systemd-237/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch --- systemd-237/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 2018-04-20 16:55:56.000000000 +0000 
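Review bot: In the new `sed` expression the `[^/]*` after `=` skips anything up to the first slash, not just the `@`, `+`, `-` and `!` prefixes, so for a command written without an absolute path the first argument containing a slash would be handed to `inst`. Restricting the skipped characters to the prefix set, `sed -n 's|^Exec[a-zA-Z]*=[-@+!]*\(/[^ ]*\).*|\1|p'`, keeps the match on the executable; the `g` flag has no effect on a `^`-anchored pattern. The loop should also read with `while read -r i` so backslashes in unit files are not interpreted. install_execs continues outside the hunk.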
@@ -0,0 +1,23 @@
+From: Dimitri John Ledkov
+Date: Fri, 16 Feb 2018 13:28:31 +0000
+Subject: test/test-functions: launch qemu with -vga none
+
+When booting ppc64el virtual machines, they require seabios, unless -vga none
+is specified. Since we do a direct kernel & initrd boot, with -nographic, we
+really have no need for vga or seabios in this case.
+---
+ test/test-functions | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/test/test-functions b/test/test-functions
+index 0b7575b..f5f789c 100644
+--- a/test/test-functions
++++ b/test/test-functions
+@@ -140,6 +140,7 @@ $KERNEL_APPEND \
+ -net none \
+ -m 512M \
+ -nographic \
++-vga none \
+ -kernel $KERNEL_BIN \
+ -drive format=raw,cache=unsafe,file=${TESTDIR}/rootdisk.img \
+ "
diff -Nru systemd-237/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch systemd-237/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch
--- systemd-237/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,42 @@ +From: Dimitri John Ledkov +Date: Mon, 26 Mar 2018 13:17:01 +0100 +Subject: wait-online: exit, if no links are managed. + +(cherry picked from commit 19d11f607ac0f8b1e31f72a8e9d3d44371b9dadb) +--- + src/network/wait-online/manager.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c +index 05f030d..aa963cb 100644 +--- a/src/network/wait-online/manager.c ++++ b/src/network/wait-online/manager.c +@@ -54,6 +54,7 @@ bool manager_all_configured(Manager *m) { + Link *l; + char **ifname; + bool one_ready = false; ++ bool none_managed = true; + + /* wait for all the links given on the command line to appear */ + STRV_FOREACH(ifname, m->interfaces) { +@@ -84,6 +85,11 @@ bool manager_all_configured(Manager *m) { + return false; + } + ++ if (STR_IN_SET(l->state, "configured", "failed")) { ++ log_info("managing: %s", l->ifname); ++ none_managed = false; ++ } ++ + if (l->operational_state && + STR_IN_SET(l->operational_state, "degraded", "routable")) + /* we wait for at least one link to be ready, +@@ -91,7 +97,7 @@ bool manager_all_configured(Manager *m) { + one_ready = true; + } + +- return one_ready; ++ return one_ready || none_managed; + } + + static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *userdata) { diff -Nru systemd-237/debian/patches/debian/Ubuntu-UseDomains-by-default.patch systemd-237/debian/patches/debian/Ubuntu-UseDomains-by-default.patch --- systemd-237/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 2018-04-20 16:55:56.000000000 +0000 
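Review bot: The added `STR_IN_SET(l->state, "configured", "failed")` has no NULL guard, while the `operational_state` test right below it checks the pointer first; unless an earlier check outside the hunk already rejects a NULL `l->state`, guard it the same way with `if (l->state && STR_IN_SET(l->state, "configured", "failed"))`. `log_info("managing: %s", l->ifname)` runs for every managed link on every call, which looks like leftover debugging, so `log_debug` fits better. `none_managed` changes the return value so that a system with no managed links counts as online, and that deserves a comment at the declaration, e.g. `/* true until we see a link networkd manages; with none there is nothing to wait for */`. manager_all_configured() starts before the first hunk and continues between the hunks.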
@@ -0,0 +1,75 @@ +From: Dimitri John Ledkov +Date: Thu, 20 Jul 2017 13:48:31 +0100 +Subject: Set UseDomains to true, by default, on Ubuntu. + +On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries +to a preset 3rd party by default. In resolved, dnssec is also disabled by +default, as too much of the internet is broken and using Ubuntu users to debug +the internet is not very productive - most of the time the end-user cannot fix +or know how to notify the site owners about the dnssec mistakes. Inherintally +the DHCP acquired DNS servers are therefore trusted, and are free to spoof +records. Not trusting DNS search domains, in such scenario, provides limited +security or privacy benefits. From user point of view, this also appears to be +a regression from previous Ubuntu releases which do trust DHCP acquired search +domains by default. + +Therefore we are enabling UseDomains by default on Ubuntu. + +Users may override this setting in the .network files by specifying +[DHCP|IPv6AcceptRA] UseDomains=no|route options. +--- + man/systemd.network.xml | 6 +++--- + src/network/networkd-network.c | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index 80d2802..d91346e 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -310,7 +310,7 @@ + IPv6AcceptRA=. + + Furthermore, note that by default the domain name +- specified through DHCP is not used for name resolution. ++ specified through DHCP, on Ubuntu, are used for name resolution. + See option below. + + See the [DHCP] section below for further configuration options for the DHCP client +@@ -1192,7 +1192,7 @@ + the setting. If set to route, the domain name received from + the DHCP server will be used for routing DNS queries only, but not for searching, similar to the effect of + the setting when the argument is prefixed with ~. Defaults to +- false. ++ true on Ubuntu. 
+ + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +@@ -1355,7 +1355,7 @@ + the effect of the setting. If set to route, the domain name + received via IPv6 RA will be used for routing DNS queries only, but not for searching, similar to the + effect of the setting when the argument is prefixed with +- ~. Defaults to false. ++ ~. Defaults to true on Ubuntu. + + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 2dc3de3..e320c04 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -213,6 +213,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->dhcp_use_routes = true; + /* NOTE: this var might be overwriten by network_apply_anonymize_if_set */ + network->dhcp_send_hostname = true; ++ network->dhcp_use_domains = DHCP_USE_DOMAINS_YES; + /* To enable/disable RFC7844 Anonymity Profiles */ + network->dhcp_anonymize = false; + network->dhcp_route_metric = DHCP_ROUTE_METRIC; +@@ -260,6 +261,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->proxy_arp = -1; + network->arp = -1; + network->ipv6_accept_ra_use_dns = true; ++ network->ipv6_accept_ra_use_domains = DHCP_USE_DOMAINS_YES; + network->ipv6_accept_ra_route_table = RT_TABLE_MAIN; + + dropin_dirname = strjoina(network->name, ".network.d"); diff -Nru systemd-237/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch systemd-237/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch --- 
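Review bot: Both new assignments in network_load_one() flip a default that the man page text kept as context in this same patch still recommends enabling "only on trusted networks", and neither carries a comment marking it as a distribution override. Add one at each assignment, e.g. `/* Ubuntu: use DHCP/RA-supplied search domains by default; UseDomains=no or =route in the .network file opts out */`. The two man page paragraphs should also name the opt-out next to the changed default, so administrators of machines that join untrusted networks can restore the previous behaviour. The RA default matters as much as the DHCP one, since a search domain learned from a router advertisement affects resolution of single-label names in the same way. network_load_one() starts and ends outside the hunks.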
systemd-237/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,39 @@
+From: Dimitri John Ledkov
+Date: Tue, 1 Aug 2017 17:38:05 +0100
+Subject: core: in execute, soft fail setting Nice priority,
+ when permissions are denied
+
+In unpriviledged containers Nice priority setting may not be permitted. Thus
+log and ignore permission failure to set Nice priority in such
+environments. This is similar to how OOMScoreAdjust is treated.
+---
+ src/core/execute.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 0df3971..0b5aa53 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2953,11 +2953,17 @@ static int exec_child(
+ }
+ }
+
+- if (context->nice_set)
+- if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
+- *exit_status = EXIT_NICE;
+- return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m");
+- }
++ if (context->nice_set) {
++ r = setpriority(PRIO_PROCESS, 0, context->nice);
++ if (r == -EPERM || r == -EACCES) {
++ log_open();
++ log_unit_debug_errno(unit, r, "Failed to adjust Nice setting, assuming containerized execution, ignoring: %m");
++ log_close();
++ } else if (r < 0) {
++ *exit_status = EXIT_NICE;
++ return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m");
++ }
++ }
+
+ if (context->cpu_sched_set) {
+ struct sched_param param = {
diff -Nru systemd-237/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch systemd-237/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch
--- systemd-237/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 2018-04-20 16:55:56.000000000 +0000
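Review bot: The permission test added in exec_child, `if (r == -EPERM || r == -EACCES)`, compares the return value of setpriority() with negative errno constants, but setpriority() returns -1 on any failure and reports the cause in errno. Because EPERM is 1 on Linux, `r == -EPERM` holds for every failure, so the `else if (r < 0)` branch that sets `EXIT_NICE` is never reached and every error, not only a denied permission, is logged at debug level with an EPERM message and ignored. Save errno right after the call and test it instead, `if (r < 0 && (errno == EPERM || errno == EACCES)) {`, and pass that saved value rather than `r` to `log_unit_debug_errno`. Since the unit then runs at its inherited priority without the configured Nice= value, a log level above debug may be worth considering for the ignored case. exec_child's body starts and ends outside the hunk.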
@@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Wed, 2 Aug 2017 00:40:28 +0100 +Subject: units: set ConditionVirtualization=!private-users on journald audit + socket + +As it fails to start in an unpriviledged container. +--- + units/systemd-journald-audit.socket | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket +index cb8b774..6649934 100644 +--- a/units/systemd-journald-audit.socket ++++ b/units/systemd-journald-audit.socket +@@ -14,6 +14,7 @@ DefaultDependencies=no + Before=sockets.target + ConditionSecurity=audit + ConditionCapability=CAP_AUDIT_READ ++ConditionVirtualization=!private-users + + [Socket] + Service=systemd-journald.service diff -Nru systemd-237/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch systemd-237/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch --- systemd-237/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2018-04-20 16:55:56.000000000 +0000 @@ -258,12 +258,12 @@ 'src/sleep/sleep.c', include_directories : includes, diff --git a/po/POTFILES.in b/po/POTFILES.in -index f33c53f..4b8ef2e 100644 +index 470829a..55edf97 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in -@@ -6,3 +6,4 @@ src/login/org.freedesktop.login1.policy.in - src/machine/org.freedesktop.machine1.policy.in - src/timedate/org.freedesktop.timedate1.policy.in +@@ -7,3 +7,4 @@ src/machine/org.freedesktop.machine1.policy + src/resolve/org.freedesktop.resolve1.policy + src/timedate/org.freedesktop.timedate1.policy src/core/dbus-unit.c +src/fsckd/fsckd.c 
diff --git a/src/fsckd/fsckd.c b/src/fsckd/fsckd.c diff -Nru systemd-237/debian/patches/install-detect-masked-unit-with-drop-ins.patch systemd-237/debian/patches/install-detect-masked-unit-with-drop-ins.patch --- systemd-237/debian/patches/install-detect-masked-unit-with-drop-ins.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/install-detect-masked-unit-with-drop-ins.patch 2018-04-20 16:55:56.000000000 +0000 @@ -0,0 +1,26 @@ +From: Filipe Brandenburger +Date: Thu, 1 Mar 2018 17:48:15 -0800 +Subject: install: detect masked unit with drop-ins + +Before this fix, a unit with drop-ins will not be reported as masked by +`systemctl is-enabled` or `systemctl list-unit-files`. + +(cherry picked from commit 9639b1752cf97eeee93d2a3dbc8531d6d4d4bc2e) +--- + src/shared/install.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/shared/install.c b/src/shared/install.c +index 026aa32..9628ac6 100644 +--- a/src/shared/install.c ++++ b/src/shared/install.c +@@ -1461,6 +1461,9 @@ static int unit_file_search( + return -ENOENT; + } + ++ if (info->type == UNIT_FILE_TYPE_MASKED) ++ return result; ++ + /* Search for drop-in directories */ + + dropin_dir_name = strjoina(info->name, ".d"); diff -Nru systemd-237/debian/patches/l10n-Update-POTFILES.in-and-POTFILES.skip.patch systemd-237/debian/patches/l10n-Update-POTFILES.in-and-POTFILES.skip.patch --- systemd-237/debian/patches/l10n-Update-POTFILES.in-and-POTFILES.skip.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/l10n-Update-POTFILES.in-and-POTFILES.skip.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,52 @@
+From: Michael Biebl
+Date: Fri, 16 Feb 2018 14:25:32 +0100
+Subject: l10n: Update POTFILES.in and POTFILES.skip
+
+We no longer use .in suffixes for .policy files.
+
+Follow-up for commit 9b3cff199dd3827a9f2df9a7f5874d6ef18880f2 and
+70886abbde59a45cfabe0769c0cdb3af1e5f7790.
+
+(cherry picked from commit d4d4688122a228a90d39ac3bddf29d1bb33d9850)
+---
+ po/POTFILES.in | 16 ++++++++--------
+ po/POTFILES.skip | 2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index f610828..470829a 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -1,9 +1,9 @@
+-src/core/org.freedesktop.systemd1.policy.in.in
+-src/hostname/org.freedesktop.hostname1.policy.in
+-src/import/org.freedesktop.import1.policy.in
+-src/locale/org.freedesktop.locale1.policy.in
+-src/login/org.freedesktop.login1.policy.in
+-src/machine/org.freedesktop.machine1.policy.in
+-src/resolve/org.freedesktop.resolve1.policy.in
+-src/timedate/org.freedesktop.timedate1.policy.in
++src/core/org.freedesktop.systemd1.policy.in
++src/hostname/org.freedesktop.hostname1.policy
++src/import/org.freedesktop.import1.policy
++src/locale/org.freedesktop.locale1.policy
++src/login/org.freedesktop.login1.policy
++src/machine/org.freedesktop.machine1.policy
++src/resolve/org.freedesktop.resolve1.policy
++src/timedate/org.freedesktop.timedate1.policy
+ src/core/dbus-unit.c
+diff --git a/po/POTFILES.skip b/po/POTFILES.skip
+index b56a998..e6ef4d7 100644
+--- a/po/POTFILES.skip
++++ b/po/POTFILES.skip
+@@ -12,9 +12,9 @@ src/core/dbus-target.c
+ src/core/dbus-timer.c
+ src/core/dbus-unit.c
+ src/core/dbus-scope.c
++src/core/org.freedesktop.systemd1.policy
+ src/hostname/hostnamed.c
+ src/locale/localed.c
+-src/core/org.freedesktop.systemd1.policy.in
+ src/timedate/timedated.c
+ units/user@.service.in
+ units/debug-shell.service.in
diff -Nru systemd-237/debian/patches/l10n-update-POTFILES.in-8163.patch systemd-237/debian/patches/l10n-update-POTFILES.in-8163.patch
--- systemd-237/debian/patches/l10n-update-POTFILES.in-8163.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/l10n-update-POTFILES.in-8163.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,20 @@
+From: AsciiWolf
+Date: Tue, 13 Feb 2018 04:05:22 +0100
+Subject: l10n: update POTFILES.in (#8163)
+
+(cherry picked from commit 372771c8d32702f4930ca98a22ec4b27e2f9cfc7)
+---
+ po/POTFILES.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/po/POTFILES.in b/po/POTFILES.in
+index f33c53f..f610828 100644
+--- a/po/POTFILES.in
++++ b/po/POTFILES.in
+@@ -4,5 +4,6 @@ src/import/org.freedesktop.import1.policy.in
+ src/locale/org.freedesktop.locale1.policy.in
+ src/login/org.freedesktop.login1.policy.in
+ src/machine/org.freedesktop.machine1.policy.in
++src/resolve/org.freedesktop.resolve1.policy.in
+ src/timedate/org.freedesktop.timedate1.policy.in
+ src/core/dbus-unit.c
diff -Nru systemd-237/debian/patches/meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch systemd-237/debian/patches/meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch
--- systemd-237/debian/patches/meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-237/debian/patches/meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch 2018-04-20 16:55:56.000000000 +0000
@@ -0,0 +1,185 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Fri, 16 Feb 2018 12:37:42 +0100 +Subject: meson: drop double .in suffix for o.fd.systemd1.policy file + +This file is now undergoing just one transformation, so drop the unnecessary +suffix. + +(cherry picked from commit 70886abbde59a45cfabe0769c0cdb3af1e5f7790) +--- + src/core/meson.build | 2 +- + src/core/org.freedesktop.systemd1.policy.in | 72 ++++++++++++++++++++++++++ + src/core/org.freedesktop.systemd1.policy.in.in | 72 -------------------------- + 3 files changed, 73 insertions(+), 73 deletions(-) + create mode 100644 src/core/org.freedesktop.systemd1.policy.in + delete mode 100644 src/core/org.freedesktop.systemd1.policy.in.in + +diff --git a/src/core/meson.build b/src/core/meson.build +index c58893b..01706db 100644 +--- a/src/core/meson.build ++++ b/src/core/meson.build +@@ -212,7 +212,7 @@ install_data('org.freedesktop.systemd1.service', + install_dir : dbussystemservicedir) + + policy = configure_file( +- input : 'org.freedesktop.systemd1.policy.in.in', ++ input : 'org.freedesktop.systemd1.policy.in', + output : 'org.freedesktop.systemd1.policy', + configuration : substs) + install_data(policy, +diff --git a/src/core/org.freedesktop.systemd1.policy.in b/src/core/org.freedesktop.systemd1.policy.in +new file mode 100644 +index 0000000..648221b +--- /dev/null ++++ b/src/core/org.freedesktop.systemd1.policy.in +@@ -0,0 +1,72 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Send passphrase back to system ++ Authentication is required to send the entered passphrase back to the system. ++ ++ no ++ no ++ auth_admin_keep ++ ++ @rootlibexecdir@/systemd-reply-password ++ ++ ++ ++ Manage system services or other units ++ Authentication is required to manage system services or other units. 
++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Manage system service or unit files ++ Authentication is required to manage system service or unit files. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Set or unset system and service manager environment variables ++ Authentication is required to set or unset system and service manager environment variables. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Reload the systemd state ++ Authentication is required to reload the systemd state. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/core/org.freedesktop.systemd1.policy.in.in b/src/core/org.freedesktop.systemd1.policy.in.in +deleted file mode 100644 +index 648221b..0000000 +--- a/src/core/org.freedesktop.systemd1.policy.in.in ++++ /dev/null +@@ -1,72 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Send passphrase back to system +- Authentication is required to send the entered passphrase back to the system. +- +- no +- no +- auth_admin_keep +- +- @rootlibexecdir@/systemd-reply-password +- +- +- +- Manage system services or other units +- Authentication is required to manage system services or other units. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Manage system service or unit files +- Authentication is required to manage system service or unit files. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Set or unset system and service manager environment variables +- Authentication is required to set or unset system and service manager environment variables. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Reload the systemd state +- Authentication is required to reload the systemd state. 
+- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- diff -Nru systemd-237/debian/patches/meson-drop-unnecessary-transformation-of-policy-files.patch systemd-237/debian/patches/meson-drop-unnecessary-transformation-of-policy-files.patch --- systemd-237/debian/patches/meson-drop-unnecessary-transformation-of-policy-files.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/meson-drop-unnecessary-transformation-of-policy-files.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,1695 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Fri, 16 Feb 2018 12:48:55 +0100 +Subject: meson: drop unnecessary "transformation" of policy files + +Those files don't contain any @variables@, so the configuration step was just +copying them to build/. Let's avoid that, and fix their suffixes while at it. + +(cherry picked from commit 9b3cff199dd3827a9f2df9a7f5874d6ef18880f2) +--- + src/hostname/meson.build | 7 +- + src/hostname/org.freedesktop.hostname1.policy | 52 ++++ + src/hostname/org.freedesktop.hostname1.policy.in | 52 ---- + src/import/meson.build | 7 +- + src/import/org.freedesktop.import1.policy | 51 ++++ + src/import/org.freedesktop.import1.policy.in | 51 ---- + src/locale/meson.build | 7 +- + src/locale/org.freedesktop.locale1.policy | 42 +++ + src/locale/org.freedesktop.locale1.policy.in | 42 --- + src/login/meson.build | 7 +- + src/login/org.freedesktop.login1.policy | 360 +++++++++++++++++++++++ + src/login/org.freedesktop.login1.policy.in | 360 ----------------------- + src/machine/meson.build | 7 +- + src/machine/org.freedesktop.machine1.policy | 104 +++++++ + src/machine/org.freedesktop.machine1.policy.in | 104 ------- + src/resolve/meson.build | 9 +- + src/resolve/org.freedesktop.resolve1.policy | 43 +++ + src/resolve/org.freedesktop.resolve1.policy.in | 43 --- + src/timedate/meson.build | 7 +- + src/timedate/org.freedesktop.timedate1.policy | 64 ++++ + src/timedate/org.freedesktop.timedate1.policy.in | 64 ---- + 21 files changed, 724 insertions(+), 759 deletions(-) + create mode 100644 src/hostname/org.freedesktop.hostname1.policy + delete mode 100644 src/hostname/org.freedesktop.hostname1.policy.in + create mode 100644 src/import/org.freedesktop.import1.policy + delete mode 100644 src/import/org.freedesktop.import1.policy.in + create mode 100644 src/locale/org.freedesktop.locale1.policy + delete mode 100644 src/locale/org.freedesktop.locale1.policy.in + create mode 100644 src/login/org.freedesktop.login1.policy + 
delete mode 100644 src/login/org.freedesktop.login1.policy.in + create mode 100644 src/machine/org.freedesktop.machine1.policy + delete mode 100644 src/machine/org.freedesktop.machine1.policy.in + create mode 100644 src/resolve/org.freedesktop.resolve1.policy + delete mode 100644 src/resolve/org.freedesktop.resolve1.policy.in + create mode 100644 src/timedate/org.freedesktop.timedate1.policy + delete mode 100644 src/timedate/org.freedesktop.timedate1.policy.in + +diff --git a/src/hostname/meson.build b/src/hostname/meson.build +index c35c668..1ab9271 100644 +--- a/src/hostname/meson.build ++++ b/src/hostname/meson.build +@@ -20,11 +20,6 @@ if conf.get('ENABLE_HOSTNAMED') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.hostname1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.hostname1.policy.in', +- output : 'org.freedesktop.hostname1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.hostname1.policy', + install_dir : polkitpolicydir) + endif +diff --git a/src/hostname/org.freedesktop.hostname1.policy b/src/hostname/org.freedesktop.hostname1.policy +new file mode 100644 +index 0000000..4ac82c6 +--- /dev/null ++++ b/src/hostname/org.freedesktop.hostname1.policy +@@ -0,0 +1,52 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Set host name ++ Authentication is required to set the local host name. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Set static host name ++ Authentication is required to set the statically configured local host name, as well as the pretty host name. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.hostname1.set-hostname org.freedesktop.hostname1.set-machine-info ++ ++ ++ ++ Set machine information ++ Authentication is required to set local machine information. 
++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/hostname/org.freedesktop.hostname1.policy.in b/src/hostname/org.freedesktop.hostname1.policy.in +deleted file mode 100644 +index 4ac82c6..0000000 +--- a/src/hostname/org.freedesktop.hostname1.policy.in ++++ /dev/null +@@ -1,52 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Set host name +- Authentication is required to set the local host name. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Set static host name +- Authentication is required to set the statically configured local host name, as well as the pretty host name. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.hostname1.set-hostname org.freedesktop.hostname1.set-machine-info +- +- +- +- Set machine information +- Authentication is required to set local machine information. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +diff --git a/src/import/meson.build b/src/import/meson.build +index e5088b3..975afc6 100644 +--- a/src/import/meson.build ++++ b/src/import/meson.build +@@ -70,12 +70,7 @@ if conf.get('ENABLE_IMPORTD') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.import1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.import1.policy.in', +- output : 'org.freedesktop.import1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.import1.policy', + install_dir : polkitpolicydir) + + install_data('import-pubring.gpg', +diff --git a/src/import/org.freedesktop.import1.policy b/src/import/org.freedesktop.import1.policy +new file mode 100644 +index 0000000..beea5fe +--- /dev/null ++++ b/src/import/org.freedesktop.import1.policy +@@ -0,0 +1,51 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Import a 
VM or container image ++ Authentication is required to import a VM or container image ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Export a VM or container image ++ Authentication is required to export a VM or container image ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Download a VM or container image ++ Authentication is required to download a VM or container image ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/import/org.freedesktop.import1.policy.in b/src/import/org.freedesktop.import1.policy.in +deleted file mode 100644 +index beea5fe..0000000 +--- a/src/import/org.freedesktop.import1.policy.in ++++ /dev/null +@@ -1,51 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Import a VM or container image +- Authentication is required to import a VM or container image +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Export a VM or container image +- Authentication is required to export a VM or container image +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Download a VM or container image +- Authentication is required to download a VM or container image +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +diff --git a/src/locale/meson.build b/src/locale/meson.build +index 30882cc..6b85f6b 100644 +--- a/src/locale/meson.build ++++ b/src/locale/meson.build +@@ -28,12 +28,7 @@ if conf.get('ENABLE_LOCALED') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.locale1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.locale1.policy.in', +- output : 'org.freedesktop.locale1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.locale1.policy', + install_dir : polkitpolicydir) + endif + +diff --git a/src/locale/org.freedesktop.locale1.policy b/src/locale/org.freedesktop.locale1.policy +new 
file mode 100644 +index 0000000..f924174 +--- /dev/null ++++ b/src/locale/org.freedesktop.locale1.policy +@@ -0,0 +1,42 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Set system locale ++ Authentication is required to set the system locale. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.locale1.set-keyboard ++ ++ ++ ++ Set system keyboard settings ++ Authentication is required to set the system keyboard settings. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/locale/org.freedesktop.locale1.policy.in b/src/locale/org.freedesktop.locale1.policy.in +deleted file mode 100644 +index f924174..0000000 +--- a/src/locale/org.freedesktop.locale1.policy.in ++++ /dev/null +@@ -1,42 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Set system locale +- Authentication is required to set the system locale. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.locale1.set-keyboard +- +- +- +- Set system keyboard settings +- Authentication is required to set the system keyboard settings. 
+- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +diff --git a/src/login/meson.build b/src/login/meson.build +index 599c44e..5b75382 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -87,12 +87,7 @@ if conf.get('ENABLE_LOGIND') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.login1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.login1.policy.in', +- output : 'org.freedesktop.login1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.login1.policy', + install_dir : polkitpolicydir) + + install_data('70-power-switch.rules', install_dir : udevrulesdir) +diff --git a/src/login/org.freedesktop.login1.policy b/src/login/org.freedesktop.login1.policy +new file mode 100644 +index 0000000..f1d1f95 +--- /dev/null ++++ b/src/login/org.freedesktop.login1.policy +@@ -0,0 +1,360 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Allow applications to inhibit system shutdown ++ Authentication is required for an application to inhibit system shutdown. ++ ++ no ++ yes ++ yes ++ ++ org.freedesktop.login1.inhibit-delay-shutdown org.freedesktop.login1.inhibit-block-sleep org.freedesktop.login1.inhibit-delay-sleep org.freedesktop.login1.inhibit-block-idle ++ ++ ++ ++ Allow applications to delay system shutdown ++ Authentication is required for an application to delay system shutdown. ++ ++ yes ++ yes ++ yes ++ ++ org.freedesktop.login1.inhibit-delay-sleep ++ ++ ++ ++ Allow applications to inhibit system sleep ++ Authentication is required for an application to inhibit system sleep. ++ ++ no ++ yes ++ yes ++ ++ org.freedesktop.login1.inhibit-delay-sleep org.freedesktop.login1.inhibit-block-idle ++ ++ ++ ++ Allow applications to delay system sleep ++ Authentication is required for an application to delay system sleep. 
++ ++ yes ++ yes ++ yes ++ ++ ++ ++ ++ Allow applications to inhibit automatic system suspend ++ Authentication is required for an application to inhibit automatic system suspend. ++ ++ yes ++ yes ++ yes ++ ++ ++ ++ ++ Allow applications to inhibit system handling of the power key ++ Authentication is required for an application to inhibit system handling of the power key. ++ ++ no ++ yes ++ yes ++ ++ org.freedesktop.login1.inhibit-handle-suspend-key org.freedesktop.login1.inhibit-handle-hibernate-key org.freedesktop.login1.inhibit-handle-lid-switch ++ ++ ++ ++ Allow applications to inhibit system handling of the suspend key ++ Authentication is required for an application to inhibit system handling of the suspend key. ++ ++ no ++ yes ++ yes ++ ++ org.freedesktop.login1.inhibit-handle-hibernate-key org.freedesktop.login1.inhibit-handle-lid-switch ++ ++ ++ ++ Allow applications to inhibit system handling of the hibernate key ++ Authentication is required for an application to inhibit system handling of the hibernate key. ++ ++ no ++ yes ++ yes ++ ++ ++ ++ ++ Allow applications to inhibit system handling of the lid switch ++ Authentication is required for an application to inhibit system handling of the lid switch. ++ ++ no ++ yes ++ yes ++ ++ ++ ++ ++ Allow non-logged-in user to run programs ++ Explicit request is required to run programs as a non-logged-in user. ++ ++ yes ++ yes ++ yes ++ ++ ++ ++ ++ Allow non-logged-in users to run programs ++ Authentication is required to run programs as a non-logged-in user. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Allow attaching devices to seats ++ Authentication is required for attaching a device to a seat. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.flush-devices ++ ++ ++ ++ Flush device to seat attachments ++ Authentication is required for resetting how devices are attached to seats. 
++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Power off the system ++ Authentication is required for powering off the system. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.set-wall-message ++ ++ ++ ++ Power off the system while other users are logged in ++ Authentication is required for powering off the system while other users are logged in. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.power-off ++ ++ ++ ++ Power off the system while an application asked to inhibit it ++ Authentication is required for powering off the system while an application asked to inhibit it. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.power-off ++ ++ ++ ++ Reboot the system ++ Authentication is required for rebooting the system. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.set-wall-message ++ ++ ++ ++ Reboot the system while other users are logged in ++ Authentication is required for rebooting the system while other users are logged in. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.reboot ++ ++ ++ ++ Reboot the system while an application asked to inhibit it ++ Authentication is required for rebooting the system while an application asked to inhibit it. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.reboot ++ ++ ++ ++ Halt the system ++ Authentication is required for halting the system. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.set-wall-message ++ ++ ++ ++ Halt the system while other users are logged in ++ Authentication is required for halting the system while other users are logged in. 
++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.halt ++ ++ ++ ++ Halt the system while an application asked to inhibit it ++ Authentication is required for halting the system while an application asked to inhibit it. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.halt ++ ++ ++ ++ Suspend the system ++ Authentication is required for suspending the system. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ ++ ++ ++ Suspend the system while other users are logged in ++ Authentication is required for suspending the system while other users are logged in. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.suspend ++ ++ ++ ++ Suspend the system while an application asked to inhibit it ++ Authentication is required for suspending the system while an application asked to inhibit it. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.suspend ++ ++ ++ ++ Hibernate the system ++ Authentication is required for hibernating the system. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ ++ ++ ++ Hibernate the system while other users are logged in ++ Authentication is required for hibernating the system while other users are logged in. ++ ++ auth_admin_keep ++ auth_admin_keep ++ yes ++ ++ org.freedesktop.login1.hibernate ++ ++ ++ ++ Hibernate the system while an application asked to inhibit it ++ Authentication is required for hibernating the system while an application asked to inhibit it. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.login1.hibernate ++ ++ ++ ++ Manage active sessions, users and seats ++ Authentication is required for managing active sessions, users and seats. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Lock or unlock active sessions ++ Authentication is required to lock or unlock active sessions. 
++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Allow indication to the firmware to boot to setup interface ++ Authentication is required to indicate to the firmware to boot to setup interface. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Set a wall message ++ Authentication is required to set a wall message ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/login/org.freedesktop.login1.policy.in b/src/login/org.freedesktop.login1.policy.in +deleted file mode 100644 +index f1d1f95..0000000 +--- a/src/login/org.freedesktop.login1.policy.in ++++ /dev/null +@@ -1,360 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Allow applications to inhibit system shutdown +- Authentication is required for an application to inhibit system shutdown. +- +- no +- yes +- yes +- +- org.freedesktop.login1.inhibit-delay-shutdown org.freedesktop.login1.inhibit-block-sleep org.freedesktop.login1.inhibit-delay-sleep org.freedesktop.login1.inhibit-block-idle +- +- +- +- Allow applications to delay system shutdown +- Authentication is required for an application to delay system shutdown. +- +- yes +- yes +- yes +- +- org.freedesktop.login1.inhibit-delay-sleep +- +- +- +- Allow applications to inhibit system sleep +- Authentication is required for an application to inhibit system sleep. +- +- no +- yes +- yes +- +- org.freedesktop.login1.inhibit-delay-sleep org.freedesktop.login1.inhibit-block-idle +- +- +- +- Allow applications to delay system sleep +- Authentication is required for an application to delay system sleep. +- +- yes +- yes +- yes +- +- +- +- +- Allow applications to inhibit automatic system suspend +- Authentication is required for an application to inhibit automatic system suspend. 
+- +- yes +- yes +- yes +- +- +- +- +- Allow applications to inhibit system handling of the power key +- Authentication is required for an application to inhibit system handling of the power key. +- +- no +- yes +- yes +- +- org.freedesktop.login1.inhibit-handle-suspend-key org.freedesktop.login1.inhibit-handle-hibernate-key org.freedesktop.login1.inhibit-handle-lid-switch +- +- +- +- Allow applications to inhibit system handling of the suspend key +- Authentication is required for an application to inhibit system handling of the suspend key. +- +- no +- yes +- yes +- +- org.freedesktop.login1.inhibit-handle-hibernate-key org.freedesktop.login1.inhibit-handle-lid-switch +- +- +- +- Allow applications to inhibit system handling of the hibernate key +- Authentication is required for an application to inhibit system handling of the hibernate key. +- +- no +- yes +- yes +- +- +- +- +- Allow applications to inhibit system handling of the lid switch +- Authentication is required for an application to inhibit system handling of the lid switch. +- +- no +- yes +- yes +- +- +- +- +- Allow non-logged-in user to run programs +- Explicit request is required to run programs as a non-logged-in user. +- +- yes +- yes +- yes +- +- +- +- +- Allow non-logged-in users to run programs +- Authentication is required to run programs as a non-logged-in user. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Allow attaching devices to seats +- Authentication is required for attaching a device to a seat. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.flush-devices +- +- +- +- Flush device to seat attachments +- Authentication is required for resetting how devices are attached to seats. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Power off the system +- Authentication is required for powering off the system. 
+- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.set-wall-message +- +- +- +- Power off the system while other users are logged in +- Authentication is required for powering off the system while other users are logged in. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.power-off +- +- +- +- Power off the system while an application asked to inhibit it +- Authentication is required for powering off the system while an application asked to inhibit it. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.power-off +- +- +- +- Reboot the system +- Authentication is required for rebooting the system. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.set-wall-message +- +- +- +- Reboot the system while other users are logged in +- Authentication is required for rebooting the system while other users are logged in. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.reboot +- +- +- +- Reboot the system while an application asked to inhibit it +- Authentication is required for rebooting the system while an application asked to inhibit it. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.reboot +- +- +- +- Halt the system +- Authentication is required for halting the system. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.set-wall-message +- +- +- +- Halt the system while other users are logged in +- Authentication is required for halting the system while other users are logged in. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.halt +- +- +- +- Halt the system while an application asked to inhibit it +- Authentication is required for halting the system while an application asked to inhibit it. 
+- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.halt +- +- +- +- Suspend the system +- Authentication is required for suspending the system. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- +- +- +- Suspend the system while other users are logged in +- Authentication is required for suspending the system while other users are logged in. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.suspend +- +- +- +- Suspend the system while an application asked to inhibit it +- Authentication is required for suspending the system while an application asked to inhibit it. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.suspend +- +- +- +- Hibernate the system +- Authentication is required for hibernating the system. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- +- +- +- Hibernate the system while other users are logged in +- Authentication is required for hibernating the system while other users are logged in. +- +- auth_admin_keep +- auth_admin_keep +- yes +- +- org.freedesktop.login1.hibernate +- +- +- +- Hibernate the system while an application asked to inhibit it +- Authentication is required for hibernating the system while an application asked to inhibit it. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.login1.hibernate +- +- +- +- Manage active sessions, users and seats +- Authentication is required for managing active sessions, users and seats. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Lock or unlock active sessions +- Authentication is required to lock or unlock active sessions. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Allow indication to the firmware to boot to setup interface +- Authentication is required to indicate to the firmware to boot to setup interface. 
+- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Set a wall message +- Authentication is required to set a wall message +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +diff --git a/src/machine/meson.build b/src/machine/meson.build +index 0f2944c..b530ca6 100644 +--- a/src/machine/meson.build ++++ b/src/machine/meson.build +@@ -43,12 +43,7 @@ if conf.get('ENABLE_MACHINED') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.machine1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.machine1.policy.in', +- output : 'org.freedesktop.machine1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.machine1.policy', + install_dir : polkitpolicydir) + endif + +diff --git a/src/machine/org.freedesktop.machine1.policy b/src/machine/org.freedesktop.machine1.policy +new file mode 100644 +index 0000000..039c3d4 +--- /dev/null ++++ b/src/machine/org.freedesktop.machine1.policy +@@ -0,0 +1,104 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Log into a local container ++ Authentication is required to log into a local container. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Log into the local host ++ Authentication is required to log into the local host. ++ ++ auth_admin ++ auth_admin ++ yes ++ ++ ++ ++ ++ Acquire a shell in a local container ++ Authentication is required to acquire a shell in a local container. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ org.freedesktop.login1.login ++ ++ ++ ++ Acquire a shell on the local host ++ Authentication is required to acquire a shell on the local host. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ org.freedesktop.login1.host-login ++ ++ ++ ++ Acquire a pseudo TTY in a local container ++ Authentication is required to acquire a pseudo TTY in a local container. 
++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Acquire a pseudo TTY on the local host ++ Authentication is required to acquire a pseudo TTY on the local host. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ ++ Manage local virtual machines and containers ++ Authentication is required to manage local virtual machines and containers. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ org.freedesktop.login1.shell org.freedesktop.login1.login ++ ++ ++ ++ Manage local virtual machine and container images ++ Authentication is required to manage local virtual machine and container images. ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/machine/org.freedesktop.machine1.policy.in b/src/machine/org.freedesktop.machine1.policy.in +deleted file mode 100644 +index 039c3d4..0000000 +--- a/src/machine/org.freedesktop.machine1.policy.in ++++ /dev/null +@@ -1,104 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Log into a local container +- Authentication is required to log into a local container. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Log into the local host +- Authentication is required to log into the local host. +- +- auth_admin +- auth_admin +- yes +- +- +- +- +- Acquire a shell in a local container +- Authentication is required to acquire a shell in a local container. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- org.freedesktop.login1.login +- +- +- +- Acquire a shell on the local host +- Authentication is required to acquire a shell on the local host. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- org.freedesktop.login1.host-login +- +- +- +- Acquire a pseudo TTY in a local container +- Authentication is required to acquire a pseudo TTY in a local container. 
+- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Acquire a pseudo TTY on the local host +- Authentication is required to acquire a pseudo TTY on the local host. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +- Manage local virtual machines and containers +- Authentication is required to manage local virtual machines and containers. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- org.freedesktop.login1.shell org.freedesktop.login1.login +- +- +- +- Manage local virtual machine and container images +- Authentication is required to manage local virtual machine and container images. +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- +- +- +diff --git a/src/resolve/meson.build b/src/resolve/meson.build +index 7e7876d..16ba83e 100644 +--- a/src/resolve/meson.build ++++ b/src/resolve/meson.build +@@ -154,6 +154,8 @@ if conf.get('ENABLE_RESOLVE') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.resolve1.service', + install_dir : dbussystemservicedir) ++ install_data('org.freedesktop.resolve1.policy', ++ install_dir : polkitpolicydir) + + resolved_conf = configure_file( + input : 'resolved.conf.in', +@@ -164,13 +166,6 @@ if conf.get('ENABLE_RESOLVE') == 1 + + install_data('resolv.conf', + install_dir : rootlibexecdir) +- +- policy = configure_file( +- input : 'org.freedesktop.resolve1.policy.in', +- output : 'org.freedesktop.resolve1.policy', +- configuration : substs) +- install_data(policy, +- install_dir : polkitpolicydir) + endif + + tests += [ +diff --git a/src/resolve/org.freedesktop.resolve1.policy b/src/resolve/org.freedesktop.resolve1.policy +new file mode 100644 +index 0000000..b65ba3e +--- /dev/null ++++ b/src/resolve/org.freedesktop.resolve1.policy +@@ -0,0 +1,43 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Register a DNS-SD service ++ Authentication is required to register a DNS-SD service ++ ++ auth_admin ++ auth_admin ++ 
auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ ++ Unregister a DNS-SD service ++ Authentication is required to unregister a DNS-SD service ++ ++ auth_admin ++ auth_admin ++ auth_admin_keep ++ ++ unix-user:systemd-resolve ++ ++ ++ +diff --git a/src/resolve/org.freedesktop.resolve1.policy.in b/src/resolve/org.freedesktop.resolve1.policy.in +deleted file mode 100644 +index b65ba3e..0000000 +--- a/src/resolve/org.freedesktop.resolve1.policy.in ++++ /dev/null +@@ -1,43 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Register a DNS-SD service +- Authentication is required to register a DNS-SD service +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- unix-user:systemd-resolve +- +- +- +- Unregister a DNS-SD service +- Authentication is required to unregister a DNS-SD service +- +- auth_admin +- auth_admin +- auth_admin_keep +- +- unix-user:systemd-resolve +- +- +- +diff --git a/src/timedate/meson.build b/src/timedate/meson.build +index 6892596..87482c0 100644 +--- a/src/timedate/meson.build ++++ b/src/timedate/meson.build +@@ -20,11 +20,6 @@ if conf.get('ENABLE_TIMEDATED') == 1 + install_dir : dbuspolicydir) + install_data('org.freedesktop.timedate1.service', + install_dir : dbussystemservicedir) +- +- policy = configure_file( +- input : 'org.freedesktop.timedate1.policy.in', +- output : 'org.freedesktop.timedate1.policy', +- configuration : substs) +- install_data(policy, ++ install_data('org.freedesktop.timedate1.policy', + install_dir : polkitpolicydir) + endif +diff --git a/src/timedate/org.freedesktop.timedate1.policy b/src/timedate/org.freedesktop.timedate1.policy +new file mode 100644 +index 0000000..d488572 +--- /dev/null ++++ b/src/timedate/org.freedesktop.timedate1.policy +@@ -0,0 +1,64 @@ ++ ++ ++ ++ ++ ++ ++ ++ The systemd Project ++ http://www.freedesktop.org/wiki/Software/systemd ++ ++ ++ Set system time ++ Authentication is required to set the system time. 
++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ org.freedesktop.timedate1.set-timezone org.freedesktop.timedate1.set-ntp ++ ++ ++ ++ Set system timezone ++ Authentication is required to set the system timezone. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Set RTC to local timezone or UTC ++ Authentication is required to control whether ++ the RTC stores the local or UTC time. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ ++ Turn network time synchronization on or off ++ Authentication is required to control whether ++ network time synchronization shall be enabled. ++ ++ auth_admin_keep ++ auth_admin_keep ++ auth_admin_keep ++ ++ ++ ++ +diff --git a/src/timedate/org.freedesktop.timedate1.policy.in b/src/timedate/org.freedesktop.timedate1.policy.in +deleted file mode 100644 +index d488572..0000000 +--- a/src/timedate/org.freedesktop.timedate1.policy.in ++++ /dev/null +@@ -1,64 +0,0 @@ +- +- +- +- +- +- +- +- The systemd Project +- http://www.freedesktop.org/wiki/Software/systemd +- +- +- Set system time +- Authentication is required to set the system time. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- org.freedesktop.timedate1.set-timezone org.freedesktop.timedate1.set-ntp +- +- +- +- Set system timezone +- Authentication is required to set the system timezone. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Set RTC to local timezone or UTC +- Authentication is required to control whether +- the RTC stores the local or UTC time. +- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- +- Turn network time synchronization on or off +- Authentication is required to control whether +- network time synchronization shall be enabled. 
+- +- auth_admin_keep +- auth_admin_keep +- auth_admin_keep +- +- +- +- diff -Nru systemd-237/debian/patches/meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch systemd-237/debian/patches/meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch --- systemd-237/debian/patches/meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,37 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sun, 18 Feb 2018 17:39:08 +0100 +Subject: meson: fix systemd-pot target when polkit-devel is not installed + +To successfully extract strings from our .policy files, gettext needs +polkit.{its,loc} files provided by policykit-devel. When that package is not +installed, systemd-pot would fail to extract strings: + +[0/1] Running external command systemd-pot. +xgettext: warning: file 'src/core/org.freedesktop.systemd1.policy.in.in' extension 'policy' is unknown; will try C +xgettext: warning: file 'src/hostname/org.freedesktop.hostname1.policy.in' extension 'policy' is unknown; will try C +... + +We now don't need the .its and .loc files for normal building, but they are +still useful when generating the .pot file, because that way we avoid the +dependency on sufficiently new polkit. We just need to tell i18n to pass their +location to xgettext. + +(cherry picked from commit b0faead2501cd539767dc11d098c08f5730224ff) +--- + po/meson.build | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/po/meson.build b/po/meson.build +index 7ba08fb..01ab7a3 100644 +--- a/po/meson.build ++++ b/po/meson.build +@@ -16,6 +16,6 @@ + # along with systemd; If not, see . + + i18n = import('i18n') +-i18n.gettext(meson.project_name(), preset: 'glib') +- +-po_dir = meson.current_source_dir() ++i18n.gettext(meson.project_name(), ++ preset : 'glib', ++ data_dirs : '.') diff -Nru systemd-237/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch systemd-237/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch --- systemd-237/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,79 @@ +From: Dimitri John Ledkov +Date: Wed, 28 Mar 2018 23:05:17 +0100 +Subject: resolved: Mitigate DVE-2018-0001, + by retrying NXDOMAIN without EDNS0. + +Some captive portals, lie and do not respond with the captive portal IP +address, if the query is with EDNS0 enabled and DO bit set to zero. Thus retry +"secure" domain name look ups with less secure methods, upon NXDOMAIN. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1727237 +Bug-DNS: https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md +(cherry picked from commit cc0a0eb1a9379a81256d68d65f8450a487c0ab12) +--- + src/resolve/resolved-dns-transaction.c | 44 ++++++++++++++++++++++++++++++---- + 1 file changed, 39 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index f4bbde0..7f18116 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -388,12 +388,12 @@ static int dns_transaction_pick_server(DnsTransaction *t) { + if (!server) + return -ESRCH; + +- /* If we changed the server invalidate the feature level clamping, as the new server might have completely +- * different properties. */ +- if (server != t->server) ++ /* If we changed the server invalidate the current & clamp feature levels, as the new server might have ++ * completely different properties. */ ++ if (server != t->server) { + t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; +- +- t->current_feature_level = dns_server_possible_feature_level(server); ++ t->current_feature_level = dns_server_possible_feature_level(server); ++ } + + /* Clamp the feature level if that is requested. 
*/ + if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID && +@@ -954,6 +954,40 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { + return; + } + ++ /* Some captive portals are special in that the Aruba/Datavalet hardware will miss replacing the ++ * packets with the local server IP to point to the authenticated side of the network if EDNS0 is ++ * enabled. Instead they return NXDOMAIN, with DO bit set to zero... nothing to see here, yet respond ++ * with the captive portal IP, when using UDP level. ++ * ++ * Common portal names that fail like so are: ++ * secure.datavalet.io ++ * securelogin.arubanetworks.com ++ * securelogin.networks.mycompany.com ++ * ++ * Thus retry NXDOMAIN RCODES for "secure" things with a lower feature level. ++ * ++ * Do not "clamp" the feature level down, as the captive portal should not be lying for the wider ++ * internet (e.g. _other_ queries were observed fine with EDNS0 on these networks) ++ * ++ * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md ++ */ ++ if (DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN && t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { ++ ++ char key_str[DNS_RESOURCE_KEY_STRING_MAX]; ++ dns_resource_key_to_string(t->key, key_str, sizeof key_str); ++ if (strstr(key_str, "secure") != NULL) { ++ t->current_feature_level = t->current_feature_level - 1; ++ ++ log_warning("Server returned error %s, suspecting DNS violation DVE-2018-0001, retrying transaction with reduced feature level %s.", ++ dns_rcode_to_string(DNS_PACKET_RCODE(p)), ++ dns_server_feature_level_to_string(t->current_feature_level)); ++ ++ dns_transaction_retry(t, false /* use the same server */); ++ return; ++ } ++ ++ } ++ + if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) { + /* This server refused our request? 
If so, try again, use a different server */ + log_debug("Server returned REFUSED, switching servers, and retrying."); diff -Nru systemd-237/debian/patches/series systemd-237/debian/patches/series --- systemd-237/debian/patches/series 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/patches/series 2018-04-20 16:55:56.000000000 +0000 @@ -1,5 +1,17 @@ service-relax-PID-file-symlink-chain-checks-a-bit-8133.patch socket-util-fix-getpeergroups-assert-fd-8080.patch +l10n-update-POTFILES.in-8163.patch +Gettextize-policy-files.patch +meson-drop-double-.in-suffix-for-o.fd.systemd1.policy-fil.patch +meson-drop-unnecessary-transformation-of-policy-files.patch +l10n-Update-POTFILES.in-and-POTFILES.skip.patch +meson-fix-systemd-pot-target-when-polkit-devel-is-not-ins.patch +test-test-functions-Debian-Ubuntu-now-ship-95-dm-notify.r.patch +test-test-functions-on-PP64-use-vmlinux.patch +test-test-functions-on-PPC64-use-hvc0-console.patch +test-masked-unit-with-drop-ins.patch +install-detect-masked-unit-with-drop-ins.patch +resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch debian/Use-Debian-specific-config-files.patch debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch 
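Review bot: In the `dns_transaction_process_reply()` hunk of the nested resolved patch, the downgrade is keyed on `strstr(key_str, "secure") != NULL`, a substring match over the whole formatted key, so an NXDOMAIN for any name that merely contains "secure" is retried at a lower feature level, not only the captive-portal hosts listed in the comment. Because the check runs before the other rcode handling in this function, an unauthenticated NXDOMAIN is enough to make the retry run with less protection than the transaction started with; it is worth confirming that a scope with DNSSEC enforced never takes this path. At minimum I would narrow the match to the leading label, e.g. `if (startswith(dns_resource_key_name(t->key), "secure")) {`, which still covers the three portal names given. The retry also depends on the `dns_transaction_pick_server()` hunk no longer resetting `current_feature_level` when the server is unchanged, which deserves a comment at the decrement. The function body starts and ends outside the hunk, so the interaction with later validation is inferred rather than visible.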
@@ -25,3 +37,23 @@ debian/Add-env-variable-for-machine-ID-path.patch debian/Avoid-requiring-a-kvm-system-group.patch debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch +debian/Skip-starting-systemd-remount-fs.service-in-containers.patch +debian/Ubuntu-UseDomains-by-default.patch +debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch +debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch +debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch +debian/UBUNTU-drop-using-kvm-for-qemu-tests-as-this-current.patch +debian/UBUNTU-test-test-functions-drop-all-prefixes.patch +debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch +debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch +debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch +debian/UBUNTU-test-fs-utils-detect-container.patch +debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch +debian/UBUNTU-core-use-setreuid-setregid-trick-to-create-session-k.patch +debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch +debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch +debian/UBUNTU-Introduce-suspend-to-hibernate-8274.patch +debian/UBUNTU-shared-sleep-config-fix-unitialized-variable-and-use.patch +debian/UBUNTU-Rename-suspend-to-hibernate-to-suspend-then-hibernat.patch +debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch +debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch diff -Nru systemd-237/debian/patches/test-masked-unit-with-drop-ins.patch systemd-237/debian/patches/test-masked-unit-with-drop-ins.patch --- systemd-237/debian/patches/test-masked-unit-with-drop-ins.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/test-masked-unit-with-drop-ins.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,30 @@ +From: Filipe Brandenburger +Date: Thu, 1 Mar 2018 21:07:27 -0800 +Subject: test: masked unit with drop-ins + +(cherry picked from commit 67348e791dd0c546965e48cc091f1e8245b9260d) +--- + test/TEST-15-DROPIN/test-dropin.sh | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/test/TEST-15-DROPIN/test-dropin.sh b/test/TEST-15-DROPIN/test-dropin.sh +index 9d8af99..3819cad 100755 +--- a/test/TEST-15-DROPIN/test-dropin.sh ++++ b/test/TEST-15-DROPIN/test-dropin.sh +@@ -179,6 +179,16 @@ test_masked_dropins () { + ln -sf ../b.service /usr/lib/systemd/system/a.service.wants/b.service + check_ko a Wants b.service + ++ # 'a' is masked but has an override config file ++ echo "*** test a is masked but has an override" ++ create_services a b ++ ln -sf /dev/null /etc/systemd/system/a.service ++ cat >/usr/lib/systemd/system/a.service.d/override.conf < +Date: Wed, 14 Feb 2018 20:34:55 +0000 +Subject: test/test-functions: Debian/Ubuntu, now ship 95-dm-notify.rules, + copy it + +This fixes cryptsetup tests on recent Ubuntu/Debian systems (current +development series). 
+ +Bug-Launchpad: https://launchpad.net/bugs/1749432 +(cherry picked from commit 7e026ca51e48b5beb50fc7745b8678a101413d78) +--- + test/test-functions | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/test/test-functions b/test/test-functions +index 018bdca..ac3de81 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -314,7 +314,7 @@ install_dmevent() { + if [[ "$LOOKS_LIKE_DEBIAN" ]]; then + # dmsetup installs 55-dm and 60-persistent-storage-dm on Debian/Ubuntu + # see https://anonscm.debian.org/cgit/pkg-lvm/lvm2.git/tree/debian/patches/0007-udev.patch +- inst_rules 55-dm.rules 60-persistent-storage-dm.rules ++ inst_rules 55-dm.rules 60-persistent-storage-dm.rules 95-dm-notify.rules + else + inst_rules 10-dm.rules 13-dm-disk.rules 95-dm-notify.rules + fi diff -Nru systemd-237/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch systemd-237/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch --- systemd-237/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/test-test-functions-on-PP64-use-vmlinux.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,33 @@ +From: Dimitri John Ledkov +Date: Mon, 19 Feb 2018 20:47:41 +0000 +Subject: test/test-functions: on PP64 use vmlinux + +At least on Ubuntu, ppc64el uses vmlinux-, not vmlinuz. With this, it should be +possible to run qemu tests on ppc64el as part of Ubuntu autopkgtests. + +(cherry picked from commit a2ab2bdd5fcbd15c1f9daf4eb34c4dfb56c12e30) +--- + test/test-functions | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/test/test-functions b/test/test-functions +index ac3de81..87235e3 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -72,7 +72,15 @@ run_qemu() { + if [[ "$LOOKS_LIKE_ARCH" ]]; then + KERNEL_BIN=/boot/vmlinuz-linux + else +- KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER ++ [ "$ARCH" ] || ARCH=$(uname -m) ++ case $ARCH in ++ ppc64*) ++ KERNEL_BIN=/boot/vmlinux-$KERNEL_VER ++ ;; ++ *) ++ KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER ++ ;; ++ esac + fi + fi + diff -Nru systemd-237/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch systemd-237/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch --- systemd-237/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-237/debian/patches/test-test-functions-on-PPC64-use-hvc0-console.patch 2018-04-20 16:55:56.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Dimitri John Ledkov +Date: Tue, 20 Feb 2018 12:01:40 +0000 +Subject: test/test-functions: on PPC64 use hvc0 console + +(cherry picked from commit 47709db0687f27c4a1de0826f2330ae147db6e01) +--- + test/test-functions | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/test/test-functions b/test/test-functions +index 87235e3..22066d9 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -68,6 +68,8 @@ run_qemu() { + && KERNEL_BIN="$EFI_MOUNT/$MACHINE_ID/$KERNEL_VER/linux" + fi + ++ CONSOLE=ttyS0 ++ + if [[ ! "$KERNEL_BIN" ]]; then + if [[ "$LOOKS_LIKE_ARCH" ]]; then + KERNEL_BIN=/boot/vmlinuz-linux +@@ -76,6 +78,7 @@ run_qemu() { + case $ARCH in + ppc64*) + KERNEL_BIN=/boot/vmlinux-$KERNEL_VER ++ CONSOLE=hvc0 + ;; + *) + KERNEL_BIN=/boot/vmlinuz-$KERNEL_VER +@@ -127,7 +130,7 @@ root=/dev/sda1 \ + raid=noautodetect \ + loglevel=2 \ + init=$ROOTLIBDIR/systemd \ +-console=ttyS0 \ ++console=$CONSOLE \ + selinux=0 \ + $_cgroup_args \ + $KERNEL_APPEND \ diff -Nru systemd-237/debian/rules systemd-237/debian/rules --- systemd-237/debian/rules 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/rules 2018-04-20 16:55:56.000000000 +0000 @@ -197,7 +197,6 @@ rm -f debian/install/*/etc/init.d/README rm -rf debian/install/*/etc/rpm/ rm -rf debian/install/*/usr/lib/rpm/ - rm -f debian/install/*/usr/lib/sysctl.d/50-default.conf rm -f debian/install/*/etc/X11/xinit/xinitrc.d/50-systemd-user.sh rmdir -p --ignore-fail-on-non-empty debian/install/*/etc/X11/xinit/xinitrc.d/ rm -f debian/install/*/lib/systemd/system/halt-local.service 
@@ -255,6 +254,8 @@ install --mode=644 debian/extra/rules-ubuntu/*.rules debian/udev/lib/udev/rules.d/ cp -a debian/extra/units-ubuntu/* debian/systemd/lib/systemd/system/ install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/ + install -D --mode=755 debian/extra/write_persistent_net_s390x_virtio debian/udev/usr/share/systemd/write_persistent_net_s390x_virtio + install -D --mode=755 debian/extra/dhclient-enter-resolved-hook debian/systemd/etc/dhcp/dhclient-enter-hooks.d/resolved endif override_dh_installinit: diff -Nru systemd-237/debian/systemd.postinst systemd-237/debian/systemd.postinst --- systemd-237/debian/systemd.postinst 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/systemd.postinst 2018-04-20 16:55:56.000000000 +0000 @@ -39,6 +39,32 @@ systemctl enable systemd-timesyncd.service || true fi +# Enable resolved by default on new installs installs and upgrades +if dpkg --compare-versions "$2" lt "234-1ubuntu2~"; then + systemctl enable systemd-resolved.service || true +fi + +# Drop stock /etc/rc.local on upgrades +if dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then + if [ -f /etc/rc.local ]; then + if [ "10fd9f051accb6fd1f753f2d48371890" = "$(md5sum /etc/rc.local | cut -d\ -f1)" ]; then + echo Removing empty /etc/rc.local + rm -f /etc/rc.local || true + fi + fi +fi + +# Use stub resolve.conf by default on new installs +if [ -z "$2" ]; then + mkdir -p /run/systemd/resolve + if [ -e /etc/resolv.conf ]; then + cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf + fi + # If /etc/resolv.conf is a bind-mount, moving or replacing + # /etc/resolv.conf may fail + ln -snf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true +fi + # Enable ondemand by default on new installs installs and upgrades if [ -e /lib/systemd/system/ondemand.service ] && dpkg --compare-versions "$2" lt "231-7~"; then systemctl enable ondemand.service || true 
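Review bot: In the new-install block of the systemd.postinst hunk, `cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf` is the one step without a failure guard, and cp refuses to copy a file onto itself, for instance when /etc/resolv.conf is already a symlink to that stub file. If the script runs under `set -e`, which the hunk does not show, that aborts package configuration before the `ln -snf` line is reached; `cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf || true` would match the guards on the neighbouring `systemctl` and `ln` calls. The same applies to `systemd-tmpfiles --create --prefix /var/log/journal` in the `@@ -96,6 +122,15 @@` hunk. The added comments read "new installs installs and upgrades", where one "installs" should be dropped.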
@@ -96,6 +122,15 @@ # Setup system users and groups addgroup --quiet --system systemd-journal +# Enable persistent journal, in auto-mode, by default on new installs installs and upgrades +if dpkg --compare-versions "$2" lt "235-3ubuntu3~"; then + mkdir -p /var/log/journal + # create tmpfiles only when running systemd, otherwise %b substitution fails + if [ -d /run/systemd/system ]; then + systemd-tmpfiles --create --prefix /var/log/journal + fi +fi + adduser --quiet --system --group --no-create-home --home /run/systemd/netif \ --gecos "systemd Network Management" systemd-network adduser --quiet --system --group --no-create-home --home /run/systemd/resolve \ @@ -104,6 +139,13 @@ # Initial update of the Message Catalogs database _update_catalog +# Disable networkd when upgrading from broken versions 8..10. Turns out +# enabling networkd unconditionally has long boot time side-effects +if dpkg --compare-versions "$2" gt "234-2ubuntu8~" && + dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then + systemctl disable systemd-networkd-wait-online.service || true +fi + if [ -n "$2" ]; then _systemctl daemon-reexec || true # don't restart logind; this can be done again once this gets implemented: diff -Nru systemd-237/debian/systemd.prerm systemd-237/debian/systemd.prerm --- systemd-237/debian/systemd.prerm 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/systemd.prerm 1970-01-01 00:00:00.000000000 +0000 
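Review bot: The comment on the block added by the `@@ -104,6 +139,13 @@` hunk says "Disable networkd", but the command below it only disables `systemd-networkd-wait-online.service` and leaves systemd-networkd itself alone. I would reword it to `# Disable systemd-networkd-wait-online when upgrading from broken versions 8..10` so the comment matches what the maintainer script does. It would also help to state that the window is bounded by `gt "234-2ubuntu8~"` and `lt "234-2ubuntu11~"`, since "8..10" alone does not say which package version series is meant.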
@@ -1,15 +0,0 @@ -#! /bin/sh - -set -e - -# -# Prevent systemd from being removed if it's the active init. That -# will not work. -# - -if [ "$1" = "remove" ] && [ -d /run/systemd/system ]; then - echo "systemd is the active init system, please switch to another before removing systemd." - exit 1 -fi - -#DEBHELPER# diff -Nru systemd-237/debian/tests/boot-and-services systemd-237/debian/tests/boot-and-services --- systemd-237/debian/tests/boot-and-services 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/boot-and-services 2018-04-20 16:55:56.000000000 +0000 @@ -59,12 +59,13 @@ subprocess.call(['journalctl', '-b', '-u', f]) self.assertEqual(failed, []) - def test_lightdm(self): - out = subprocess.check_output(['ps', 'u', '-C', 'lightdm']) - self.assertIn(b'lightdm --session', out) + @unittest.skipUnless(subprocess.call(['which', 'gdm3'], stdout=subprocess.DEVNULL) == 0, 'gdm3 not found') + def test_gdm3(self): + out = subprocess.check_output(['ps', 'u', '-C', 'gdm-x-session']) + self.assertIn(b'gdm-x-session gnome-session', out) out = subprocess.check_output(['ps', 'u', '-C', 'Xorg']) - self.assertIn(b':0', out) - self.active_unit('lightdm') + self.assertIn(b'Xorg vt1', out) + self.active_unit('gdm') def test_dbus(self): out = subprocess.check_output( diff -Nru systemd-237/debian/tests/boot-smoke systemd-237/debian/tests/boot-smoke --- systemd-237/debian/tests/boot-smoke 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/boot-smoke 2018-04-20 16:55:56.000000000 +0000 
@@ -29,32 +29,59 @@ done fi else + ret=0 + + echo "waiting to boot..." + TIMEOUT=35 + while [ $TIMEOUT -ge 0 ]; do + state="$(systemctl is-system-running || true)" + case $state in + running|degraded) + break + ;; + *) + sleep 1 + TIMEOUT=$((TIMEOUT - 1)) + ;; + esac + done + echo "checking for failed unmounts for user systemd" JOURNAL=$(journalctl) if echo "$JOURNAL" | grep -E "systemd\[([2-9]|[1-9][0-9]+)\].*Failed unmounting"; then - exit 1 + ret=1 fi - echo "checking for connection timeouts" + echo "checking for connection timeouts (non fatal)" if echo "$JOURNAL" | grep "Connection timed out"; then - exit 1 + # systemd-udevd started to time out resolving group 'colord' + # yet, not reproducible locally, investigating + ret=0 fi echo "checking that polkitd runs" - pidof polkitd + if ! pidof polkitd; then + echo "polkitd is NOT running" + ret=1 + fi + + echo "checking failed jobs (non fatal)" + if [ "$state" != "running" ]; then + echo "systemctl is-system-running returns: $state" + systemctl --no-pager --no-legend list-jobs > $ADT_ARTIFACTS/running-jobs.txt || true + fi echo "checking that there are no running jobs" - TIMEOUT=10 - while [ $TIMEOUT -ge 0 ]; do - running="$(systemctl --no-pager --no-legend list-jobs || true)" - [ -n "$running" ] || break - TIMEOUT=$((TIMEOUT - 1)) - done + running="$(systemctl --no-pager --no-legend list-jobs || true)" if [ -n "$running" ]; then echo "running jobs after remaining timeout $TIMEOUT: $running" journalctl --sync journalctl -ab > $ADT_ARTIFACTS/journal.txt udevadm info --export-db > $ADT_ARTIFACTS/udevdb.txt - exit 1 + ret=1 + fi + + if [ "$ret" != "0" ]; then + exit $ret fi fi diff -Nru systemd-237/debian/tests/control systemd-237/debian/tests/control --- systemd-237/debian/tests/control 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/control 2018-04-20 16:55:56.000000000 +0000 
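Review bot: In the "connection timeouts (non fatal)" branch, `ret=0` clears a failure already recorded by the "Failed unmounting" check above it, so a boot that shows both symptoms gets past that point as if the unmount failure had not happened. The branch should leave `ret` alone, for example `: # non-fatal, keep ret from earlier checks`. The new redirect `> $ADT_ARTIFACTS/running-jobs.txt` is unquoted. The later message "running jobs after remaining timeout $TIMEOUT" now prints the boot-wait counter, which is -1 whenever that wait ran out. The enclosing `if` starts outside the hunk.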
@@ -1,5 +1,6 @@ Tests: timedated, hostnamed, localed-locale, localed-x11-keymap Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -7,6 +8,7 @@ Tests: logind Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -15,6 +17,7 @@ Tests: unit-config Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -25,6 +28,7 @@ Tests: storage Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -37,6 +41,7 @@ Tests: networkd-test.py Tests-Directory: test Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -51,6 +56,7 @@ Tests: build-login Depends: systemd, + udev, libpam-systemd, acl, locales, @@ -67,13 +73,14 @@ Tests: boot-and-services Depends: systemd-sysv, + systemd, + udev, systemd-container, systemd-coredump, libpam-systemd, xserver-xorg-video-dummy, xserver-xorg, - lightdm, - lightdm-gtk-greeter | lightdm-greeter, + gdm3 [!s390x], cron, network-manager, busybox-static, @@ -84,6 +91,7 @@ Tests: udev Depends: systemd-tests, + udev, tree, perl, xz-utils, @@ -91,6 +99,7 @@ Tests: root-unittests Depends: systemd-tests, + udev, tree, perl, xz-utils, @@ -115,7 +124,9 @@ isc-dhcp-client, iputils-ping, strace, - qemu-system-x86 [amd64], + qemu-system-x86 [amd64 i386], + qemu-system-arm [arm64 armhf], + qemu-system-s390x [s390x], less, pkg-config, gcc, @@ -152,9 +163,11 @@ systemd-journal-remote, systemd-container, systemd-sysv, + systemd, + udev, network-manager, policykit-1, - lightdm, + gdm3 [!s390x], xserver-xorg-video-dummy, Restrictions: needs-recommends, needs-root, isolation-container, allow-stderr, breaks-testbed diff -Nru systemd-237/debian/tests/root-unittests systemd-237/debian/tests/root-unittests --- systemd-237/debian/tests/root-unittests 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/root-unittests 2018-04-20 16:55:56.000000000 +0000 
@@ -9,6 +9,15 @@ test-catalog " +# test-execute fail on armhf and are currently executed on arm64 kernels. +# https://github.com/systemd/systemd/issues/5851 +arch=$(dpkg --print-architecture) +if [ "$arch" = "armhf" ]; then + EXFAIL="$EXFAIL +test-execute +" +fi + res=0 for t in /usr/lib/systemd/tests/test-*; do tname=$(basename $t) diff -Nru systemd-237/debian/tests/systemd-fsckd systemd-237/debian/tests/systemd-fsckd --- systemd-237/debian/tests/systemd-fsckd 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/systemd-fsckd 2018-04-20 16:55:56.000000000 +0000 @@ -7,6 +7,7 @@ import inspect import fileinput import os +import platform import subprocess import shutil import stat @@ -44,6 +45,7 @@ # ensure we have our root fsck enabled by default (it detects it runs in a vm and doesn't pull the target) # note that it can already exists in case of a reboot (as there was no tearDown as we wanted) os.makedirs(os.path.dirname(SYSTEMD_FSCK_ROOT_ENABLE_PATH), exist_ok=True) + os.makedirs('/var/log/journal', exist_ok=True) with suppress(FileExistsError): os.symlink(SYSTEMD_FSCK_ROOT_PATH, SYSTEMD_FSCK_ROOT_ENABLE_PATH) enable_plymouth() @@ -96,7 +98,10 @@ self.assertFsckdStop() self.assertWasRunning('process-killer') self.assertFalse(self.is_failed_unit('process-killer')) - self.assertFsckProceeded() + self.assertWasRunning('systemd-fsckd') + self.assertFalse(self.is_failed_unit('systemd-fsckd')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) + self.assertWasRunning('plymouth-start') self.assertSystemRunning() def test_systemd_fsck_with_failure(self): 
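Review bot: In the `@@ -96,7 +98,10 @@` hunk, the lines replacing `assertFsckProceeded()` now assert that `systemd-fsck-root` is a failed unit, and nothing in the test says why a failed root fsck is the expected outcome. The same flip from `assertFalse` to `assertTrue` appears in the following hunk (`@@ -120,11 +125,12 @@`). A comment above the assertion would stop a later reader from "fixing" it back, for example `# fsck-root is expected to end up failed in this scenario` plus the reason or bug reference, with wording confirmed by the author. The test method starts outside the hunk.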
@@ -120,11 +125,12 @@ else: self.assertFsckdStop() self.assertProcessKilled() - self.assertFalse(self.is_failed_unit('systemd-fsck-root')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) self.assertTrue(self.is_failed_unit('systemd-fsckd')) self.assertWasRunning('plymouth-start') self.assertSystemRunning() + @unittest.expectedFailure def test_systemd_fsck_with_plymouth_failure(self): '''Ensure that a failing plymouth doesn't prevent fsckd to reconnect/exit''' if not self._after_reboot: @@ -219,7 +225,7 @@ subprocess.check_call(['systemctl', 'enable', 'process-killer'], stderr=subprocess.DEVNULL) -def enable_plymouth(enable=True): +def enable_plymouth_grub(enable=True): '''ensure plymouth is enabled in grub config (doesn't reboot)''' plymouth_enabled = 'splash' in open('/boot/grub/grub.cfg').read() if enable and not plymouth_enabled: @@ -238,6 +244,23 @@ subprocess.check_call(['update-grub'], stderr=subprocess.DEVNULL) +def enable_plymouth_zipl(enable=True, ziplconf='/etc/zipl.conf'): + '''ensure plymouth is enabled in zipl config (doesn't reboot)''' + plymouth_enabled = 'splash' in open(ziplconf).read() + if enable and not plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/^\(parameters.*\)/\\1 splash quiet/', ziplconf], stderr=subprocess.DEVNULL) + elif not enable and plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/ splash quiet//g', ziplconf], stderr=subprocess.DEVNULL) + subprocess.check_call(['zipl'], stderr=subprocess.DEVNULL) + + +def enable_plymouth(enable=True): + if platform.processor() == 's390x': + enable_plymouth_zipl(enable) + else: + enable_plymouth_grub(enable) + + def boot_with_systemd_distro(): '''Reboot with systemd as init and distro setup for grub''' enable_plymouth() diff -Nru systemd-237/debian/tests/upstream systemd-237/debian/tests/upstream --- systemd-237/debian/tests/upstream 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/tests/upstream 2018-04-20 16:55:56.000000000 +0000 
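Review bot: `@unittest.expectedFailure` is added to `test_systemd_fsck_with_plymouth_failure` without a reason. An expected-failure test that starts passing is reported as an unexpected success, so whoever hits that needs to know whether to drop the marker or investigate. A comment directly above the decorator would cover it, for example `# expected to fail: REASON (bug link); remove once fixed`.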
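Review bot: `enable_plymouth` chooses the zipl path with `platform.processor() == 's390x'`, but `platform.processor()` may return an empty string or a value other than the machine type on some systems. An s390x host would then fall through to the grub branch and try to open /boot/grub/grub.cfg. `platform.machine()` is the usual test: `if platform.machine() == 's390x':`. In `enable_plymouth_zipl` the sed expression is a normal string that relies on `\(` being an unrecognised escape; the raw string `r's/^\(parameters.*\)/\1 splash quiet/'` expresses the same pattern without that. `enable_plymouth` is also left without a docstring, while both helpers have one.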
@@ -5,7 +5,7 @@ # even after installing policycoreutils this fails with # "Failed to install /usr/libexec/selinux/hll/pp" -BLACKLIST="TEST-06-SELINUX" +BLACKLIST="TEST-06-SELINUX TEST-16-EXTEND-TIMEOUT" # quiesce Makefile.guess; not really relevant as systemd/nspawn run from # installed packages @@ -22,19 +22,26 @@ # adjust path sed -i 's_/usr/libexec/selinux/hll/pp_/usr/lib/selinux/hll/pp_' test/TEST-06-SELINUX/test.sh +FAILED="" + for t in test/TEST*; do echo "$BLACKLIST" | grep -q "$(basename $t)" && continue echo "========== `basename $t` ==========" rm -rf /var/tmp/systemd-test.* if ! make -C $t clean setup run; then - for j in /var/tmp/systemd-test.*/journal/*; do + for j in /var/tmp/systemd-test.*/journal/*/system.journal; do [ -e "$j" ] || continue # keep the entire journal in artifacts, in case one needs the debug messages - cp "$j" "$AUTOPKGTEST_ARTIFACTS/$(basename $t)-$(basename $j)" + cp "$j" "$AUTOPKGTEST_ARTIFACTS/$(basename $t)-$(basename $(dirname $j))" echo "---- $j ----" - journalctl --priority=warning --directory=$j + journalctl --priority=warning --file=$j done - exit 1 + FAILED="$FAILED $t" fi echo done + +if [ -n "$FAILED" ]; then + echo FAILED TESTS: "$FAILED" + exit 1 +fi diff -Nru systemd-237/debian/udev-udeb.install systemd-237/debian/udev-udeb.install --- systemd-237/debian/udev-udeb.install 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/udev-udeb.install 2018-04-20 16:55:56.000000000 +0000 @@ -18,3 +18,4 @@ ../../extra/rules/73-special-net-names.rules lib/udev/rules.d/ ../../extra/rules/73-usb-net-by-mac.rules lib/udev/rules.d/ ../../extra/start-udev lib/debian-installer/ +../../extra/modprobe.d-udeb/scsi-mod-scan-sync.conf lib/modprobe.d/ diff -Nru systemd-237/debian/udev.postinst systemd-237/debian/udev.postinst --- systemd-237/debian/udev.postinst 2018-02-14 22:07:17.000000000 +0000 +++ systemd-237/debian/udev.postinst 2018-04-20 16:55:56.000000000 +0000 
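Review bot: `TEST-16-EXTEND-TIMEOUT` is added to `BLACKLIST` under a comment that only explains the SELinux failure, so the reason for skipping it is not recorded anywhere in the script. A line above the assignment would fix that, for example `# TEST-16-EXTEND-TIMEOUT: REASON (bug link)`.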
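Review bot: The new artifact lines in the `@@ -22,19 +22,26 @@` hunk expand `$t` and `$j` unquoted in `$(basename $t)`, `$(basename $(dirname $j))` and `--file=$j`. Those paths come from a glob under /var/tmp, a directory shared with other users, so a name containing whitespace or glob characters would be word-split. Quoting avoids that: `journalctl --priority=warning --file="$j"` and `"$(basename "$(dirname "$j")")"`. The script runs on even when `$AUTOPKGTEST_ARTIFACTS` is empty, in which case the `cp` target resolves under `/`; a guard near the top such as `: "${AUTOPKGTEST_ARTIFACTS:?}"` would stop that early.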
@@ -85,6 +85,14 @@ NamePolicy=onboard kernel EOF fi + + # 232-20 (232-21ubuntu3 in ubuntu) introduced predicable interface names on + # s390x for virtio However, we should preserve ethX names on upgrade. + if [ -x /usr/share/systemd/write_persistent_net_s390x_virtio ]; then + if dpkg --compare-versions "$2" lt-nl "232-21ubuntu3~"; then + /usr/share/systemd/write_persistent_net_s390x_virtio || true + fi + fi } update_hwdb() {
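Review bot: The added block reads `"$2"` inside a function, so it sees that function's second argument rather than the maintainer script's. The closing `}` follows the block and the function header is outside the hunk. If the call site does not forward `"$@"`, `"$2"` is empty, `lt-nl` treats the empty version as later, and the helper silently never runs on upgrade. Separately, `|| true` discards a failure of `write_persistent_net_s390x_virtio`, after which the interface would be renamed at next boot with nothing in the upgrade output. `|| echo "udev: could not preserve ethX names for virtio" >&2` keeps the upgrade going but leaves a trace.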