diffstat of debian/ for systemd_239-7 systemd_239-7ubuntu10 changelog | 937 ++++++++++ control | 15 extra/dhclient-enter-resolved-hook | 72 extra/modprobe.d-udeb/scsi-mod-scan-sync.conf | 4 extra/start-udev | 6 extra/units/systemd-resolved.service.d/resolvconf.conf | 8 gbp.conf | 2 libnss-resolve.postrm | 4 patches/Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch | 239 ++ patches/Networkd-Start-DHCP-server-when-link-is-up.patch | 24 patches/Re-add-uaccess-tag-for-dev-kvm.patch | 30 patches/build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch | 105 + patches/core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch | 27 patches/core-execute-environment_generators-with-manager-s-enviro.patch | 22 patches/core-execute-generators-with-manager-s-environmnet.patch | 22 patches/core-fix-gid-when-DynamicUser-yes-with-static-User.patch | 38 patches/core-job-add-check-for-return-of-job_type_merge_and_colla.patch | 27 patches/cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch | 34 patches/cryptsetup-add-support-for-sector-size-option-8881.patch | 113 + patches/debian/Re-enable-journal-forwarding-to-syslog.patch | 4 patches/debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch | 2 patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch | 28 patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch | 47 patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch | 27 patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch | 28 patches/debian/UBUNTU-Support-system-image-read-only-etc.patch | 84 patches/debian/UBUNTU-bump-selftest-timeouts.patch | 93 patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch | 44 patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch | 22 patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch | 66 
patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch | 50 patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch | 40 patches/debian/UBUNTU-revert-networkd-unify-set-MTU.patch | 80 patches/debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch | 37 patches/debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch | 31 patches/debian/UBUNTU-test-fs-utils-detect-container.patch | 33 patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch | 26 patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch | 23 patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch | 45 patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch | 23 patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch | 38 patches/debian/UBUNTU-units-disable-journald-watchdog.patch | 22 patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch | 42 patches/debian/Ubuntu-UseDomains-by-default.patch | 75 patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch | 39 patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch | 22 patches/debian/Use-Debian-specific-config-files.patch | 8 patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch | 4 patches/exec-util-in-execute_directories-support-initial-exec-env.patch | 229 ++ patches/journald-fixed-assertion-failure-when-system-journal-rota.patch | 25 patches/journald-free-the-allocated-memory-before-returning-from-.patch | 25 patches/journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch | 27 patches/man-Document-networkd-states-in-networkctl-1-10033.patch | 107 + patches/meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch | 72 patches/network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch | 62 patches/network-add-missing-sd_netlink_unref.patch | 21 
patches/network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch | 48 patches/network-free-routes-assigned-to-link.patch | 35 patches/network-simplify-link_free.patch | 32 patches/networkd-fix-overflow-check.patch | 62 patches/resolvconf-fixes-for-the-compatibility-interface.patch | 59 patches/resolve-dns_scope_network_good-does-not-returns-negative-.patch | 25 patches/resolve-do-not-compress-target-names-in-SRV-records.patch | 26 patches/resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch | 33 patches/resolve-fix-error-handling-of-dns_name_is_valid.patch | 37 patches/resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch | 44 patches/resolve-reduce-number-of-conversions-between-ifname-and-i.patch | 704 +++++++ patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch | 74 patches/resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch | 33 patches/series | 61 patches/syslog-fix-segfault-in-syslog_parse_priority.patch | 105 + patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch | 33 patches/timedate-defer-the-property-changed-signal-until-job-of-s.patch | 177 + patches/timedate-increment-reference-count-of-sd_bus_message.patch | 64 patches/umount-Don-t-use-options-from-fstab-on-remount.patch | 77 rules | 8 systemd.postinst | 48 systemd.postrm | 1 systemd.prerm | 15 tests/boot-and-services | 21 tests/boot-smoke | 49 tests/control | 21 tests/systemd-fsckd | 33 tests/upstream | 2 udev-udeb.install | 1 85 files changed, 5174 insertions(+), 134 deletions(-) diff -Nru systemd-239/debian/changelog systemd-239/debian/changelog --- systemd-239/debian/changelog 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/changelog 2018-10-04 14:58:51.000000000 +0000 
@@ -1,3 +1,160 @@ +systemd (239-7ubuntu10) cosmic; urgency=medium + + * units: Disable journald Watchdog (LP: #1773148) + * Add conflicts with upstart and systemd-shim. (LP: #1773859) + + -- Dimitri John Ledkov Thu, 04 Oct 2018 15:58:51 +0100 + +systemd (239-7ubuntu9) cosmic; urgency=medium + + * core: export environment when running generators. + Ensure that manager's environment (including e.g. PATH) is exported when + running generators. Otherwise, one is at a mercy of running without PATH which + can lead to buggy generator behaviour. (LP: #1771858) + + -- Dimitri John Ledkov Wed, 26 Sep 2018 11:01:58 +0100 + +systemd (239-7ubuntu8) cosmic; urgency=medium + + [ Dimitri John Ledkov ] + * Cherrypick many bugfixes from master. + * systemctl: correctly proceed to immediate shutdown if scheduling fails + (LP: #1670291) + + [ Julian Andres Klode ] + * Improve networkd states documentation. + + -- Dimitri John Ledkov Wed, 12 Sep 2018 16:03:08 +0100 + +systemd (239-7ubuntu7) cosmic; urgency=medium + + * boot-and-services: skip gdm test, when gdm-x-session fails. + Across all architectures, gdm fails to come up reliably since cosmic. + (LP: #1790478) + + -- Dimitri John Ledkov Mon, 03 Sep 2018 16:33:00 +0100 + +systemd (239-7ubuntu6) cosmic; urgency=medium + + [ Dimitri John Ledkov ] + * debian/control: strengthen dependencies. + Make systemd-sysv depend on matching version of systemd. Autopkgtests at times + upgrade systemd-sysv without upgrading systemd. However, upgrading systemd-sysv + alone makes little sense. + Make systemd conflict, rather than just break, systemd-shim. As there are + upgrade failures cause by systemd-shim presence whilst upgrading to new + systemd. + * Correct gdm3 exclution on arm64, in boot-and-services test. + + [ Christian Ehrhardt ] + * Improve autopkgtest success rate, by bumping up timeouts. 
(LP: #1789841) + + -- Dimitri John Ledkov Fri, 31 Aug 2018 14:17:54 +0100 + +systemd (239-7ubuntu5) cosmic; urgency=medium + + [ Michael Biebl ] + * Clean up dbus-org.freedesktop.timesync1.service Alias on purge + (Closes: #904290) + + [ Martin Pitt ] + * timedated: Fix wrong PropertyChanged values and refcounting + + [ Dimitri John Ledkov ] + * autopkgtest: drop gdm3 on arm64 as well. + The cloud instances are configured without a graphics card, and thus X fails to + start, hence the gdm test fails. + * Revert "Workaround broken meson copying symlinked data files, as dangling symlinks." + This reverts commit 059bfb5349123fabc8c92324e0473193f01fc87c. + * Cherrypick v239-stable patches. + * cryptsetup: add support for sector-size= option (LP: #1776626) + * Cherrypick upstrem patches to fix ftbfs with new glibc. + + [ Michael Vogt ] + * Re-add support for /etc/writable for core18. (LP: #1778936) + + -- Dimitri John Ledkov Tue, 28 Aug 2018 17:35:51 +0100 + +systemd (239-7ubuntu4) cosmic; urgency=medium + + * Workaround broken meson copying symlinked data files, as dangling symlinks. + + -- Dimitri John Ledkov Wed, 22 Aug 2018 14:11:35 +0100 + +systemd (239-7ubuntu3) cosmic; urgency=medium + + * Revert "networkd: Unify set MTU" + This reverts commit 44b598a1c9d11c23420a5ef45ff11bcb0ed195eb due to regression + of ignoring LinkLocalAddressing=no. + Bug-Upstream: https://github.com/systemd/systemd/issues/9890 + + -- Dimitri John Ledkov Tue, 21 Aug 2018 21:51:31 +0100 + +systemd (239-7ubuntu2) cosmic; urgency=medium + + * test-sleep: skip test_fiemap upon inapproriate ioctl for device. + On v4.4 kernels, on top of btrfs ephemeral lxd v3.0 containers generate this + other error code, instead of not supported. Skip the test for both error codes. + + -- Dimitri John Ledkov Fri, 03 Aug 2018 16:49:10 +0100 + +systemd (239-7ubuntu1) cosmic; urgency=medium + + Merged from Debian Unstable, remaining changes are: + + * Set UseDomains to true, by default, on Ubuntu. 
+ * Enable systemd-resolved by default. + * postinst: Create /etc/resolv.conf at postinst, pointing at the stub + resolver. + * postinst: drop empty/stock /etc/rc.local. + * postinst: enable persistent journal. + * Drop systemd.prerm safety check. + * Ship systemd sysctl settings. + * libnss-resolve: do not disable and stop systemd-resolved. + * boot-smoke: refactor ADT test. + * Fix test-functions failing with Ubuntu units. + * units: set ConditionVirtualization=!private-users on journald audit socket. + * units: drop resolvconf.conf drop-in, resolved integration moved to + resolvconf package. + * debian/tests: Switch to gdm3, enforce udev upgrade. + * Ubuntu/extra: ship dhclient-enter hook. + * Ignore failures to set Nice priority on services in containers. + * systemd-fsckd: Fix ADT tests to work on s390x too. + * Disable LLMNR and MulticastDNS by default. + * Enable qemu tests on most architectures. + * debian/tests/systemd-fsckd: update assertions expectations for v237. + * test/test-fs-util: detect container, in addition to root. + * test/test-functions: launch qemu-system with -vga none. + * Blacklist TEST-16-EXTEND-TIMEOUT. + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * wait-online: do not wait, if no links are managed (neither configured, or + failed). + * journald.service: set Nice=-1 to dodge watchdog on soft lockups. + * Workaround captive portals not responding to EDNS0 queries. + * resolved: Listen on both TCP and UDP by default. + * Recommend networkd-dispatcher + * networkd: if RA was implicit, do not await ndisc_configured. + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. + * Skip starting systemd-remount-fs.service in containers. + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file. 
+ * Disable dh_installinit generation of tmpfiles for the systemd package. + Replace with a manual safe call to systemd-tmpfiles which will process any + updates to the tmpfiles shipped by systemd package, taking into account any + overrides shipped by other packages, sysadmin, or specified in the runtime + directories. (LP: #1748147) + * Enable EFI/bootctl on armhf. + * boot-and-services: stderr is ok, for status command on the c1 container. + * Skip systemd-fsckd on arm64, because of broken/lack of clean shutdown. + * adt: boot-and-services: assert any kernel syslog messages. + * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin to the + kernel (we previously only set it in modprobe.d) LP: #1779815 + * units: conditionalize more units to not start in containers. + * tests: conditionalize more unit tests to pass in LXD container. + + -- Dimitri John Ledkov Thu, 26 Jul 2018 16:26:22 +0100 + systemd (239-7) unstable; urgency=medium * autopkgtest: Add iputils-ping dependency to root-unittests. 
@@ -156,6 +313,83 @@ -- Michael Biebl Sat, 23 Jun 2018 00:18:08 +0200 +systemd (238-5ubuntu3) cosmic; urgency=medium + + * debian/extra/start-udev: Set scsi_mod scan=sync even if it's builtin + to the kernel (we previously only set it in modprobe.d) LP: #1779815 + + -- Adam Conrad Fri, 20 Jul 2018 11:13:58 -0600 + +systemd (238-5ubuntu2) cosmic; urgency=medium + + * Disable dh_installinit generation of tmpfiles for the systemd package. + Replace with a manual safe call to systemd-tmpfiles which will process any + updates to the tmpfiles shipped by systemd package, taking into account any + overrides shipped by other packages, sysadmin, or specified in the runtime + directories. (LP: #1748147) + * Re-cherrypick keyring setreuid/setregid tricks, as that was merged post-v238. + * Enable EFI/bootctl on armhf. + * boot-and-services: stderr is ok, for status command on the c1 container. + systemctl may print warnings on the stderr when checking the status of + completed units. This should not, overall fail the autopkgtest run. + + -- Dimitri John Ledkov 🌈 Tue, 26 Jun 2018 10:55:51 +0100 + +systemd (238-5ubuntu1) cosmic; urgency=medium + + Merged from Debian Unstable, remaining changes are: + + * Set UseDomains to true, by default, on Ubuntu. + * Enable systemd-resolved by default. + * postinst: Create /etc/resolv.conf at postinst, pointing at the stub + resolver. + * postinst: drop empty/stock /etc/rc.local. + * postinst: enable persistent journal. + * Drop systemd.prerm safety check. + * Ship systemd sysctl settings. + * libnss-resolve: do not disable and stop systemd-resolved. + * boot-smoke: refactor ADT test. + * Fix test-functions failing with Ubuntu units. + * units: set ConditionVirtualization=!private-users on journald audit socket. + * units: drop resolvconf.conf drop-in, resolved integration moved to + resolvconf package. + * debian/tests: Switch to gdm3, enforce udev upgrade. + * Ubuntu/extra: ship dhclient-enter hook. 
+ * Ignore failures to set Nice priority on services in containers. + * tests: Do not use nested kvm during ADT tests. + * systemd-fsckd: Fix ADT tests to work on s390x too. + * Disable LLMNR and MulticastDNS by default. + * Enable qemu tests on most architectures. + * debian/tests/systemd-fsckd: update assertions expectations for v237. + * test/test-fs-util: detect container, in addition to root. + * test/test-functions: launch qemu-system with -vga none. + * Blacklist TEST-16-EXTEND-TIMEOUT. + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * wait-online: do not wait, if no links are managed (neither configured, or + failed). + * journald.service: set Nice=-1 to dodge watchdog on soft lockups. + * Workaround captive portals not responding to EDNS0 queries. + * resolved: Listen on both TCP and UDP by default. + * Recommend networkd-dispatcher + * networkd: if RA was implicit, do not await ndisc_configured. + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. + * Skip starting systemd-remount-fs.service in containers. + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file. + + * Apply systemd-stable/v238-stable patches. + + * Cherrypick feature to hibernate with disk offsets. + + * Remove dropped patches + * Drop merged keyring patch + * Drop write_persistent_net_s390x_virtio, as an LTS release was made. + * Revert debian/tests/upstream to be more like Debian's. + * Do not skip test-execute anymore, should be fixed on armhf now. + + -- Dimitri John Ledkov Wed, 30 May 2018 14:30:45 +0100 + systemd (238-5) unstable; urgency=medium [ Evgeny Vereshchagin ] 
@@ -281,6 +515,138 @@ -- Michael Biebl Wed, 28 Feb 2018 19:18:34 +0100 +systemd (237-3ubuntu11) cosmic; urgency=medium + + [ Dimitri John Ledkov ] + * hwdb: Fix wlan/rfkill keycode on Dell systems. (LP: #1762385) + * Cherrypick upstream fix for corrected detection of Virtualbox & Xen. + (LP: #1768104) + * Further improve captive portal workarounds. + Retry any NXDOMAIN results with lower feature levels, instead of just those + with 'secure' in the domain name. (LP: #1766969) + * Bump gbp.conf to cosmic + + [ Michael Biebl ] + * Add dependencies of libsystemd-shared to Pre-Depends. + This is necessary so systemctl is functional at all times during a + dist-upgrade. (Closes: #897986) (LP: #1771791) + * basic/macros: Rename noreturn into _noreturn_ + "noreturn" is reserved and can be used in other header files we include. + (Closes: #893426) + + [ Mario Limonciello ] + * Fix hibernate disk offsets. + Configure resume offset via sysfs, to enable resume from a swapfile. + (LP: #1760106) + + [ Felipe Sateler ] + * Don't include libmount.h in a header file. + Kernel and glibc headers both use MS_* constants, but are not in sync, so + only one of them can be used at a time. Thus, only import them where needed + Works around #898743 + + -- Dimitri John Ledkov Sat, 19 May 2018 00:35:30 +0100 + +systemd (237-3ubuntu10) bionic; urgency=medium + + * Create tmpfiles for persistent journal in postinst only when running + systemd (LP: #1748659) + + -- Balint Reczey Fri, 20 Apr 2018 18:55:56 +0200 + +systemd (237-3ubuntu9) bionic; urgency=medium + + * networkd: if RA was implicit, do not await ndisc_configured. + If RA was iplicit, meaning not otherwise requested, and a kernel default was in + use. Do not prevent link entering configured state, whilst ndisc configuration + is pending. Implicit kernel RA, is expected to be asynchronous and + non-blocking. (LP: #1765173) + * udev-udeb: ship modprobe.d snippet to force scsi_mod.scan=sync in d-i. 
+ This ensures that all scans are completed, before installer reaches + partitioning stage. (LP: #1751813) + + -- Dimitri John Ledkov Fri, 20 Apr 2018 04:35:33 +0100 + +systemd (237-3ubuntu8) bionic; urgency=medium + + * Workaround captive portals not responding to EDNS0 queries (DVE-2018-0001). + (LP: #1727237) + * resolved: Listen on both TCP and UDP by default. (LP: #1731522) + * Recommend networkd-dispatcher (LP: #1762386) + * Refresh patches + + -- Dimitri John Ledkov Thu, 12 Apr 2018 12:12:24 +0100 + +systemd (237-3ubuntu7) bionic; urgency=medium + + * Introduce suspend then hibernate (LP: #1756006) + + -- Mario Limonciello Mon, 02 Apr 2018 14:25:04 -0500 + +systemd (237-3ubuntu6) bionic; urgency=medium + + * Adjust the new dropin test, for v237 systemd. + * Refresh the keyring patch, to the one merged. + + -- Dimitri John Ledkov Tue, 27 Mar 2018 13:40:09 +0100 + +systemd (237-3ubuntu5) bionic; urgency=medium + + * Drop old keyring/invocation_id patch, which made keyring setup be skipped in containers. + * Use new patch, which sets up session keyring without relying on chown operation. + * Drop systemd.prerm safety check. + On Ubuntu, systemd is the only choice, and is essential, via init -> + systemd-sysv -> systemd dependency chain, thus removing systemd is already + quite hard, and appropriate warnings are emitted by dpkg. (LP: #1758438) + * Detect Masked unit with drop-ins. (LP: #1752722) + * wait-online: do not wait, if no links are managed (neither configured, or failed). + (LP: #1728181) + * journald.service: set Nice=-1 to dodge watchdog on soft lockups. + (LP: #1696970) + * Refresh all patches. + + -- Dimitri John Ledkov Mon, 26 Mar 2018 15:55:25 +0100 + +systemd (237-3ubuntu4) bionic; urgency=medium + + * systemd-sysv-install: fix name initialisation. + Only initialise NAME, after --root optional argument has been parsed, otherwise + NAME is initialized to e.g. `enable', instead of to the `unit-name`, resulting + in failures. 
(LP: #1752882) + + -- Dimitri John Ledkov Mon, 05 Mar 2018 09:57:58 +0100 + +systemd (237-3ubuntu3) bionic; urgency=medium + + * tests/control: drop qemu-system-ppc. + Whilst some tests pass, many regress / fail to boot. This is not a regression, + as qemu-based tests were not run previously. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 17:40:02 +0000 + +systemd (237-3ubuntu2) bionic; urgency=medium + + * tests/boot-smoke: ignore udevd connection timeouts resolving colord group. + * tests/systemd-fsckd: ignore systemd_fsck_with_plymouth_failure. + * tests/control: ensure boot-smoke uses latest systemd & udev. + * test/test-functions: on PPC64 use hvc0 console. + + -- Dimitri John Ledkov Tue, 20 Feb 2018 12:03:14 +0000 + +systemd (237-3ubuntu1) bionic; urgency=medium + + [ Gunnar Hjalmarsson ] + * Fix PO template creation. + Cherry-pick upstream patches to build a correct systemd.pot including + the polkit policy files even without policykit-1 being installed. + (LP: #1707898) + + [ Dimitri John Ledkov ] + * Blacklist TEST-16-EXTEND-TIMEOUT + * test/test-functions: use vmlinux for ppc64 tests. + + -- Dimitri John Ledkov Mon, 19 Feb 2018 21:15:23 +0000 + systemd (237-3) unstable; urgency=medium [ Martin Pitt ] 
@@ -303,6 +669,52 @@ -- Michael Biebl Wed, 14 Feb 2018 23:07:17 +0100 +systemd (237-2ubuntu3) bionic; urgency=medium + + * test/test-fs-util: detect container, in addition to root. + On armhf, during autopkgtests, whilst root is avilable, full capabilities in + parent namespace are not, since the tests are run in an LXD container. + This should resolve armhf autopkgtest failure. + * test/test-functions: launch qemu-system with -vga none. + Should resolve booting qemu-system-ppc64 without seabios. + * tests/upstream: skip parts of extend time out tests, regressed. + (LP: #1750364) + + -- Dimitri John Ledkov Mon, 19 Feb 2018 13:32:07 +0000 + +systemd (237-2ubuntu2) bionic; urgency=medium + + * Fix cryptsetup tests by shipping 95-dm-notify udev rule. (LP: #1749432) + * debian/tests/systemd-fsckd: update assertions expectations for v237 + fsck got rewritten to use "safe_fork" and whilst previously it would ignore the + error, when fsck is terminated by signal PIPE, it no longer does so. Thus one + should expect systemd-fsck-root.service to have failed in certain test cases. + + -- Dimitri John Ledkov Thu, 15 Feb 2018 00:32:54 +0000 + +systemd (237-2ubuntu1) bionic; urgency=medium + + [ Michael Vogt ] + * Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file + (LP: #1749000) + + [ Martin Pitt ] + * debian/tests/boot-smoke: More robust journal checking. + Also fail the test if calling journalctl fails, and avoid calling it + twice. See https://github.com/systemd/systemd/pull/8032 + + [ Gunnar Hjalmarsson ] + * Fix creation of translation template + - State the gettext package domain "systemd" explicitly, as with the + move to meson it ended up as "untitled.pot" + - Call xgettext to extract strings from polkit *.policy.in files, which + intltool-update ignores. 
(LP: #1707898) + + [ Dimitri John Ledkov ] + * Enable qemu tests on all architectures LP: #1749540 + + -- Dimitri John Ledkov Wed, 14 Feb 2018 16:43:12 +0000 + systemd (237-2) unstable; urgency=medium * Drop debian/extra/rules/70-debian-uaccess.rules. 
@@ -315,6 +727,47 @@ -- Michael Biebl Fri, 09 Feb 2018 23:35:31 +0100 +systemd (237-1ubuntu3) bionic; urgency=medium + + * Re-enable gnu-efi on arm64, binutils is fixed + * Cherrpick PR8133 to resolve too strict PidFile handling, which breaks + services starting with potentially insecure pidfiles e.g. munin + * Disable LLMNR and MulticastDNS by default LP: #1739672 + + -- Dimitri John Ledkov Fri, 09 Feb 2018 15:49:01 +0000 + +systemd (237-1ubuntu2) bionic; urgency=medium + + * Disable gnu-efi on arm64, due to FTBFS. LP: #1746765 + + -- Dimitri John Ledkov Fri, 02 Feb 2018 23:30:05 +0000 + +systemd (237-1ubuntu1) bionic; urgency=medium + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - Use stub-resolv.conf as the default provider of /etc/resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remount fs in containers, for non-degrated boot + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + - Do not use nested kvm during ADT tests + - Fix ADT systemd-fsckd tests to work on s390x too + - Enable persistent journal by default + + -- Dimitri John Ledkov Tue, 30 Jan 2018 13:52:27 +0000 + systemd (237-1) unstable; urgency=medium * New upstream version 237 
@@ -423,6 +876,51 @@ -- Michael Biebl Sun, 17 Dec 2017 21:45:51 +0100 +systemd (235-3ubuntu3) bionic; urgency=medium + + * netwokrd: add support for RequiredForOnline stanza. (LP: #1737570) + * resolved.service: set DefaultDependencies=no (LP: #1734167) + * systemd.postinst: enable persistent journal. (LP: #1618188) + * core: add support for non-writable unified cgroup hierarchy for container support. + (LP: #1734410) + + -- Dimitri John Ledkov Tue, 12 Dec 2017 13:25:32 +0000 + +systemd (235-3ubuntu2) bionic; urgency=medium + + * systemd-fsckd: Fix ADT tests to work on s390x too. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 16:41:15 +0000 + +systemd (235-3ubuntu1) bionic; urgency=medium + + * Merge 235-3 from debian: + - Drop UBUNTU-CVE-2017-15908 included in Debian. + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + - Cherry-pick a few testsuite fixes + + * UBUNTU Do not use nested kvm during ADT tests. + + -- Dimitri John Ledkov Tue, 21 Nov 2017 09:34:14 +0000 + systemd (235-3) unstable; urgency=medium [ Michael Biebl ] 
@@ -463,6 +961,63 @@ -- Martin Pitt Wed, 15 Nov 2017 09:34:00 +0100 +systemd (235-2ubuntu3) bionic; urgency=medium + + * Revert "Skip test-bpf in autopkgtest, currently is failing." + This reverts commit 75cf986e450e062a3d5780d1976e9efef41e6c4c. + * Fix test-bpf test case on ubuntu. + * Skip rename tests in containers, crude fix for now. + + -- Dimitri John Ledkov Mon, 13 Nov 2017 00:06:42 +0000 + +systemd (235-2ubuntu2) bionic; urgency=medium + + * Fix test-functions failing with Ubuntu units. + * tests: switch to using ext4 by default, instead of ext3. + * Skip test-bpf in autopkgtest, currently is failing. + + -- Dimitri John Ledkov Mon, 06 Nov 2017 18:33:39 +0000 + +systemd (235-2ubuntu1) bionic; urgency=medium + + [ Dimitri John Ledkov ] + * Merge 235-2 from debian: + - Drop all upstream cherry-picks + - Drop test-copy dh_strip size override, fixed upstream + + * Remaining delta from Debian: + - ship dhclient enter hook for dhclient integration with resolved + - ship resolvconf integration via stub-resolv.conf + - ship s390x virtio interface names migration + - do not disable systemd-resolved upon libnss-resolve removal + - do not remote fs in containers, for non-degrated boot + - CVE-2017-15908 in resolved fix loop on packets with pseudo dns types + - Unlink invocation id key, upon chown failure in containers + - Change default to UseDomains by default + - Do not treat failure to set Nice= setting as error in containers + - Add a condition to systemd-journald-audit.socet to not start in + containers (fails) + - Build without any built-in/fallback DNS server setting + - Enable resolved by default + - Update autopkgtests for reliability/raciness, and testing for typical + defaults + - Always upgrade udev, when running adt tests + - Skip test-execute on armhf + + * Fix up write_persistent_net_s390x for nullglob + + * Ship systemd sysctl settings. + Patch systemd's default sysctl settings to drop things that are set + elsewhere already. 
The promote secondary IP addresses is required for + networkd to successfully renew DHCP leases with a change of an IP address. + Set default package scheduler to Fair Queue CoDel. (LP: #1721223) + + [ Michael Biebl ] + * Install modprobe configuration file to /lib/modprobe.d. + Otherwise it is not read by kmod. (Closes: #879191) + + -- Dimitri John Ledkov Mon, 30 Oct 2017 17:20:54 +0000 + systemd (235-2) unstable; urgency=medium * Revert "tests: when running a manager object in a test, migrate to private 
@@ -572,6 +1127,187 @@ -- Cyril Brulebois Wed, 23 Aug 2017 20:41:33 +0200 +systemd (234-2ubuntu12.1) artful-security; urgency=medium + + * SECURITY UPDATE: remote DoS in resolve (LP: #1725351) + - debian/patches/CVE-2017-15908.patch: fix loop on packets with pseudo + dns types in src/resolve/resolved-dns-packet.c. + - CVE-2017-15908 + + -- Marc Deslauriers Thu, 26 Oct 2017 07:56:42 -0400 + +systemd (234-2ubuntu12) artful; urgency=medium + + [ Dimitri John Ledkov ] + * debian/rules: do not strip test-copy. + This insures test-copy is large enough for test-copy tests to pass. + (LP: #1721203) + + [ Michael Biebl ] + * Drop systemd-timesyncd.service.d/disable-with-time-daemon.conf. + All major NTP implementations ship a native service file nowadays with a + Conflicts=systemd-timesyncd.service so this drop-in is no longer + necessary. (Closes: #873185) (LP: #1721204) + + -- Dimitri John Ledkov Wed, 04 Oct 2017 13:28:34 +0100 + +systemd (234-2ubuntu11) artful; urgency=medium + + * Ubuntu/extra: ship dhclient-enter hook. + This allows isc-dhcp dhclient to set search domains and nameservers via + resolved. + * Disable systemd-networkd-wait-online by default. + Currently it is not fit for purpose, as it leads to long boot times when + networking is unplugged or not yet configured on boot. (LP: #1714301) + * networkd: change UseMTU default to true. + Cherry-pick upstream change. (LP: #1717471) + * postinst: drop empty/stock /etc/rc.local (LP: #1716979) + * Imporve resolvconf integration. + Make the .path|.service unit that feed resolved data into resolvconf not + generate failures if resolvconf is not installed. + Add a check to make sure that resolved does not read /etc/resolv.conf when that + is symlinked to stub-resolv.conf. 
(LP: #1717995) + * core: gracefully bail out keyring operations when chown fails (LP: #1691096) + + -- Dimitri John Ledkov Tue, 26 Sep 2017 11:38:02 -0400 + +systemd (234-2ubuntu10) artful; urgency=medium + + * Do not fail debootstrap if /etc/resolv.conf is immutable. (LP: #1713212) + * Revert "Create /etc/resolv.conf on resolved start, if it is an empty file." + As it is ineffective, and correct creation of /etc/resolv.conf has been fixed. + This reverts commit ccba42504f216f6ffbc54eb2c9af347355f8d86b. + * initramfs-tools: trigger udevadm add actions with subsystems first. + This updates the initramfs-tools init-top udev script to trigger udevadm + actions with type specified. This mimicks the + systemd-udev-trigger.service. Without type specified only devices are + triggered, but triggering subsystems may also be required and should happen + before triggering the devices. This is the case for example on s390x with zdev + generated udev rules. (LP: #1713536) + + -- Dimitri John Ledkov Wed, 30 Aug 2017 11:22:41 +0100 + +systemd (234-2ubuntu9) artful; urgency=medium + + * boot-and-services: skip gdm3 tests when absent, as it is on s390x. + + -- Dimitri John Ledkov Wed, 23 Aug 2017 11:58:57 +0100 + +systemd (234-2ubuntu8) artful; urgency=medium + + * Enable systemd-networkd by default. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 17:50:59 +0100 + +systemd (234-2ubuntu7) artful; urgency=medium + + * Always setup /etc/resolv.conf on new installations. + On new installations, /etc/resolv.conf will always exist. Move it to /run + and replace it with the desired final symlink. (LP: #1712283) + * Create /etc/resolv.conf on resolved start, if it is an empty file. + + -- Dimitri John Ledkov Tue, 22 Aug 2017 16:13:35 +0100 + +systemd (234-2ubuntu6) artful; urgency=medium + + * Disable KillUserProcesses, yet again, with meson this time. + * Re-enable reboot tests. 
+ + -- Dimitri John Ledkov Thu, 17 Aug 2017 15:22:35 +0100 + +systemd (234-2ubuntu5) artful; urgency=medium + + * debian/tests: disable i386 & amd64 systemd-fsck test, and add environment + overrides to allow force execution of those tests locally. LP: #1708051. + + -- Dimitri John Ledkov Wed, 16 Aug 2017 13:04:48 +0100 + +systemd (234-2ubuntu4) artful; urgency=medium + + * debian/tests: disable i386 & amd64 boot-smoke, passes locally. LP: + #1708051. + + -- Dimitri John Ledkov Tue, 15 Aug 2017 14:20:12 +0100 + +systemd (234-2ubuntu3) artful; urgency=medium + + * debian/tests: Switch to gdm, enforce udev upgrade. + + -- Dimitri John Ledkov Mon, 14 Aug 2017 12:02:37 +0100 + +systemd (234-2ubuntu2) artful; urgency=medium + + * Ignore failures to set Nice priority on services in containers. + * Disable execute test on armhf. + * units: set ConditionVirtualization=!private-users on journald audit socket. + It fails to start in unprivileged containers. + * boot-smoke: refactor ADT test. + Wait for system to settle down and get to either running or degraded state, + then collect all metrics, and exit with an error if any of the tests failed. + + -- Dimitri John Ledkov Wed, 02 Aug 2017 03:02:03 +0100 + +systemd (234-2ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. 
In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. + * modprobe.d: set max_bonds=0 for bonding module to prevent bond0 creation. + This prevents confusing networkd, and allows networkd to manage bond0. + * Cherrypick upstream networkd-test.py assertion/check fixes. + This resolves ADT test suite failures, when running tests under lxc/lxd + providers. 
+ * Cherrypick arm* seccomp fixes. + This should resolve ADT test failures, on arm64, when running as root. + * Re-enable seccomp and execute tests on arm. + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + [ Michael Biebl ] + * selinux: Enable labeling and access checks for unprivileged users. + Revert commit that inadvertently broke a lot of SELinux related + functionality for both unprivileged users and systemd instances running + as MANAGER_USER and instead deal with the auditd issue by checking for + the CAP_AUDIT_WRITE capability before opening an audit netlink socket. + (Closes: #863800) + + -- Dimitri John Ledkov Tue, 25 Jul 2017 13:30:58 +0100 + systemd (234-2) unstable; urgency=medium [ Martin Pitt ] 
@@ -592,6 +1328,64 @@ -- Michael Biebl Thu, 20 Jul 2017 15:13:42 +0200 +systemd (234-1ubuntu2) artful; urgency=medium + + * Set UseDomains to true, by default, on Ubuntu. + On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries + to a preset 3rd party by default. In resolved, dnssec is also disabled by + default, as too much of the internet is broken and using Ubuntu users to debug + the internet is not very productive - most of the time the end-user cannot fix + or know how to notify the site owners about the dnssec mistakes. Inherintally + the DHCP acquired DNS servers are therefore trusted, and are free to spoof + records. Not trusting DNS search domains, in such scenario, provides limited + security or privacy benefits. From user point of view, this also appears to be + a regression from previous Ubuntu releases which do trust DHCP acquired search + domains by default. + Therefore we are enabling UseDomains by default on Ubuntu. + Users may override this setting in the .network files by specifying + [DHCP|IPv6AcceptRA] UseDomains=no|route options. + * resolved: create private stub resolve file for integration with resolvconf. + The stub-resolve.conf file points at resolved stub resolver, but also lists the + available search domains. This is required to correctly resolve domains without + using resolve nss module. + * Enable systemd-resolved by default + * Create /etc/resolv.conf at postinst, pointing at the stub resolver. + The stub resolver file is dynamically managed by systemd-resolved. It points at + the stub resolver as the nameserver, however it also dynamically updates the + search stanza, thus non-nss dns tools work correctly with unqualified names and + correctly use the DHCP acquired search domains. + * libnss-resolve: do not disable and stop systemd-resolved + resolved is always used by default on ubuntu via stub resolver, therefore it + should continue to operate without libnss-resolve module installed. 
+ + -- Dimitri John Ledkov Fri, 21 Jul 2017 17:07:17 +0100 + +systemd (234-1ubuntu1) artful; urgency=medium + + [ Dimitri John Ledkov ] + * Merge with debian, outstanding delta below. + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Mon, 17 Jul 2017 10:59:34 +0100 + systemd (234-1) unstable; urgency=medium [ Michael Biebl ] 
@@ -673,6 +1467,52 @@ -- Michael Biebl Mon, 19 Jun 2017 15:10:14 +0200 +systemd (233-8ubuntu2) artful; urgency=medium + + * Disable fallback DNS servers. + This causes resolved to call-home to google, attempt to access network when + none is available, and spams logs. (LP: #1449001, #1698734) + * SECURITY UPDATE: Out-of-bounds write in systemd-resolved. + CVE-2017-9445 (LP: #1695546) + + -- Dimitri John Ledkov Wed, 28 Jun 2017 13:27:28 +0100 + +systemd (233-8ubuntu1) artful; urgency=medium + + Merge from experimental. Existing Ubuntu cherry-picks: + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + * Cherrypick upstream commit to enable system use kernel maximum limit for RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + + Ubuntu cherry-picks, now also applied in Debian: + * resolved: fix null pointer dereference crash + + Remaining Ubuntu delta: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. 
+ This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. + + New Ubuntu cherry-picks: + * loginctl: Chrerry-pick upstream fix to not ignore multiple session ids. + (LP: #1682154) + + -- Dimitri John Ledkov Mon, 19 Jun 2017 15:24:30 +0100 + systemd (233-8) experimental; urgency=medium * Bump debhelper compatibility level to 10 
@@ -711,6 +1551,57 @@ -- Michael Biebl Wed, 24 May 2017 12:26:18 +0200 +systemd (233-6ubuntu3) artful; urgency=medium + + * resolved: fix null pointer dereference crash (LP: #1621396) + + -- Dimitri John Ledkov Mon, 22 May 2017 09:29:22 +0100 + +systemd (233-6ubuntu2) artful; urgency=medium + + [ Michael Biebl ] + * basic/journal-importer: Fix unaligned access in get_data_size() + (Closes: #862062) + + [ Dimitri John Ledkov ] + * ubuntu: disable dnssec on any ubuntu releases (LP: #1690605) + * Cherrypick upstream patch for vio predictable interface names. + * Cherrypick upstream patch for platform predictable interface names. + (LP: #1686784) + + [ Balint Reczey ] + * Skip starting systemd-remount-fs.service in containers + even when /etc/fstab is present. + This allows entering fully running state even when /etc/fstab + lists / to be mounted from a device which is not present in the + container. (LP: #1576341) + + -- Dimitri John Ledkov Wed, 17 May 2017 19:24:03 +0100 + +systemd (233-6ubuntu1) artful; urgency=medium + + Merge from Debian, existing changes: + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. (Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + New changes: + * Cherrypick upstream commit to enable system use kernel maximum limit for + RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. 
(LP: #1686361) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + + -- Dimitri John Ledkov Tue, 02 May 2017 11:23:19 +0100 + systemd (233-6) experimental; urgency=medium [ Felipe Sateler ] 
@@ -751,6 +1642,52 @@ -- Michael Biebl Fri, 28 Apr 2017 21:47:14 +0200 +systemd (233-5ubuntu1) artful; urgency=medium + + [ Felipe Sateler ] + * Backport upstream PR #5531. + This delays opening the mdns and llmnr sockets until a network has enabled them. + This silences annoying messages when networkd receives such packets without + expecting them: + Got mDNS UDP packet on unknown scope. + + [ Martin Pitt ] + * resolved: Disable DNSSEC by default on stretch and zesty. + Both Debian stretch and Ubuntu zesty are close to releasing, switch to + DNSSEC=off by default for those. Users can still turn it back on with + DNSSEC=allow-downgrade (or even "yes"). + + [ Michael Biebl ] + * Add Conflicts against hal. + Since v183, udev no longer supports RUN+="socket:". This feature is + still used by hal, but now generates vast amounts of errors in the + journal. Thus force the removal of hal by adding a Conflicts to the udev + package. This is safe, as hal is long dead and no longer useful. + * Drop systemd-ui Suggests + systemd-ui is unmaintained upstream and not particularly useful anymore. + * journal: fix up syslog facility when forwarding native messages. + Native journal messages (_TRANSPORT=journal) typically don't have a + syslog facility attached to it. As a result when forwarding the + messages to syslog they ended up with facility 0 (LOG_KERN). + Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893) + * Split upstream tests into systemd-tests binary package (Closes: #859152) + * Get PACKAGE_VERSION from config.h. + This also works with meson and is not autotools specific. + + [ Dimitri John Ledkov ] + * ubuntu: udev.postinst preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. + This patch only affects Ubuntu systems. 
(Closes: #860246) (LP: #1682437) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + * networkd: cherry-pick support for setting bridge port's priority. + This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + + -- Dimitri John Ledkov Fri, 21 Apr 2017 14:36:34 +0100 + systemd (233-5) experimental; urgency=medium * Do not throw a warning in emergency and rescue mode if plymouth is not diff -Nru systemd-239/debian/control systemd-239/debian/control --- systemd-239/debian/control 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/control 2018-10-04 14:58:51.000000000 +0000 @@ -1,7 +1,8 @@ Source: systemd Section: admin Priority: optional -Maintainer: Debian systemd Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian systemd Maintainers Uploaders: Michael Biebl , Marco d'Itri , Sjoerd Simons , @@ -20,7 +21,7 @@ meson (>= 0.44), gettext, gperf, - gnu-efi [amd64 i386 arm64], + gnu-efi [amd64 i386 arm64 armhf], libcap-dev (>= 1:2.24-9~), libpam0g-dev, libapparmor-dev (>= 2.9.0-3+exp2) , @@ -62,7 +63,8 @@ Section: admin Priority: important Recommends: libpam-systemd, - dbus + dbus, + networkd-dispatcher Suggests: systemd-container, policykit-1 Pre-Depends: ${shlibs:Pre-Depends}, @@ -74,8 +76,8 @@ mount (>= 2.26), adduser, procps, +Conflicts: systemd-shim, upstart Breaks: apparmor (<< 2.9.2-1), - systemd-shim (<< 10-4~), ifupdown (<< 0.8.5~), udev (<< 228-5), laptop-mode-tools (<< 1.68~), @@ -112,7 +114,8 @@ upstart-sysv, Pre-Depends: systemd Depends: ${shlibs:Depends}, - ${misc:Depends} + ${misc:Depends}, + systemd (= ${binary:Version}), Recommends: libnss-systemd Description: system and service manager - SysV links systemd is a system and service manager for Linux. It provides aggressive 
@@ -208,7 +211,7 @@ systemd (= ${binary:Version}), libpam-runtime (>= 1.0.1-6), dbus, - systemd-shim (>= 10-4~) | systemd-sysv + systemd-sysv Description: system and service manager - PAM module This package contains the PAM module which registers user sessions in the systemd control group hierarchy for logind. diff -Nru systemd-239/debian/extra/dhclient-enter-resolved-hook systemd-239/debian/extra/dhclient-enter-resolved-hook --- systemd-239/debian/extra/dhclient-enter-resolved-hook 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/extra/dhclient-enter-resolved-hook 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,72 @@
+#
+# Script fragment to make dhclient supply nameserver information to resolvconf
+#
+
+# Tips:
+# * Be careful about changing the environment since this is sourced
+# * This script fragment uses bash features
+# * As of isc-dhcp-client 4.2 the "reason" (for running the script) can be one of the following.
+# (Listed on man page:) MEDIUM(0) PREINIT(0) BOUND(M) RENEW(M) REBIND(M) REBOOT(M) EXPIRE(D) FAIL(D) RELEASE(D) STOP(D) NBI(-) TIMEOUT(M)
+# (Also used in master script:) ARPCHECK(0), ARPSEND(0)
+# (Also used in master script:) PREINIT6(0) BOUND6(M) RENEW6(M) REBIND6(M) DEPREF6(0) EXPIRE6(D) RELEASE6(D) STOP6(D)
+# (0) = master script does not run make_resolv_conf
+# (M) = master script runs make_resolv_conf
+# (D) = master script downs interface
+# (-) = master script does nothing with this
+
+if [ -x /lib/systemd/systemd-resolved ] ; then
+ # For safety, first undefine the nasty default make_resolv_conf()
+ make_resolv_conf() { : ; }
+ case "$reason" in
+ BOUND|RENEW|REBIND|REBOOT|TIMEOUT|BOUND6|RENEW6|REBIND6)
+ # Define a resolvconf-compatible m_r_c() function
+ # It gets run later (or, in the TIMEOUT case, MAY get run later)
+ make_resolv_conf() {
+ local statedir
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ statedir="/run/systemd/resolved.conf.d"
+ mkdir -p $statedir
+ if [ -n "$new_domain_name_servers" ] ; then
+ cat <$statedir/isc-dhcp-v4-$interface.conf
+[Resolve]
+DNS=$new_domain_name_servers
+EOF
+ if [ -n "$new_domain_name" ] || [ -n "$new_domain_search" ] ; then
+ cat <>$statedir/isc-dhcp-v4-$interface.conf
+Domains=$new_domain_search $new_domain_name
+EOF
+ fi
+ fi
+ if [ -n "$new_dhcp6_name_servers" ] ; then
+ cat <$statedir/isc-dhcp-v6-$interface.conf
+[Resolve]
+DNS=$new_dhcp6_name_servers
+EOF
+ if [ -n "$new_dhcp6_domain_search" ] ; then
+ cat <>$statedir/isc-dhcp-v6-$interface.conf
+Domains=$new_dhcp6_domain_search
+EOF
+ fi
+ fi
+ systemctl try-reload-or-restart systemd-resolved.service
+ }
+ ;;
+
+ EXPIRE|FAIL|RELEASE|STOP)
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ rm -f /run/systemd/resolved.conf.d/isc-dhcp-v4-$interface.conf
+ systemctl try-reload-or-restart systemd-resolved.service
+ ;;
+ EXPIRE6|RELEASE6|STOP6)
+ if [ ! "$interface" ] ; then
+ return
+ fi
+ rm -f /run/systemd/resolved.conf.d/isc-dhcp-v6-$interface.conf
+ systemctl try-reload-or-restart systemd-resolved.service
+ ;;
+ esac
+fi
diff -Nru systemd-239/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf systemd-239/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf
--- systemd-239/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/extra/modprobe.d-udeb/scsi-mod-scan-sync.conf 2018-10-04 14:58:51.000000000 +0000
@@ -0,0 +1,4 @@
+# Use synchronous scanning, to block update-dev in d-i/hw-detect until after the scan is done
+# This ensures that partitioning stage has all the drives detected
+
+options scsi_mod scan=sync
diff -Nru systemd-239/debian/extra/start-udev systemd-239/debian/extra/start-udev
--- systemd-239/debian/extra/start-udev 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/extra/start-udev 2018-10-04 14:58:51.000000000 +0000
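Review bot: make_resolv_conf() writes the DHCP-supplied values (`$new_domain_name_servers`, `$new_domain_name`, `$new_domain_search`, `$new_dhcp6_name_servers`, `$new_dhcp6_domain_search`) straight into a resolved drop-in without checking their content; they originate from whatever DHCP server answered on the link, and a value containing a newline would add further keys to the [Resolve] section rather than just a DNS= or Domains= entry, while `$interface` also reaches the file name unquoted. Unless dhclient is known to sanitise these variables before running the hook, which this fragment should not rely on, a whitelist check before each write keeps the drop-in limited to addresses and domain names, and the same helper can guard `$interface`. The here-doc operators appear as `cat <$statedir/...` in this rendering, presumably `<<EOF >` lost in the paste rather than a defect in the file. Two smaller points: the drop-in sets resolved's global DNS=/Domains= rather than per-link settings, so servers learned on one interface answer lookups for every interface, and on RENEW with an empty `$new_domain_name_servers` the previous isc-dhcp-v4-$interface.conf stays in place until EXPIRE. The sketch below adds the helper at the top of the `if [ -x ... ]` block and uses it on the first write; the remaining writes get the same guard.
```shell
# … unchanged: header comments and reason-code table …
if [ -x /lib/systemd/systemd-resolved ] ; then
    # Accept only what resolved expects in DNS=/Domains= (addresses with an
    # optional %scope, domain names, the '~' route-only prefix, spaces).
    # The values come from the DHCP server, so anything else is dropped
    # instead of being written into the drop-in.
    _resolved_value_ok() {
        local v=${1// /}
        case "$v" in
            *[!A-Za-z0-9.:%_~-]*) return 1 ;;
        esac
        return 0
    }
    # … unchanged: default make_resolv_conf stub, case "$reason" in, statedir setup …
                if [ -n "$new_domain_name_servers" ] && _resolved_value_ok "$new_domain_name_servers" ; then
    # … unchanged: the same guard on the Domains= and v6 writes, EXPIRE branches …
```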
@@ -8,6 +8,12 @@ mount -n -o mode=0755 -t devtmpfs devtmpfs /dev fi +# This covers the same case as lib/modprobe.d/scsi-mod-scan-sync.conf +# in the event that scsi_mod is built in to the kernel, not a module: +if [ -f /sys/module/scsi_mod/parameters/scan ]; then + echo sync > /sys/module/scsi_mod/parameters/scan +fi + SYSTEMD_LOG_LEVEL=notice /lib/systemd/systemd-udevd --daemon --resolve-names=never udevadm trigger --action=add diff -Nru systemd-239/debian/extra/units/systemd-resolved.service.d/resolvconf.conf systemd-239/debian/extra/units/systemd-resolved.service.d/resolvconf.conf --- systemd-239/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/extra/units/systemd-resolved.service.d/resolvconf.conf 1970-01-01 00:00:00.000000000 +0000 @@ -1,8 +0,0 @@ -# tell resolvconf about resolved's builtin DNS server, so that DNS servers -# picked up via networkd are respected when using resolvconf, and that software -# like Chrome that does not do NSS (libnss-resolve) still gets proper DNS -# resolution; do not remove the entry after stop though, as that leads to -# timeouts on shutdown via the resolvconf hooks (see LP: #1648068) -[Service] -ExecStartPost=+/bin/sh -c '[ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved' -ReadWritePaths=-/run/resolvconf diff -Nru systemd-239/debian/gbp.conf systemd-239/debian/gbp.conf --- systemd-239/debian/gbp.conf 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/gbp.conf 2018-10-04 14:58:51.000000000 +0000 @@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = False patch-numbers = False -debian-branch = master +debian-branch = ubuntu-cosmic [dch] full = True diff -Nru systemd-239/debian/libnss-resolve.postrm systemd-239/debian/libnss-resolve.postrm --- systemd-239/debian/libnss-resolve.postrm 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/libnss-resolve.postrm 2018-10-04 14:58:51.000000000 +0000 
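Review bot: The new `echo sync > /sys/module/scsi_mod/parameters/scan` is guarded only by `-f`, so where the parameter exists but is not writable (sysfs mounted read-only in a container, or a kernel exporting it read-only) the redirection fails with a shell error in the middle of udev start-up; `if [ -w /sys/module/scsi_mod/parameters/scan ]; then` states the actual precondition and keeps start-up quiet. The comment names `lib/modprobe.d/scsi-mod-scan-sync.conf` while this debdiff adds the file under debian/extra/modprobe.d-udeb, presumably installed to /lib/modprobe.d by the udeb packaging; naming the source path in the comment would save the next reader the lookup. The surrounding script continues before and after this hunk.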
@@ -23,10 +23,6 @@ if [ "$1" = remove ]; then remove_nss_entry /etc/nsswitch.conf libnss-resolve resolve - systemctl disable systemd-resolved.service - if [ -d /run/systemd/system ]; then - deb-systemd-invoke stop systemd-resolved.service || true - fi fi #DEBHELPER# diff -Nru systemd-239/debian/patches/Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch systemd-239/debian/patches/Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch --- systemd-239/debian/patches/Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,239 @@ +From: Michael Biebl +Date: Fri, 13 Jul 2018 23:36:13 +0200 +Subject: Do not apply uaccess tag for /dev/kvm if mode is 0666 + +(cherry picked from commit ace5e3111c0b8d8bfd84b32f2c689b0a4d92c061) +--- + meson.build | 4 ++- + src/login/70-uaccess.rules | 83 ------------------------------------------ + src/login/70-uaccess.rules.m4 | 84 +++++++++++++++++++++++++++++++++++++++++++ + src/login/meson.build | 13 ++++--- + 4 files changed, 96 insertions(+), 88 deletions(-) + delete mode 100644 src/login/70-uaccess.rules + create mode 100644 src/login/70-uaccess.rules.m4 + +diff --git a/meson.build b/meson.build +index 04331dd..dd21f50 100644 +--- a/meson.build ++++ b/meson.build +@@ -741,7 +741,9 @@ substs.set('USERS_GID', users_gid) + conf.set10('ENABLE_ADM_GROUP', get_option('adm-group')) + conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group')) + +-substs.set('DEV_KVM_MODE', get_option('dev-kvm-mode')) ++dev_kvm_mode = get_option('dev-kvm-mode') ++substs.set('DEV_KVM_MODE', dev_kvm_mode) ++conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666') + substs.set('GROUP_RENDER_MODE', get_option('group-render-mode')) + + kill_user_processes = get_option('default-kill-user-processes') +diff --git a/src/login/70-uaccess.rules b/src/login/70-uaccess.rules +deleted file mode 100644 +index 6feb957..0000000 +--- a/src/login/70-uaccess.rules ++++ /dev/null +@@ -1,83 +0,0 @@ +-# SPDX-License-Identifier: LGPL-2.1+ +-# +-# This file is part of systemd. +-# +-# systemd is free software; you can redistribute it and/or modify it +-# under the terms of the GNU Lesser General Public License as published by +-# the Free Software Foundation; either version 2.1 of the License, or +-# (at your option) any later version. 
+- +-ACTION=="remove", GOTO="uaccess_end" +-ENV{MAJOR}=="", GOTO="uaccess_end" +- +-# PTP/MTP protocol devices, cameras, portable media players +-SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="uaccess" +- +-# Digicams with proprietary protocol +-ENV{ID_GPHOTO2}=="?*", TAG+="uaccess" +- +-# SCSI and USB scanners +-ENV{libsane_matched}=="yes", TAG+="uaccess" +- +-# HPLIP devices (necessary for ink level check and HP tool maintenance) +-ENV{ID_HPLIP}=="1", TAG+="uaccess" +- +-# optical drives +-SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess" +-SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="uaccess" +- +-# Sound devices +-SUBSYSTEM=="sound", TAG+="uaccess", \ +- OPTIONS+="static_node=snd/timer", OPTIONS+="static_node=snd/seq" +- +-# ffado is an userspace driver for firewire sound cards +-SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="uaccess" +- +-# Webcams, frame grabber, TV cards +-SUBSYSTEM=="video4linux", TAG+="uaccess" +-SUBSYSTEM=="dvb", TAG+="uaccess" +- +-# IIDC devices: industrial cameras and some webcams +-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="uaccess" +-SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="uaccess" +-# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more +-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess" +-SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess" +- +-# DRI video devices +-SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess" +- +-# KVM +-SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess" +- +-# smart-card readers +-ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess" +- +-# (USB) authentication devices +-ENV{ID_SECURITY_TOKEN}=="?*", TAG+="uaccess" +- +-# PDA devices +-ENV{ID_PDA}=="?*", TAG+="uaccess" +- +-# Programmable remote control +-ENV{ID_REMOTE_CONTROL}=="1", TAG+="uaccess" +- +-# joysticks +-SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", TAG+="uaccess" +- +-# color measurement 
devices +-ENV{COLOR_MEASUREMENT_DEVICE}=="?*", TAG+="uaccess" +- +-# DDC/CI device, usually high-end monitors such as the DreamColor +-ENV{DDC_DEVICE}=="?*", TAG+="uaccess" +- +-# media player raw devices (for user-mode drivers, Android SDK, etc.) +-SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess" +- +-# software-defined radio communication devices +-ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess" +- +-# 3D printers, CNC machines, laser cutters, 3D scanners, etc. +-ENV{ID_MAKER_TOOL}=="?*", TAG+="uaccess" +- +-LABEL="uaccess_end" +diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4 +new file mode 100644 +index 0000000..d55e5bf +--- /dev/null ++++ b/src/login/70-uaccess.rules.m4 +@@ -0,0 +1,84 @@ ++# SPDX-License-Identifier: LGPL-2.1+ ++# ++# This file is part of systemd. ++# ++# systemd is free software; you can redistribute it and/or modify it ++# under the terms of the GNU Lesser General Public License as published by ++# the Free Software Foundation; either version 2.1 of the License, or ++# (at your option) any later version. 
++ ++ACTION=="remove", GOTO="uaccess_end" ++ENV{MAJOR}=="", GOTO="uaccess_end" ++ ++# PTP/MTP protocol devices, cameras, portable media players ++SUBSYSTEM=="usb", ENV{ID_USB_INTERFACES}=="*:060101:*", TAG+="uaccess" ++ ++# Digicams with proprietary protocol ++ENV{ID_GPHOTO2}=="?*", TAG+="uaccess" ++ ++# SCSI and USB scanners ++ENV{libsane_matched}=="yes", TAG+="uaccess" ++ ++# HPLIP devices (necessary for ink level check and HP tool maintenance) ++ENV{ID_HPLIP}=="1", TAG+="uaccess" ++ ++# optical drives ++SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess" ++SUBSYSTEM=="scsi_generic", SUBSYSTEMS=="scsi", ATTRS{type}=="4|5", TAG+="uaccess" ++ ++# Sound devices ++SUBSYSTEM=="sound", TAG+="uaccess", \ ++ OPTIONS+="static_node=snd/timer", OPTIONS+="static_node=snd/seq" ++ ++# ffado is an userspace driver for firewire sound cards ++SUBSYSTEM=="firewire", ENV{ID_FFADO}=="1", TAG+="uaccess" ++ ++# Webcams, frame grabber, TV cards ++SUBSYSTEM=="video4linux", TAG+="uaccess" ++SUBSYSTEM=="dvb", TAG+="uaccess" ++ ++# IIDC devices: industrial cameras and some webcams ++SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x00010*", TAG+="uaccess" ++SUBSYSTEM=="firewire", ATTR{units}=="*0x00b09d:0x00010*", TAG+="uaccess" ++# AV/C devices: camcorders, set-top boxes, TV sets, audio devices, and more ++SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess" ++SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess" ++ ++# DRI video devices ++SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess" ++m4_ifdef(`DEV_KVM_UACCESS',`` ++# KVM ++SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"'' ++)m4_dnl ++ ++# smart-card readers ++ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess" ++ ++# (USB) authentication devices ++ENV{ID_SECURITY_TOKEN}=="?*", TAG+="uaccess" ++ ++# PDA devices ++ENV{ID_PDA}=="?*", TAG+="uaccess" ++ ++# Programmable remote control ++ENV{ID_REMOTE_CONTROL}=="1", TAG+="uaccess" ++ ++# joysticks ++SUBSYSTEM=="input", ENV{ID_INPUT_JOYSTICK}=="?*", 
TAG+="uaccess" ++ ++# color measurement devices ++ENV{COLOR_MEASUREMENT_DEVICE}=="?*", TAG+="uaccess" ++ ++# DDC/CI device, usually high-end monitors such as the DreamColor ++ENV{DDC_DEVICE}=="?*", TAG+="uaccess" ++ ++# media player raw devices (for user-mode drivers, Android SDK, etc.) ++SUBSYSTEM=="usb", ENV{ID_MEDIA_PLAYER}=="?*", TAG+="uaccess" ++ ++# software-defined radio communication devices ++ENV{ID_SOFTWARE_RADIO}=="?*", TAG+="uaccess" ++ ++# 3D printers, CNC machines, laser cutters, 3D scanners, etc. ++ENV{ID_MAKER_TOOL}=="?*", TAG+="uaccess" ++ ++LABEL="uaccess_end" +diff --git a/src/login/meson.build b/src/login/meson.build +index 4326a45..0e1ed18 100644 +--- a/src/login/meson.build ++++ b/src/login/meson.build +@@ -81,10 +81,6 @@ if conf.get('ENABLE_LOGIND') == 1 + + install_data('70-power-switch.rules', install_dir : udevrulesdir) + +- if conf.get('HAVE_ACL') == 1 +- install_data('70-uaccess.rules', install_dir : udevrulesdir) +- endif +- + seat_rules = configure_file( + input : '71-seat.rules.in', + output : '71-seat.rules', +@@ -92,6 +88,15 @@ if conf.get('ENABLE_LOGIND') == 1 + install_data(seat_rules, + install_dir : udevrulesdir) + ++ custom_target( ++ '70-uaccess.rules', ++ input : '70-uaccess.rules.m4', ++ output: '70-uaccess.rules', ++ command : [meson_apply_m4, config_h, '@INPUT@'], ++ capture : true, ++ install : conf.get('HAVE_ACL') == 1, ++ install_dir : udevrulesdir) ++ + custom_target( + '73-seat-late.rules', + input : '73-seat-late.rules.m4', diff -Nru systemd-239/debian/patches/Networkd-Start-DHCP-server-when-link-is-up.patch systemd-239/debian/patches/Networkd-Start-DHCP-server-when-link-is-up.patch --- systemd-239/debian/patches/Networkd-Start-DHCP-server-when-link-is-up.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/Networkd-Start-DHCP-server-when-link-is-up.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,24 @@
+From: Susant Sahani
+Date: Mon, 9 Jul 2018 11:10:54 +0530
+Subject: Networkd: Start DHCP server when link is up.
+
+Closes #9479
+
+(cherry picked from commit 708c425d0aeda659d430f437163587babb96b1bb)
+---
+ src/network/networkd-link.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 602e03f..5975ebc 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1096,7 +1096,7 @@ static int link_enter_set_addresses(Link *link) {
+ 
+ /* now that we can figure out a default address for the dhcp server,
+ start it */
+- if (link_dhcp4_server_enabled(link)) {
++ if (link_dhcp4_server_enabled(link) && (link->flags & IFF_UP)) {
+ Address *address;
+ Link *uplink = NULL;
+ bool acquired_uplink = false;
diff -Nru systemd-239/debian/patches/Re-add-uaccess-tag-for-dev-kvm.patch systemd-239/debian/patches/Re-add-uaccess-tag-for-dev-kvm.patch
--- systemd-239/debian/patches/Re-add-uaccess-tag-for-dev-kvm.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/Re-add-uaccess-tag-for-dev-kvm.patch 2018-10-04 14:58:51.000000000 +0000
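Review bot: Gating the DHCPv4 server start on `link->flags & IFF_UP` skips the server whenever link_enter_set_addresses() runs before the interface is administratively up, and nothing in this hunk re-enters the start path once IFF_UP arrives later. Whether the link-up handling elsewhere in networkd-link.c calls back into this function is not visible here; if it does not, a link configured before it is brought up would never get its DHCP server. Once that is confirmed, a comment on the condition would make the expectation explicit, e.g. `/* only start once the link is up; a later IFF_UP transition must re-enter this path */`. link_enter_set_addresses() continues outside the hunk.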
@@ -0,0 +1,30 @@
+From: Michael Biebl
+Date: Tue, 10 Jul 2018 14:47:58 +0200
+Subject: Re-add uaccess tag for /dev/kvm
+
+If --dev-kvm-mode is set to something different then 0666, which we
+explicitly support, it makes sense to still apply the uaccess tag to
+/dev/kvm. For distros which opt to use the default 0666, this change is
+a nop.
+
+This partially reverts commit b8fd3d82205f632ce001fade74fed287e1564a1a.
+
+(cherry picked from commit fa53e24130af3a389573acb9585eadbf7192955f)
+---
+ src/login/70-uaccess.rules | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/login/70-uaccess.rules b/src/login/70-uaccess.rules
+index 3515d29..6feb957 100644
+--- a/src/login/70-uaccess.rules
++++ b/src/login/70-uaccess.rules
+@@ -47,6 +47,9 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
+ # DRI video devices
+ SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess"
+ 
++# KVM
++SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
++
+ # smart-card readers
+ ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess"
+ 
diff -Nru systemd-239/debian/patches/build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch systemd-239/debian/patches/build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch
--- systemd-239/debian/patches/build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch 2018-10-04 14:58:51.000000000 +0000
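Review bot: The re-added `TAG+="uaccess"` on /dev/kvm is unconditional in this patch, while the Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666 patch in the same series wraps that rule in `m4_ifdef(`DEV_KVM_UACCESS', ...)`, which meson sets only when `dev_kvm_mode != '0666'`. This upload also removes debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch, which used to pin the meson_options.txt default to 0660, and debian/rules is not in the diffstat, so the effective /dev/kvm mode now depends on whether the build already passes -Ddev-kvm-mode=0660; if it does not, upstream's 0666 default leaves /dev/kvm world-accessible and the m4 guard drops the uaccess tag entirely. A line in the patch header recording which mode the package builds with, and why the uaccess tag is still wanted, would make that dependency auditable.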
@@ -0,0 +1,105 @@ +From: Filipe Brandenburger +Date: Sun, 15 Jul 2018 22:43:35 -0700 +Subject: build-sys: Detect whether struct statx is defined in sys/stat.h +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Starting with glibc 2.27.9000-36.fc29, include file sys/stat.h will have a +definition for struct statx, in which case include file linux/stat.h should be +avoided, in order to prevent a duplicate definition. + + In file included from ../src/basic/missing.h:18, + from ../src/basic/util.h:28, + from ../src/basic/hashmap.h:10, + from ../src/shared/bus-util.h:12, + from ../src/libsystemd/sd-bus/bus-creds.c:11: + /usr/include/linux/stat.h:99:8: error: redefinition of ‘struct statx’ + struct statx { + ^~~~~ + In file included from /usr/include/sys/stat.h:446, + from ../src/basic/util.h:19, + from ../src/basic/hashmap.h:10, + from ../src/shared/bus-util.h:12, + from ../src/libsystemd/sd-bus/bus-creds.c:11: + /usr/include/bits/statx.h:36:8: note: originally defined here + struct statx + ^~~~~ + +Extend our meson.build to look for struct statx when only sys/stat.h is +included and, in that case, do not include linux/stat.h anymore. + +Tested that systemd builds correctly when using a glibc version that includes a +definition for struct statx. 
+ +glibc Fedora RPM update: +https://src.fedoraproject.org/rpms/glibc/c/28cb5d31fc1e5887912283c889689c47076278ae + +glibc upstream commit: +https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=fd70af45528d59a00eb3190ef6706cb299488fcd + +(cherry picked from commit 75720bff62a84896e9a0654afc7cf9408cf89a38) +--- + meson.build | 5 +++++ + src/basic/missing.h | 5 ++++- + src/basic/xattr-util.c | 1 - + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/meson.build b/meson.build +index d218747..f1f4611 100644 +--- a/meson.build ++++ b/meson.build +@@ -425,6 +425,7 @@ decl_headers = ''' + #include + ''' + # FIXME: key_serial_t is only defined in keyutils.h, this is bound to fail ++# FIXME: these should use -D_GNU_SOURCE, since that is defined at build time + + foreach decl : ['char16_t', + 'char32_t', +@@ -439,6 +440,10 @@ foreach decl : ['char16_t', + conf.set10('HAVE_' + decl.underscorify().to_upper(), have) + endforeach + ++conf.set10('HAVE_STRUCT_STATX_IN_SYS_STAT_H', cc.sizeof('struct statx', prefix : ''' ++#include ++''', args : '-D_GNU_SOURCE') > 0) ++ + foreach decl : [['IFLA_INET6_ADDR_GEN_MODE', 'linux/if_link.h'], + ['IN6_ADDR_GEN_MODE_STABLE_PRIVACY', 'linux/if_link.h'], + ['IFLA_VRF_TABLE', 'linux/if_link.h'], +diff --git a/src/basic/missing.h b/src/basic/missing.h +index 71a07d0..14ad3d4 100644 +--- a/src/basic/missing.h ++++ b/src/basic/missing.h +@@ -15,7 +15,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -25,6 +24,10 @@ + #include + #include + ++#if !HAVE_STRUCT_STATX_IN_SYS_STAT_H ++#include ++#endif ++ + #if HAVE_AUDIT + #include + #endif +diff --git a/src/basic/xattr-util.c b/src/basic/xattr-util.c +index c5c55ea..0ee0979 100644 +--- a/src/basic/xattr-util.c ++++ b/src/basic/xattr-util.c +@@ -2,7 +2,6 @@ + + #include + #include +-#include + #include + #include + #include diff -Nru systemd-239/debian/patches/core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch 
systemd-239/debian/patches/core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch --- systemd-239/debian/patches/core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch 2018-10-04 14:58:51.000000000 +0000 @@ -0,0 +1,27 @@ +From: YmrDtnJu +Date: Fri, 22 Jun 2018 23:17:07 +0000 +Subject: core: Actually use the resolved path for TemporaryFileSystem= + (#9385) + +The code already resolves specifiers using unit_full_printf() but then uses the +unresolved version again for temporary_filesystem_add(). + +(cherry picked from commit a26fec240862c7bc466f468490bae2395f263708) +(cherry picked from commit 46e98d5acef33196ca84945af3a0c1c928a05130) +--- + src/core/load-fragment.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c +index d9a5094..fa36052 100644 +--- a/src/core/load-fragment.c ++++ b/src/core/load-fragment.c +@@ -3904,7 +3904,7 @@ int config_parse_temporary_filesystems( + if (r < 0) + continue; + +- r = temporary_filesystem_add(&c->temporary_filesystems, &c->n_temporary_filesystems, path, w); ++ r = temporary_filesystem_add(&c->temporary_filesystems, &c->n_temporary_filesystems, resolved, w); + if (r == -ENOMEM) + return log_oom(); + if (r < 0) { diff -Nru systemd-239/debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch systemd-239/debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch --- systemd-239/debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/core-execute-environment_generators-with-manager-s-enviro.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,22 @@
+From: Dimitri John Ledkov
+Date: Wed, 12 Sep 2018 19:51:23 +0100
+Subject: core: execute environment_generators with manager's environment
+
+(cherry picked from commit ea368f0bd2b77bbc67eab42471b470582f0bd6bc)
+---
+ src/core/manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index c12eb05..134e4c5 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3736,7 +3736,7 @@ static int manager_run_environment_generators(Manager *m) {
+ if (!generator_path_any(paths))
+ return 0;
+ 
+- return execute_directories(paths, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL, NULL);
++ return execute_directories(paths, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL, m->environment);
+ }
+ 
+ static int manager_run_generators(Manager *m) {
diff -Nru systemd-239/debian/patches/core-execute-generators-with-manager-s-environmnet.patch systemd-239/debian/patches/core-execute-generators-with-manager-s-environmnet.patch
--- systemd-239/debian/patches/core-execute-generators-with-manager-s-environmnet.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/core-execute-generators-with-manager-s-environmnet.patch 2018-10-04 14:58:51.000000000 +0000
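Review bot: Passing `m->environment` to execute_directories() here, and again in the companion core-execute-generators-with-manager-s-environmnet.patch, changes what environment and unit generators observe, but neither patch header says why or what the manager environment is expected to carry; a one-line rationale in the cherry-pick description would help whoever rebases these. For the user manager that environment presumably includes the full session environment, so generators now run with whatever the session exported — worth confirming that is intended rather than a side effect. The second patch's subject also misspells "environment" as "environmnet". manager_run_environment_generators() starts outside the hunk.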
@@ -0,0 +1,22 @@
+From: Dimitri John Ledkov
+Date: Wed, 12 Sep 2018 19:52:30 +0100
+Subject: core: execute generators with manager's environmnet
+
+(cherry picked from commit a3156a8ee4d68b09715225cc04674eea7b5aaec4)
+---
+ src/core/manager.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/manager.c b/src/core/manager.c
+index 134e4c5..8dad2f0 100644
+--- a/src/core/manager.c
++++ b/src/core/manager.c
+@@ -3768,7 +3768,7 @@ static int manager_run_generators(Manager *m) {
+ 
+ RUN_WITH_UMASK(0022)
+ execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC,
+- NULL, NULL, (char**) argv, NULL);
++ NULL, NULL, (char**) argv, m->environment);
+ 
+ finish:
+ lookup_paths_trim_generator(&m->lookup_paths);
diff -Nru systemd-239/debian/patches/core-fix-gid-when-DynamicUser-yes-with-static-User.patch systemd-239/debian/patches/core-fix-gid-when-DynamicUser-yes-with-static-User.patch
--- systemd-239/debian/patches/core-fix-gid-when-DynamicUser-yes-with-static-User.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/core-fix-gid-when-DynamicUser-yes-with-static-User.patch 2018-10-04 14:58:51.000000000 +0000
@@ -0,0 +1,38 @@
+From: Yu Watanabe
+Date: Thu, 26 Jul 2018 11:42:54 +0900
+Subject: core: fix gid when DynamicUser=yes with static User=
+
+When DynamicUser=yes and static User= are set, and the user has
+different uid and gid, then as the storage socket for the dynamic
+user does not contains gid, we need to obtain gid.
+
+Follow-up for 9ec655cbbd7505ef465e0444da0622e46099ce42.
+
+Fixes #9702.
+
+(cherry picked from commit 25a1df7c652d180eb716412885c3ce3fcc1bbded)
+---
+ src/core/dynamic-user.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/core/dynamic-user.c b/src/core/dynamic-user.c
+index 7c5111d..f380db5 100644
+--- a/src/core/dynamic-user.c
++++ b/src/core/dynamic-user.c
+@@ -525,6 +525,16 @@ static int dynamic_user_realize(
+ num = new_uid;
+ uid_lock_fd = new_uid_lock_fd;
+ }
++ } else if (is_user && !uid_is_dynamic(num)) {
++ struct passwd *p;
++
++ /* Statically allocated user may have different uid and gid. So, let's obtain the gid. */
++ errno = 0;
++ p = getpwuid(num);
++ if (!p)
++ return errno > 0 ? -errno : -ESRCH;
++
++ gid = p->pw_gid;
+ }
+ 
+ /* If the UID/GID was already allocated dynamically, push the data we popped out back in. If it was already
diff -Nru systemd-239/debian/patches/core-job-add-check-for-return-of-job_type_merge_and_colla.patch systemd-239/debian/patches/core-job-add-check-for-return-of-job_type_merge_and_colla.patch
--- systemd-239/debian/patches/core-job-add-check-for-return-of-job_type_merge_and_colla.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/core-job-add-check-for-return-of-job_type_merge_and_colla.patch 2018-10-04 14:58:51.000000000 +0000
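Review bot: The gid is derived by numeric uid (`getpwuid(num)`) rather than from the User= name that produced the uid, so if several passwd entries share a uid the first NSS match decides the primary group; that is presumably acceptable for the static-User= case this targets, but the comment should say so. `getpwuid()` also goes through NSS and returns a pointer into static storage, so this path can block on remote NSS backends and the result must be consumed before any further lookup — extending the comment to `/* ... obtain the gid via NSS; may block, and p points into static storage */` would record both. The `errno = 0` / `errno > 0 ? -errno : -ESRCH` handling distinguishes lookup errors from not-found correctly. dynamic_user_realize() starts and ends outside the hunk.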
@@ -0,0 +1,27 @@
+From: Filipe Brandenburger
+Date: Tue, 12 Jun 2018 14:20:04 -0700
+Subject: core/job: add check for return of job_type_merge_and_collapse()
+
+Using an assertion is fine, since calls to job_merge_into_installed()
+are protected by a check for job_type_is_conflicting().
+
+Uncovered by Coverity, fixes CID 996307.
+
+(cherry picked from commit 53a2383b8bd978cdd98debb69dea95bf0091116a)
+---
+ src/core/job.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/job.c b/src/core/job.c
+index 734756b..2f37ff5 100644
+--- a/src/core/job.c
++++ b/src/core/job.c
+@@ -174,7 +174,7 @@ static void job_merge_into_installed(Job *j, Job *other) {
+ assert(j->unit == other->unit);
+ 
+ if (j->type != JOB_NOP)
+- job_type_merge_and_collapse(&j->type, other->type, j->unit);
++ assert_se(job_type_merge_and_collapse(&j->type, other->type, j->unit) == 0);
+ else
+ assert(other->type == JOB_NOP);
+ 
diff -Nru systemd-239/debian/patches/cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch systemd-239/debian/patches/cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch
--- systemd-239/debian/patches/cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch 2018-10-04 14:58:51.000000000 +0000
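Review bot: Wrapping the call in `assert_se()` turns any non-zero return from job_type_merge_and_collapse() into a PID 1 abort, and the only justification — that callers of job_merge_into_installed() first check job_type_is_conflicting() — lives in the patch header and in code outside this hunk. A comment next to the assertion would keep that invariant from being weakened silently by a future caller, e.g. `/* callers guarantee !job_type_is_conflicting(), so the merge cannot fail */`. job_merge_into_installed() continues outside the hunk.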
@@ -0,0 +1,34 @@
+From: =?utf-8?q?Lorenz_H=C3=BCbschle-Schneider?=
+Date: Tue, 26 Jun 2018 19:41:30 +0200
+Subject: cryptsetup: Add dependency on loopback setup to generated units
+
+For loopback volumes, the generated unit needs to depend on
+systemd-tmpfiles-setup-dev.service to ensure that loopback
+support is loaded.
+
+Fixes #9308
+
+(cherry picked from commit b90cbe6638560b9e42343e705a561b73b6dca39f)
+---
+ src/cryptsetup/cryptsetup-generator.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index f5a8182..d8e65c0 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -151,8 +151,13 @@ static int create_disk(
+ fputs("Before=dev-mapper-%i.swap\n",
+ f);
+ } else
++ /* For loopback devices, add systemd-tmpfiles-setup-dev.service
++ dependency to ensure that loopback support is available in
++ the kernel (/dev/loop-control needs to exist) */
+ fprintf(f,
+- "RequiresMountsFor=%s\n",
++ "RequiresMountsFor=%s\n"
++ "Requires=systemd-tmpfiles-setup-dev.service\n"
++ "After=systemd-tmpfiles-setup-dev.service\n",
+ u_escaped);
+ 
+ r = generator_write_timeouts(arg_dest, device, name, options, &filtered);
diff -Nru systemd-239/debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch systemd-239/debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch
--- systemd-239/debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/cryptsetup-add-support-for-sector-size-option-8881.patch 2018-10-04 14:58:51.000000000 +0000
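Review bot: The new three-line comment is inserted between `} else` and the single `fprintf()` that forms the else body, so the branch now visually reads like a multi-statement block without braces; putting braces around the else branch (`} else {` ... `}`) keeps the structure unambiguous for the next edit. Separately, `Requires=systemd-tmpfiles-setup-dev.service` makes the generated crypt unit fail outright if that service fails, which is stronger than a `Wants=` would be — fine if intended, but the comment should state that the hard dependency is deliberate. create_disk() continues outside the hunk.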
@@ -0,0 +1,113 @@ +From: Dimitri John Ledkov +Date: Fri, 24 Aug 2018 16:37:45 +0100 +Subject: cryptsetup: add support for sector-size= option (#8881) + +Bug-Ubuntu: https://launchpad.net/bugs/1776626 +(cherry picked from commit 9a63ee584da7c76e7945f3dbf386a093dbf40d8d) +--- + man/crypttab.xml | 9 +++++++++ + meson.build | 6 ++++++ + src/cryptsetup/cryptsetup.c | 30 ++++++++++++++++++++++++++++++ + 3 files changed, 45 insertions(+) + +diff --git a/man/crypttab.xml b/man/crypttab.xml +index dcaf03d..3574ce0 100644 +--- a/man/crypttab.xml ++++ b/man/crypttab.xml +@@ -250,6 +250,15 @@ + option. + + ++ ++ ++ ++ Specifies the sector size in bytes. See ++ cryptsetup8 ++ for possible values and the default value of this ++ option. ++ ++ + + + +diff --git a/meson.build b/meson.build +index dd21f50..d218747 100644 +--- a/meson.build ++++ b/meson.build +@@ -924,11 +924,17 @@ if want_libcryptsetup != 'false' and not fuzzer_build + version : '>= 1.6.0', + required : want_libcryptsetup == 'true') + have = libcryptsetup.found() ++ have_sector = cc.has_member( ++ 'struct crypt_params_plain', ++ 'sector_size', ++ prefix : '#include ') + else + have = false ++ have_sector = false + libcryptsetup = [] + endif + conf.set10('HAVE_LIBCRYPTSETUP', have) ++conf.set10('HAVE_LIBCRYPTSETUP_SECTOR_SIZE', have_sector) + + want_libcurl = get_option('libcurl') + if want_libcurl != 'false' and not fuzzer_build +diff --git a/src/cryptsetup/cryptsetup.c b/src/cryptsetup/cryptsetup.c +index 8321681..87008cb 100644 +--- a/src/cryptsetup/cryptsetup.c ++++ b/src/cryptsetup/cryptsetup.c +@@ -23,10 +23,14 @@ + + /* internal helper */ + #define ANY_LUKS "LUKS" ++/* as in src/cryptsetup.h */ ++#define CRYPT_SECTOR_SIZE 512 ++#define CRYPT_MAX_SECTOR_SIZE 4096 + + static const char *arg_type = NULL; /* ANY_LUKS, CRYPT_LUKS1, CRYPT_LUKS2, CRYPT_TCRYPT or CRYPT_PLAIN */ + static char *arg_cipher = NULL; + static unsigned arg_key_size = 0; ++static unsigned arg_sector_size = CRYPT_SECTOR_SIZE; + static int 
arg_key_slot = CRYPT_ANY_SLOT; + static unsigned arg_keyfile_size = 0; + static uint64_t arg_keyfile_offset = 0; +@@ -86,6 +90,29 @@ static int parse_one_option(const char *option) { + + arg_key_size /= 8; + ++ } else if ((val = startswith(option, "sector-size="))) { ++ ++#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE ++ r = safe_atou(val, &arg_sector_size); ++ if (r < 0) { ++ log_error_errno(r, "Failed to parse %s, ignoring: %m", option); ++ return 0; ++ } ++ ++ if (arg_sector_size % 2) { ++ log_error("sector-size= not a multiple of 2, ignoring."); ++ return 0; ++ } ++ ++ if (arg_sector_size < CRYPT_SECTOR_SIZE || arg_sector_size > CRYPT_MAX_SECTOR_SIZE) { ++ log_error("sector-size= is outside of %u and %u, ignoring.", CRYPT_SECTOR_SIZE, CRYPT_MAX_SECTOR_SIZE); ++ return 0; ++ } ++#else ++ log_error("sector-size= is not supported, compiled with old libcryptsetup."); ++ return 0; ++#endif ++ + } else if ((val = startswith(option, "key-slot="))) { + + arg_type = ANY_LUKS; +@@ -471,6 +498,9 @@ static int attach_luks_or_plain(struct crypt_device *cd, + struct crypt_params_plain params = { + .offset = arg_offset, + .skip = arg_skip, ++#if HAVE_LIBCRYPTSETUP_SECTOR_SIZE ++ .sector_size = arg_sector_size, ++#endif + }; + const char *cipher, *cipher_mode; + _cleanup_free_ char *truncated_cipher = NULL; diff -Nru systemd-239/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch systemd-239/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch --- systemd-239/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/Re-enable-journal-forwarding-to-syslog.patch 2018-10-04 14:58:51.000000000 +0000 @@ -30,10 +30,10 @@ systemd.journald.forward_to_syslog, systemd.journald.forward_to_kmsg, diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c -index 4f1550e..f48059d 100644 +index b6e7a9c..d7add47 100644 --- a/src/journal/journald-server.c 
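Review bot: `if (arg_sector_size % 2)` only rejects odd values, so sizes such as 1536 or 3000 pass the check and the range test that follows cannot catch them either, while dm-crypt only accepts power-of-two sector sizes between 512 and 4096 and the log message says "multiple of 2" rather than what is actually required. Replace it with a power-of-two test: `if ((arg_sector_size & (arg_sector_size - 1)) != 0) { log_error("sector-size= not a power of 2, ignoring."); return 0; }` (the range check still has to run afterwards to exclude 0 and out-of-range powers of two). parse_one_option() continues outside the hunk.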
+++ b/src/journal/journald-server.c -@@ -1692,6 +1692,7 @@ int server_init(Server *s) { +@@ -1693,6 +1693,7 @@ int server_init(Server *s) { s->rate_limit_interval = DEFAULT_RATE_LIMIT_INTERVAL; s->rate_limit_burst = DEFAULT_RATE_LIMIT_BURST; diff -Nru systemd-239/debian/patches/debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch systemd-239/debian/patches/debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch --- systemd-239/debian/patches/debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch 2018-10-04 14:58:51.000000000 +0000 @@ -369,7 +369,7 @@ static void unit_file_list_free_one(UnitFileList *f) { diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c -index f072ad0..fc0baa8 100644 +index 79de664..a76c105 100644 --- a/src/systemctl/systemctl.c +++ b/src/systemctl/systemctl.c @@ -7683,11 +7683,6 @@ static int systemctl_parse_argv(int argc, char *argv[]) { diff -Nru systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch --- systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch 2018-10-04 14:58:51.000000000 +0000 @@ -11,22 +11,22 @@ meson.build | 2 -- meson_options.txt | 2 -- rules/50-udev-default.rules.in | 5 +---- - src/login/70-uaccess.rules | 2 +- + src/login/70-uaccess.rules.m4 | 2 +- 4 files changed, 2 insertions(+), 9 deletions(-) diff --git a/meson.build b/meson.build -index 4cca9fe..7d3fa6a 100644 +index 654bc3f..8d2a0b8 100644 --- a/meson.build 
+++ b/meson.build -@@ -742,7 +742,6 @@ conf.set10('ENABLE_ADM_GROUP', get_option('adm-group')) - conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group')) - - substs.set('DEV_KVM_MODE', get_option('dev-kvm-mode')) +@@ -757,7 +757,6 @@ conf.set10('ENABLE_WHEEL_GROUP', get_option('wheel-group')) + dev_kvm_mode = get_option('dev-kvm-mode') + substs.set('DEV_KVM_MODE', dev_kvm_mode) + conf.set10('DEV_KVM_UACCESS', dev_kvm_mode != '0666') -substs.set('GROUP_RENDER_MODE', get_option('group-render-mode')) kill_user_processes = get_option('default-kill-user-processes') conf.set10('KILL_USER_PROCESSES', kill_user_processes) -@@ -2874,7 +2873,6 @@ status = [ +@@ -2895,7 +2894,6 @@ status = [ 'minimum container UID base: @0@'.format(container_uid_base_min), 'maximum container UID base: @0@'.format(container_uid_base_max), '/dev/kvm access mode: @0@'.format(get_option('dev-kvm-mode')), @@ -67,16 +67,16 @@ SUBSYSTEM=="sound", GROUP="audio", \ OPTIONS+="static_node=snd/seq", OPTIONS+="static_node=snd/timer" -diff --git a/src/login/70-uaccess.rules b/src/login/70-uaccess.rules -index 3515d29..a10cc20 100644 ---- a/src/login/70-uaccess.rules -+++ b/src/login/70-uaccess.rules +diff --git a/src/login/70-uaccess.rules.m4 b/src/login/70-uaccess.rules.m4 +index d55e5bf..e46cacb 100644 +--- a/src/login/70-uaccess.rules.m4 ++++ b/src/login/70-uaccess.rules.m4 
@@ -45,7 +45,7 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x010001*", TAG+="uaccess" SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess" # DRI video devices -SUBSYSTEM=="drm", KERNEL=="card*", TAG+="uaccess" +SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess" - - # smart-card readers - ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess" + m4_ifdef(`DEV_KVM_UACCESS',`` + # KVM + SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"'' diff -Nru systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch --- systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,47 +0,0 @@
-From: Michael Biebl
-Date: Tue, 10 Jul 2018 14:35:44 +0200
-Subject: Revert "udev-rules: Permission changes for /dev/kvm"
-
-This reverts commit b8fd3d82205f632ce001fade74fed287e1564a1a.
-
-We don't want to make /dev/kvm accessible to everyone.
-Instead we are going to keep the uaccess tag in Debian to make it
-accessible dynamically.
-Access can also be granted via group kvm, as the device will be root:kvm
-owned and have 0660 permissions.
-
-See
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887852
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892945
----
- meson_options.txt | 2 +-
- src/login/70-uaccess.rules | 3 +++
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/meson_options.txt b/meson_options.txt
-index 45c6320..46b0503 100644
---- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -178,7 +178,7 @@ option('nobody-user', type : 'string',
- option('nobody-group', type : 'string',
- description : 'The name of the nobody group (the one with GID 65534)',
- value : 'nobody')
--option('dev-kvm-mode', type : 'string', value : '0666',
-+option('dev-kvm-mode', type : 'string', value : '0660',
- description : '/dev/kvm access mode')
- option('default-kill-user-processes', type : 'boolean',
- description : 'the default value for KillUserProcesses= setting')
-diff --git a/src/login/70-uaccess.rules b/src/login/70-uaccess.rules
-index a10cc20..60da934 100644
---- a/src/login/70-uaccess.rules
-+++ b/src/login/70-uaccess.rules
-@@ -47,6 +47,9 @@ SUBSYSTEM=="firewire", ATTR{units}=="*0x00a02d:0x014001*", TAG+="uaccess"
- # DRI video devices
- SUBSYSTEM=="drm", KERNEL=="card*|renderD*", TAG+="uaccess"
- 
-+# KVM
-+SUBSYSTEM=="misc", KERNEL=="kvm", TAG+="uaccess"
-+
- # smart-card readers
- ENV{ID_SMARTCARD_READER}=="?*", TAG+="uaccess"
- 
diff -Nru systemd-239/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch systemd-239/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch
--- systemd-239/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/debian/Skip-starting-systemd-remount-fs.service-in-containers.patch 2018-10-04 14:58:51.000000000 +0000
@@ -0,0 +1,27 @@
+From: Balint Reczey
+Date: Mon, 8 May 2017 17:02:03 +0200
+Subject: Skip starting systemd-remount-fs.service in containers
+
+even when /etc/fstab is present.
+
+This allows entering fully running state even when /etc/fstab
+lists / to be mounted from a device which is not present in the
+container.
+
+LP: #1576341
+---
+ units/systemd-remount-fs.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in
+index 2e5b75e..fb3e30b 100644
+--- a/units/systemd-remount-fs.service.in
++++ b/units/systemd-remount-fs.service.in
+@@ -17,6 +17,7 @@ After=systemd-fsck-root.service
+ Before=local-fs-pre.target local-fs.target shutdown.target
+ Wants=local-fs-pre.target
+ ConditionPathExists=/etc/fstab
++ConditionVirtualization=!container
+ 
+ [Service]
+ Type=oneshot
diff -Nru systemd-239/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch systemd-239/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch
--- systemd-239/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch 2018-10-04 14:58:51.000000000 +0000
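Review bot: The patch header carries no DEP-3 `Forwarded:` field, unlike the UBUNTU-bump-selftest-timeouts patch later in this series, so it is unclear whether the `ConditionVirtualization=!container` change was ever proposed upstream or is intended to stay distro-local; adding `Forwarded: no` (or the upstream reference) would settle that for the next rebase. The header could also note the trade-off in one line — containers whose root genuinely needs the fstab-driven remount now skip it — since the unit change itself gives no hint.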
@@ -0,0 +1,28 @@
+From: Michael Vogt
+Date: Wed, 14 Feb 2018 16:38:13 +0000
+Subject: Add "AssumedApparmorLabel=unconfined" to timedate1 dbus service file
+
+A change in apparmor mediates auto-activation attempts now through
+AppArmor: https://cgit.freedesktop.org/dbus/dbus/commit/?id=dc25979eb
+
+This breaks the snapd time{zone,server}-control interfaces which limt
+sending dbus message to a (label=unconfined) org.freedesktop.timedate1
+peers.
+
+By adding the AssumedApparmorLabel=unconfined label the snapd interfaces
+work again.
+
+LP: #1749000
+---
+ src/timedate/org.freedesktop.timedate1.service | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/timedate/org.freedesktop.timedate1.service b/src/timedate/org.freedesktop.timedate1.service
+index d5f3a6e..c498b82 100644
+--- a/src/timedate/org.freedesktop.timedate1.service
++++ b/src/timedate/org.freedesktop.timedate1.service
+@@ -12,3 +12,4 @@ Name=org.freedesktop.timedate1
+ Exec=/bin/false
+ User=root
+ SystemdService=dbus-org.freedesktop.timedate1.service
++AssumedAppArmorLabel=unconfined
diff -Nru systemd-239/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch systemd-239/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch
--- systemd-239/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/debian/UBUNTU-Support-system-image-read-only-etc.patch 2018-10-04 14:58:51.000000000 +0000
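Review bot: `AssumedAppArmorLabel=unconfined` asks dbus-daemon to mediate auto-activation of org.freedesktop.timedate1 as though the not-yet-running service were unconfined; that is only accurate as long as systemd-timedated.service has no AppArmor profile attached, and a profile added later would make the activation decision diverge from the label the service actually runs under. A comment in the .service file recording the assumption, `# timedated runs unconfined; revisit if a profile is ever attached to systemd-timedated.service`, would keep the two in sync. The subject and body spell the key "AssumedApparmorLabel" while the file correctly uses `AssumedAppArmorLabel`, which is worth aligning so the header is greppable.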
@@ -0,0 +1,84 @@ +From: Martin Pitt +Date: Sat, 26 Apr 2014 23:49:32 +0200 +Subject: Support system-image read-only /etc + +On Ubuntu Phone with readonly /etc we symlink +/etc/{adjtime,localtime,timezone,hostname,machine-info} to /etc/writable/, so +we need to update those files instead if the original files are symlinks into +/etc/writable/. + +Forwarded: OMGno, this is a rather nasty hack until we fix system-image to get a writable /etc +Bug-Ubuntu: https://launchpad.net/bugs/1227520 +--- + src/hostname/hostnamed.c | 28 ++++++++++++++++++++++++---- + 1 file changed, 24 insertions(+), 4 deletions(-) + +diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c +index ee51002..96aa40a 100644 +--- a/src/hostname/hostnamed.c ++++ b/src/hostname/hostnamed.c +@@ -14,6 +14,7 @@ + #include "os-util.h" + #include "parse-util.h" + #include "path-util.h" ++#include "fs-util.h" + #include "selinux-util.h" + #include "strv.h" + #include "user-util.h" +@@ -60,6 +61,25 @@ static void context_free(Context *c) { + bus_verify_polkit_async_registry_free(c->polkit_registry); + } + ++/* Hack for Ubuntu phone: check if path is an existing symlink to ++ * /etc/writable; if it is, update that instead */ ++static const char* writable_filename(const char *path) { ++ ssize_t r; ++ static char realfile_buf[PATH_MAX]; ++ _cleanup_free_ char *realfile = NULL; ++ const char *result = path; ++ int orig_errno = errno; ++ ++ r = readlink_and_make_absolute(path, &realfile); ++ if (r >= 0 && startswith(realfile, "/etc/writable")) { ++ snprintf(realfile_buf, sizeof(realfile_buf), "%s", realfile); ++ result = realfile_buf; ++ } ++ ++ errno = orig_errno; ++ return result; ++} ++ + static int context_read_data(Context *c) { + int r; + struct utsname u; +@@ -281,12 +301,12 @@ static int context_write_data_static_hostname(Context *c) { + + if (isempty(c->data[PROP_STATIC_HOSTNAME])) { + +- if (unlink("/etc/hostname") < 0) ++ if (unlink(writable_filename("/etc/hostname")) < 0) + return errno == 
ENOENT ? 0 : -errno; + + return 0; + } +- return write_string_file_atomic_label("/etc/hostname", c->data[PROP_STATIC_HOSTNAME]); ++ return write_string_file_atomic_label(writable_filename("/etc/hostname"), c->data[PROP_STATIC_HOSTNAME]); + } + + static int context_write_data_machine_info(Context *c) { +@@ -331,13 +351,13 @@ static int context_write_data_machine_info(Context *c) { + } + + if (strv_isempty(l)) { +- if (unlink("/etc/machine-info") < 0) ++ if (unlink(writable_filename("/etc/machine-info")) < 0) + return errno == ENOENT ? 0 : -errno; + + return 0; + } + +- return write_env_file_label("/etc/machine-info", l); ++ return write_env_file_label(writable_filename("/etc/machine-info"), l); + } + + static int property_get_icon_name( diff -Nru systemd-239/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch systemd-239/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch --- systemd-239/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-bump-selftest-timeouts.patch 2018-10-04 14:58:51.000000000 +0000 
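Review bot: `startswith(realfile, "/etc/writable")` is a plain string-prefix test, so a link target such as /etc/writable-other or /etc/writableX also passes and hostnamed would then write through it; `path_startswith(realfile, "/etc/writable")` from path-util.h (already included above) matches on path components and is the safer check. writable_filename() also returns a pointer into the static `realfile_buf`, so a second call overwrites the first result and the `snprintf` silently truncates at PATH_MAX — both callers here consume the value immediately, which works, but the function comment should say `/* returns a pointer into static storage; use before the next call */`. If readlink_and_make_absolute() returns int like its siblings, `r` need not be `ssize_t`, and saving and restoring errno around it deserves a why-comment since nothing in the function reads errno.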
@@ -0,0 +1,93 @@ +From: Christian Ehrhardt +Date: Wed, 12 Sep 2018 13:10:24 +0100 +Subject: Bump the self-test timeouts to increase autopkgtest success rate + +Especially on i386 tests the systemd selftests were flaky for quite a while. +It turned out that 5/8 tests checked seemed to have worked fine but were +killed early by the timeouts expiring. +It was brought up that spectre and L1TF mitigations might have further +opened the window for these issues to trigger more often now. +Lets in our package bump the timeout which will worst case make a real bad test +slightly longer but probably safes many hours of wasted tests especially +considering how often they are jsut retried these days. +. +We might forward that upstream if for a while this proves to increase +the success rate of systemd autopkgtests. +Forwarded: no +Forward-info: need to prove with test success rate +Author: Christian Ehrhardt +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1789841 +Last-Update: 2018-08-30 +--- + test/TEST-08-ISSUE-2730/test.sh | 2 +- + test/TEST-09-ISSUE-2691/test.sh | 2 +- + test/TEST-17-UDEV-WANTS/test.sh | 2 +- + test/TEST-18-FAILUREACTION/test.sh | 2 +- + test/TEST-19-DELEGATE/test.sh | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/test/TEST-08-ISSUE-2730/test.sh b/test/TEST-08-ISSUE-2730/test.sh +index 90bf133..50d8ef1 100755 +--- a/test/TEST-08-ISSUE-2730/test.sh ++++ b/test/TEST-08-ISSUE-2730/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2730" + TEST_NO_NSPAWN=1 + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + FSTYPE=ext4 + + test_setup() { +diff --git a/test/TEST-09-ISSUE-2691/test.sh b/test/TEST-09-ISSUE-2691/test.sh +index 9b5990b..c6f0fb5 100755 +--- a/test/TEST-09-ISSUE-2691/test.sh ++++ b/test/TEST-09-ISSUE-2691/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="https://github.com/systemd/systemd/issues/2691" + TEST_NO_NSPAWN=1 + + . 
$TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=90 ++QEMU_TIMEOUT=300 + + test_setup() { + create_empty_image +diff --git a/test/TEST-17-UDEV-WANTS/test.sh b/test/TEST-17-UDEV-WANTS/test.sh +index 24989eb..074771a 100755 +--- a/test/TEST-17-UDEV-WANTS/test.sh ++++ b/test/TEST-17-UDEV-WANTS/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="UDEV SYSTEMD_WANTS property" + TEST_NO_NSPAWN=1 + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + + test_setup() { + create_empty_image +diff --git a/test/TEST-18-FAILUREACTION/test.sh b/test/TEST-18-FAILUREACTION/test.sh +index e48ba9b..ab9efd8 100755 +--- a/test/TEST-18-FAILUREACTION/test.sh ++++ b/test/TEST-18-FAILUREACTION/test.sh +@@ -5,7 +5,7 @@ set -e + TEST_DESCRIPTION="FailureAction= operation" + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + + test_setup() { + create_empty_image +diff --git a/test/TEST-19-DELEGATE/test.sh b/test/TEST-19-DELEGATE/test.sh +index 841a29c..0038be3 100755 +--- a/test/TEST-19-DELEGATE/test.sh ++++ b/test/TEST-19-DELEGATE/test.sh +@@ -6,7 +6,7 @@ TEST_DESCRIPTION="test cgroup delegation in the unifier hierarchy" + TEST_NO_NSPAWN=1 + + . $TEST_BASE_DIR/test-functions +-QEMU_TIMEOUT=180 ++QEMU_TIMEOUT=300 + UNIFIED_CGROUP_HIERARCHY=yes + + test_setup() { diff -Nru systemd-239/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch systemd-239/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch --- systemd-239/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,44 @@ +From: Dimitri John Ledkov +Date: Wed, 11 Oct 2017 12:17:03 +0100 +Subject: UBUNTU: drop unrelated settings from sysctl defaults shipped by + systemd. + +--- + sysctl.d/50-default.conf | 20 -------------------- + 1 file changed, 20 deletions(-) + +diff --git a/sysctl.d/50-default.conf b/sysctl.d/50-default.conf +index b67ae87..3050e28 100644 +--- a/sysctl.d/50-default.conf ++++ b/sysctl.d/50-default.conf +@@ -11,22 +11,6 @@ + # (e.g. /etc/sysctl.d/90-override.conf), and put any assignments + # there. + +-# System Request functionality of the kernel (SYNC) +-# +-# Use kernel.sysrq = 1 to allow all keys. +-# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html for a list +-# of values and keys. +-kernel.sysrq = 16 +- +-# Append the PID to the core filename +-kernel.core_uses_pid = 1 +- +-# Source route verification +-net.ipv4.conf.all.rp_filter = 1 +- +-# Do not accept source routing +-net.ipv4.conf.all.accept_source_route = 0 +- + # Promote secondary addresses when the primary address is removed + net.ipv4.conf.all.promote_secondaries = 1 + +@@ -35,7 +19,3 @@ net.core.default_qdisc = fq_codel + + # Request Explicit Congestion Notification (ECN) on both in and outgoing connections + net.ipv4.tcp_ecn = 1 +- +-# Enable hard and soft link protection +-fs.protected_hardlinks = 1 +-fs.protected_symlinks = 1 diff -Nru systemd-239/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch systemd-239/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch --- systemd-239/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch 2018-10-04 14:58:51.000000000 +0000 
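Review bot: The lines dropped from sysctl.d/50-default.conf include `fs.protected_hardlinks = 1`, `fs.protected_symlinks = 1`, `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.all.accept_source_route = 0`, which are hardening defaults rather than merely "unrelated" settings, and the patch description gives no rationale beyond that word. Presumably Ubuntu ships equivalent values from another package's /etc/sysctl.d snippet, but nothing in the patch records that, so a later reader cannot tell whether the protections were moved or silently lost. A sentence in the description naming where those settings now live, or a comment left in the file such as `# kernel.*, net.ipv4.conf.all.* and fs.protected_* defaults are shipped by <PACKAGE> on Ubuntu`, would close that gap.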
@@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Mon, 26 Mar 2018 13:41:15 +0100 +Subject: journald.service: set Nice=-1 to dodge watchdog on soft lockups. + +LP: #1696970 +(cherry picked from commit c5b77c35b4ec0e1812702240f272fbeea3ad4152) +--- + units/systemd-journald.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 52939e6..6fa4362 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-journald + Restart=always + RestartSec=0 + StandardOutput=null ++Nice=-1 + WatchdogSec=3min + FileDescriptorStoreMax=4224 + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE diff -Nru systemd-239/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch systemd-239/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch --- systemd-239/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,66 @@ +From: Dimitri John Ledkov +Date: Fri, 20 Apr 2018 03:24:13 +0100 +Subject: UBUNTU: networkd: if RA was implicit, do not await ndisc_configured. + +If RA was iplicit, meaning not otherwise requested, and a kernel default was in +use. Do not prevent link entering configured state, whilst ndisc configuration +is pending. Implicit kernel RA, is expected to be asynchronous and +non-blocking. + +LP: #1765173 +(cherry picked from commit 4b784890d000aab33a36f95e565469d5b76e6cbf) +--- + src/network/networkd-link.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 5975ebc..a8ad3f4 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -205,7 +205,7 @@ static bool link_proxy_arp_enabled(Link *link) { + return true; + } + +-static bool link_ipv6_accept_ra_enabled(Link *link) { ++static bool link_ipv6_accept_ra_enabled_implicit(Link *link, bool * implicit) { + assert(link); + + if (!socket_ipv6_is_supported()) +@@ -224,9 +224,12 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + * disabled if local forwarding is enabled). + * If set, ignore or enforce RA independent of local forwarding state. 
+ */ +- if (link->network->ipv6_accept_ra < 0) ++ if (link->network->ipv6_accept_ra < 0) { + /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */ ++ if (implicit) ++ *implicit = true; + return !link_ipv6_forward_enabled(link); ++ } + else if (link->network->ipv6_accept_ra > 0) + /* accept RA even if ip_forward is enabled */ + return true; +@@ -235,6 +238,10 @@ static bool link_ipv6_accept_ra_enabled(Link *link) { + return false; + } + ++static bool link_ipv6_accept_ra_enabled(Link *link) { ++ return link_ipv6_accept_ra_enabled_implicit(link, NULL); ++} ++ + static IPv6PrivacyExtensions link_ipv6_privacy_extensions(Link *link) { + assert(link); + +@@ -762,8 +769,10 @@ void link_check_ready(Link *link) { + !link->dhcp4_configured && !link->dhcp6_configured)) + return; + +- if (link_ipv6_accept_ra_enabled(link) && !link->ndisc_configured) +- return; ++ bool implicit = false; ++ if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured) ++ if (!implicit) ++ return; + } + + SET_FOREACH(a, link->addresses, i) diff -Nru systemd-239/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch systemd-239/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch --- systemd-239/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch 2018-10-04 14:58:51.000000000 +0000 
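Review bot: The new lines in link_check_ready() nest two brace-less ifs, `if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured) if (!implicit) return;`, which reads the same as the single condition `if (link_ipv6_accept_ra_enabled_implicit(link, &implicit) && !link->ndisc_configured && !implicit) return;` without the dangling-else trap. The `bool implicit = false;` declared after executable statements and the `bool * implicit` spelling in the new signature also depart from the surrounding systemd style (declarations at the top of the block, `bool *implicit`). link_check_ready() begins outside the hunk. The out-parameter of the new _implicit variant is undocumented; a comment such as `/* If non-NULL, *implicit is set to true when ipv6_accept_ra was not configured explicitly and the kernel default decides. */` would explain why two entry points exist.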
@@ -0,0 +1,50 @@ +From: Dimitri John Ledkov +Date: Fri, 6 Apr 2018 14:53:39 +0100 +Subject: UBUNTU resolved: Listen on both TCP and UDP by default. + +LP: #1731522 +--- + man/resolved.conf.xml | 4 ++-- + src/resolve/resolved-manager.c | 2 +- + src/resolve/resolved.conf.in | 2 +- + 3 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/man/resolved.conf.xml b/man/resolved.conf.xml +index c36c303..613b11a 100644 +--- a/man/resolved.conf.xml ++++ b/man/resolved.conf.xml +@@ -239,9 +239,9 @@ + + DNSStubListener= + Takes a boolean argument or one of udp and tcp. If +- udp (the default), a DNS stub resolver will listen for UDP requests on address 127.0.0.53 ++ udp, a DNS stub resolver will listen for UDP requests on address 127.0.0.53 + port 53. If tcp, the stub will listen for TCP requests on the same address and port. If +- yes, the stub listens for both UDP and TCP requests. If no, the stub ++ yes (the default), the stub listens for both UDP and TCP requests. If no, the stub + listener is disabled. 
+ + Note that the DNS stub listener is turned off implicitly when its listening address and port are already +diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c +index d47f502..228ffc0 100644 +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -577,7 +577,7 @@ int manager_new(Manager **ret) { + m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->dns_over_tls_mode = DEFAULT_DNS_OVER_TLS_MODE; + m->enable_cache = true; +- m->dns_stub_listener_mode = DNS_STUB_LISTENER_UDP; ++ m->dns_stub_listener_mode = DNS_STUB_LISTENER_YES; + m->read_resolv_conf = true; + m->need_builtin_fallbacks = true; + m->etc_hosts_last = m->etc_hosts_mtime = USEC_INFINITY; +diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in +index 50601d6..7bb3a10 100644 +--- a/src/resolve/resolved.conf.in ++++ b/src/resolve/resolved.conf.in +@@ -20,4 +20,4 @@ + #DNSSEC=@DEFAULT_DNSSEC_MODE@ + #DNSOverTLS=@DEFAULT_DNS_OVER_TLS_MODE@ + #Cache=yes +-#DNSStubListener=udp ++#DNSStubListener=yes diff -Nru systemd-239/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch systemd-239/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch --- systemd-239/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,40 @@ +From: Dimitri John Ledkov +Date: Fri, 9 Feb 2018 15:57:54 +0000 +Subject: UBUNTU: resolved: disable global LLMNR and MulticastDNS by default. + +LP: #1739672 +--- + src/resolve/resolved-manager.c | 4 ++-- + src/resolve/resolved.conf.in | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c +index 01372fc..d47f502 100644 +--- a/src/resolve/resolved-manager.c ++++ b/src/resolve/resolved-manager.c +@@ -572,8 +572,8 @@ int manager_new(Manager **ret) { + m->dns_stub_udp_fd = m->dns_stub_tcp_fd = -1; + m->hostname_fd = -1; + +- m->llmnr_support = RESOLVE_SUPPORT_YES; +- m->mdns_support = RESOLVE_SUPPORT_YES; ++ m->llmnr_support = RESOLVE_SUPPORT_NO; ++ m->mdns_support = RESOLVE_SUPPORT_NO; + m->dnssec_mode = DEFAULT_DNSSEC_MODE; + m->dns_over_tls_mode = DEFAULT_DNS_OVER_TLS_MODE; + m->enable_cache = true; +diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in +index 2528340..50601d6 100644 +--- a/src/resolve/resolved.conf.in ++++ b/src/resolve/resolved.conf.in +@@ -15,8 +15,8 @@ + #DNS= + #FallbackDNS=@DNS_SERVERS@ + #Domains= +-#LLMNR=yes +-#MulticastDNS=yes ++#LLMNR=no ++#MulticastDNS=no + #DNSSEC=@DEFAULT_DNSSEC_MODE@ + #DNSOverTLS=@DEFAULT_DNS_OVER_TLS_MODE@ + #Cache=yes diff -Nru systemd-239/debian/patches/debian/UBUNTU-revert-networkd-unify-set-MTU.patch systemd-239/debian/patches/debian/UBUNTU-revert-networkd-unify-set-MTU.patch --- systemd-239/debian/patches/debian/UBUNTU-revert-networkd-unify-set-MTU.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-revert-networkd-unify-set-MTU.patch 2018-10-04 14:58:51.000000000 +0000 
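Review bot: The defaults are flipped in manager_new() and in resolved.conf.in, but unlike the neighbouring DNSStubListener patch, which also edits man/resolved.conf.xml, no man page hunk is included; if resolved.conf(5) states that LLMNR= and MulticastDNS= default to yes, it now documents the wrong Ubuntu default. Adding the corresponding `Defaults to no on Ubuntu` wording to those two entries, or a line in the patch description saying the man page is intentionally left as upstream, keeps the shipped documentation consistent with the binary.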
@@ -0,0 +1,80 @@ +From: Dimitri John Ledkov +Date: Tue, 21 Aug 2018 21:47:55 +0100 +Subject: Revert "networkd: Unify set MTU" + +This reverts commit 44b598a1c9d11c23420a5ef45ff11bcb0ed195eb. + +Bug-Upstream: https://github.com/systemd/systemd/issues/9890 +--- + src/network/networkd-link.c | 44 ++++++++++++++++++++------------------------ + 1 file changed, 20 insertions(+), 24 deletions(-) + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 2061ad6..d1b3c12 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1313,24 +1313,6 @@ int link_set_mtu(Link *link, uint32_t mtu) { + if (r < 0) + return log_link_error_errno(link, r, "Could not allocate RTM_SETLINK message: %m"); + +- /* If IPv6 not configured (no static IPv6 address and IPv6LL autoconfiguration is disabled) +- for this interface, or if it is a bridge slave, then disable IPv6 else enable it. */ +- (void) link_enable_ipv6(link); +- +- /* IPv6 protocol requires a minimum MTU of IPV6_MTU_MIN(1280) bytes +- on the interface. Bump up MTU bytes to IPV6_MTU_MIN. */ +- if (link_ipv6_enabled(link) && link->network->mtu < IPV6_MIN_MTU) { +- +- log_link_warning(link, "Bumping MTU to " STRINGIFY(IPV6_MIN_MTU) ", as " +- "IPv6 is requested and requires a minimum MTU of " STRINGIFY(IPV6_MIN_MTU) " bytes: %m"); +- +- link->network->mtu = IPV6_MIN_MTU; +- } +- +- r = sd_netlink_message_append_u32(req, IFLA_MTU, link->network->mtu); +- if (r < 0) +- return log_link_error_errno(link, r, "Could not set MTU: %m"); +- + r = sd_netlink_message_append_u32(req, IFLA_MTU, mtu); + if (r < 0) + return log_link_error_errno(link, r, "Could not append MTU: %m"); +@@ -1798,6 +1780,26 @@ int link_up(Link *link) { + return log_link_error_errno(link, r, "Could not set MAC address: %m"); + } + ++ /* If IPv6 not configured (no static IPv6 address and IPv6LL autoconfiguration is disabled) ++ for this interface, or if it is a bridge slave, then disable IPv6 else enable it. 
*/ ++ (void) link_enable_ipv6(link); ++ ++ if (link->network->mtu != 0) { ++ /* IPv6 protocol requires a minimum MTU of IPV6_MTU_MIN(1280) bytes ++ on the interface. Bump up MTU bytes to IPV6_MTU_MIN. */ ++ if (link_ipv6_enabled(link) && link->network->mtu < IPV6_MIN_MTU) { ++ ++ log_link_warning(link, "Bumping MTU to " STRINGIFY(IPV6_MIN_MTU) ", as " ++ "IPv6 is requested and requires a minimum MTU of " STRINGIFY(IPV6_MIN_MTU) " bytes: %m"); ++ ++ link->network->mtu = IPV6_MIN_MTU; ++ } ++ ++ r = sd_netlink_message_append_u32(req, IFLA_MTU, link->network->mtu); ++ if (r < 0) ++ return log_link_error_errno(link, r, "Could not set MTU: %m"); ++ } ++ + r = sd_netlink_message_open_container(req, IFLA_AF_SPEC); + if (r < 0) + return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m"); +@@ -2871,12 +2873,6 @@ static int link_configure(Link *link) { + return r; + } + +- if (link->network->mtu > 0) { +- r = link_set_mtu(link, link->network->mtu); +- if (r < 0) +- return r; +- } +- + if (link_has_carrier(link) || link->network->configure_without_carrier) { + r = link_acquire_conf(link); + if (r < 0) diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch systemd-239/debian/patches/debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch --- systemd-239/debian/patches/debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch 2018-10-04 14:58:51.000000000 +0000 
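Review bot: After the revert, link_set_mtu() appends whatever `mtu` it is handed with no IPV6_MIN_MTU floor, while the floor now applies only to the static `link->network->mtu` inside link_up(); if link_set_mtu() retains callers other than the removed one in link_configure() (for example an MTU learned from DHCP — not visible in this hunk), an IPv6-enabled link can end up below 1280 bytes through that path. Either re-adding the floor in link_set_mtu() or stating the contract above the remaining append, `/* Caller must enforce IPV6_MIN_MTU on IPv6-enabled links; see link_up() */`, would make the split responsibility explicit. The body of link_set_mtu() begins outside the hunk.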
@@ -0,0 +1,37 @@ +From: Dimitri John Ledkov +Date: Thu, 26 Jul 2018 15:52:04 +0100 +Subject: test-execute: fix execution expectations in containers + +Under default LXD/LXC, certain tests fail as shown, thus conditionalize the +expectations... For some cases, the units fail to start due to permission +errors, or do run but exit badly. +--- + src/test/test-execute.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/test/test-execute.c b/src/test/test-execute.c +index fa8efdd..9e2c8e7 100644 +--- a/src/test/test-execute.c ++++ b/src/test/test-execute.c +@@ -600,13 +600,19 @@ static void test_exec_privatenetwork(Manager *m) { + + static void test_exec_oomscoreadjust(Manager *m) { + test(m, "exec-oomscoreadjust-positive.service", 0, CLD_EXITED); +- test(m, "exec-oomscoreadjust-negative.service", 0, CLD_EXITED); ++ if (detect_container() > 0) ++ test(m, "exec-oomscoreadjust-negative.service", 1, CLD_EXITED); ++ else ++ test(m, "exec-oomscoreadjust-negative.service", 0, CLD_EXITED); + } + + static void test_exec_ioschedulingclass(Manager *m) { + test(m, "exec-ioschedulingclass-none.service", 0, CLD_EXITED); + test(m, "exec-ioschedulingclass-idle.service", 0, CLD_EXITED); +- test(m, "exec-ioschedulingclass-realtime.service", 0, CLD_EXITED); ++ if (detect_container() > 0) ++ test(m, "exec-ioschedulingclass-realtime.service", 211, CLD_EXITED); ++ else ++ test(m, "exec-ioschedulingclass-realtime.service", 0, CLD_EXITED); + test(m, "exec-ioschedulingclass-best-effort.service", 0, CLD_EXITED); + } + diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch systemd-239/debian/patches/debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch --- systemd-239/debian/patches/debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
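Review bot: The container-specific expectations in test_exec_oomscoreadjust() and test_exec_ioschedulingclass() use the bare numbers 1 and 211 with nothing saying what failure they encode; systemd's exit-status.h provides symbolic names for the 2xx range (EXIT_IOPRIO, if that is what 211 corresponds to here), and the description's "permission errors" explains neither value. A comment on each branch, e.g. `/* unprivileged container: setting a negative OOM score adjustment fails, unit exits 1 */`, or the symbolic constant in place of 211, would keep the test self-explanatory. The two `detect_container() > 0` calls could also be hoisted into one local if the file already does that elsewhere.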
systemd-239/debian/patches/debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch 2018-10-04 14:58:51.000000000 +0000 @@ -0,0 +1,31 @@ +From: Dimitri John Ledkov +Date: Thu, 26 Jul 2018 16:14:57 +0100 +Subject: test-fd-util: test_rearrange_stdio fails in a container. + +In LXD container, test_rearrange_stdio fails / aborts. +--- + src/test/test-fd-util.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/test/test-fd-util.c b/src/test/test-fd-util.c +index a04403d..a567ee0 100644 +--- a/src/test/test-fd-util.c ++++ b/src/test/test-fd-util.c +@@ -12,6 +12,7 @@ + #include "random-util.h" + #include "string-util.h" + #include "util.h" ++#include "virt.h" + + static void test_close_many(void) { + int fds[3]; +@@ -161,6 +162,9 @@ static void test_rearrange_stdio(void) { + pid_t pid; + int r; + ++ if (detect_container() > 0) ++ return; ++ + r = safe_fork("rearrange", FORK_WAIT|FORK_LOG, &pid); + assert_se(r >= 0); + diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch systemd-239/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch --- systemd-239/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-fs-utils-detect-container.patch 2018-10-04 14:58:51.000000000 +0000 
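Review bot: The early `return` added to test_rearrange_stdio() skips the test silently, so a container run reports success with no trace that the check never ran; the test-sleep patch on this page logs its skip, and the same `log_info("Skipping test_rearrange_stdio, running in a container");` before the return would keep the two consistent and make CI logs honest about coverage. A one-line comment on why the test aborts in LXD (the description says only that it "fails / aborts") would also help whoever later tries to re-enable it.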
@@ -0,0 +1,33 @@ +From: Dimitri John Ledkov +Date: Fri, 16 Feb 2018 13:22:49 +0000 +Subject: test/test-fs-util: detect container, in addition to root. + +On armhf, during autopkgtests, whilst root is avilable, full capabilities in +parent namespace are not, since the tests are run in an LXD container. + +This should resolve armhf test failure. +--- + src/test/test-fs-util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/test/test-fs-util.c b/src/test/test-fs-util.c +index b319745..2766f32 100644 +--- a/src/test/test-fs-util.c ++++ b/src/test/test-fs-util.c +@@ -17,6 +17,7 @@ + #include "strv.h" + #include "user-util.h" + #include "util.h" ++#include "virt.h" + + static void test_chase_symlinks(void) { + _cleanup_free_ char *result = NULL; +@@ -518,7 +519,7 @@ static void test_touch_file(void) { + assert_se((st.st_mode & 0777) == 0640); + assert_se(timespec_load(&st.st_mtim) == test_mtime); + +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !detect_container()) { + a = strjoina(p, "/cdev"); + assert_se(mknod(a, 0775 | S_IFCHR, makedev(0, 0)) >= 0); + assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0); diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch systemd-239/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch --- systemd-239/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch 2018-10-04 14:58:51.000000000 +0000 
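Review bot: `geteuid() == 0 && !detect_container()` treats a negative (error) return from detect_container() the same as "in a container" and skips the mknod checks, whereas the test-execute and test-fd-util patches on this page use `detect_container() > 0`; the three should agree, and `detect_container() <= 0` here (or `> 0` with the branch inverted) is the form that only skips when a container is positively detected. A short comment such as `/* mknod needs CAP_MKNOD in the initial user namespace, which LXD does not grant */` would record the reason the description gives for the skip.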
@@ -0,0 +1,26 @@ +From: Dimitri John Ledkov +Date: Wed, 8 Nov 2017 16:25:45 +0000 +Subject: UBUNTU: test-process-util: fails to verify cmdline changes in unpriv + user-namespace. + +Thus skip these asserts when running $ sudo ./test-process-util in an +unpriviledged user namespaced containers. + +(cherry picked from commit 86a4129d308602a1d2ba80b47863b32bec2059df) +--- + src/test/test-process-util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-process-util.c b/src/test/test-process-util.c +index fd4d174..201c0a3 100644 +--- a/src/test/test-process-util.c ++++ b/src/test/test-process-util.c +@@ -396,7 +396,7 @@ static void test_rename_process_now(const char *p, int ret) { + + assert_se(get_process_cmdline(0, 0, false, &cmdline) >= 0); + /* we cannot expect cmdline to be renamed properly without privileges */ +- if (geteuid() == 0) { ++ if (geteuid() == 0 && !running_in_userns()) { + log_info("cmdline = <%s>", cmdline); + assert_se(strneq(p, cmdline, STRLEN("test-process-util"))); + assert_se(startswith(p, cmdline)); diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch systemd-239/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch --- systemd-239/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,23 @@ +From: Dimitri John Ledkov +Date: Wed, 1 Aug 2018 20:09:39 +0100 +Subject: test-sleep: skip test_fiemap upon inapproriate ioctl for device. + +On v4.4 kernels, on top of btrfs ephemeral lxd v3.0 containers generate this +other error code, instead of not supported. Skip the test for both error codes. +--- + src/test/test-sleep.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/test/test-sleep.c b/src/test/test-sleep.c +index a8ad302..b26453c 100644 +--- a/src/test/test-sleep.c ++++ b/src/test/test-sleep.c +@@ -26,7 +26,7 @@ static int test_fiemap(const char *path) { + if (fd < 0) + return log_error_errno(errno, "failed to open %s: %m", path); + r = read_fiemap(fd, &fiemap); +- if (r == -EOPNOTSUPP) { ++ if (IN_SET(r, -EOPNOTSUPP, -ENOTTY)) { + log_info("Skipping test, not supported"); + exit(EXIT_TEST_SKIP); + } diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch systemd-239/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch --- systemd-239/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-test-functions-drop-all-prefixes.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,45 @@ +From: Dimitri John Ledkov +Date: Mon, 6 Nov 2017 16:00:13 +0000 +Subject: UBUNTU: test/test-functions: drop all prefixes + +When parsing and installing binaries mentioned in Exec*= lines the +5ed0dcf4d552271115d96d8d22b1a25494b85277 commit added parsing logic to drop +prefixes, including handling duplicate exclamation marks. But this did not +handle arbitrary combination of multiple prefixes, ie. StartExec=+-/bin/sh was +parsed as -/bin/sh which then would fail to install. + +Instead of using egrep and shell replacements, replace both with sed command +that does it all. This sed script extract a group of characters starting with a +/ up to the first space (if any) after the equals sign. This correctly handles +existing non-prefixed, prefixed, multiple-prefixed commands. + +About half commands seem to repeat themself, thus sort -u cuts the list of +binaries to install about in half. + +To validate change of behaviour both old and new functions were modified to +echo parsed binaries into separate files, and then diffed. The incorrect +-/bin/sh was missing in the new output. + +Without this patch tests fail on default Ubuntu installs. 
+ +(cherry picked from commit 84c0a34987d00158e943e3151a1fe21caa78d40c) +--- + test/test-functions | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/test/test-functions b/test/test-functions +index e69420a..2e05298 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -433,9 +433,8 @@ install_execs() { + export PKG_CONFIG_PATH=$BUILD_DIR/src/core/ + systemdsystemunitdir=$(pkg-config --variable=systemdsystemunitdir systemd) + systemduserunitdir=$(pkg-config --variable=systemduserunitdir systemd) +- egrep -ho '^Exec[^ ]*=[^ ]+' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \ +- | while read i; do +- i=${i##Exec*=}; i=${i##[@+\!-]}; i=${i##\!} ++ sed -n 's|^Exec[a-zA-Z]*=[^/]*\(/[^ ]*\).*|\1|gp' $initdir/{$systemdsystemunitdir,$systemduserunitdir}/*.service \ ++ | sort -u | while read i; do + # some {rc,halt}.local scripts and programs are okay to not exist, the rest should + inst $i || [ "${i%.local}" != "$i" ] || [ "${i%systemd-update-done}" != "$i" ] + done diff -Nru systemd-239/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch systemd-239/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch --- systemd-239/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch 2018-10-04 14:58:51.000000000 +0000 
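Review bot: In the new `sed -n 's|^Exec[a-zA-Z]*=[^/]*\(/[^ ]*\).*|\1|gp'` the `g` flag is a no-op because the pattern is anchored at `^` and consumes the rest of the line, so it can be dropped to avoid suggesting multiple substitutions per line. The consumer loop `while read i` should be `while read -r i` so that a backslash in a path is not interpreted. Note also that `[^/]*` skips to the first `/` anywhere after `=`, so an Exec value whose first word is not a path would yield a later argument that happens to start with `/`; if that cannot occur in the installed units it is worth a one-line comment above the sed, e.g. `# extract the first absolute path after Exec*=, dropping any -/+/@/! prefixes`.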
@@ -0,0 +1,23 @@ +From: Dimitri John Ledkov +Date: Fri, 16 Feb 2018 13:28:31 +0000 +Subject: test/test-functions: launch qemu with -vga none + +When booting ppc64el virtual machines, they require seabios, unless -vga none +is specified. Since we do a direct kernel & initrd boot, with -nographic, we +really have no need for vga or seabios in this case. +--- + test/test-functions | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/test/test-functions b/test/test-functions +index 2e05298..cad414e 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -133,6 +133,7 @@ $KERNEL_APPEND \ + -net none \ + -m 512M \ + -nographic \ ++-vga none \ + -kernel $KERNEL_BIN \ + -drive format=raw,cache=unsafe,file=${TESTDIR}/rootdisk.img \ + " diff -Nru systemd-239/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch systemd-239/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch --- systemd-239/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,38 @@ +From: Dimitri John Ledkov +Date: Thu, 26 Jul 2018 14:22:25 +0100 +Subject: units: block CAP_SYS_MODULE units in containers too + +lxd/lxc usually keep the usernamespace capabilities, whilst in practice one +does not have these in the initial namespace. Thus add additional condition +!container, such that sys-kernel-config.mount and systemd-modules.load.service +are not started in the lxd containers. This should make default lxd containers +start non-degraded. +--- + units/sys-kernel-config.mount | 1 + + units/systemd-modules-load.service.in | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount +index e213ca5..57ba0b1 100644 +--- a/units/sys-kernel-config.mount ++++ b/units/sys-kernel-config.mount +@@ -14,6 +14,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems + DefaultDependencies=no + ConditionPathExists=/sys/kernel/config + ConditionCapability=CAP_SYS_RAWIO ++ConditionVirtualization=!container + After=systemd-modules-load.service + Before=sysinit.target + +diff --git a/units/systemd-modules-load.service.in b/units/systemd-modules-load.service.in +index 26abe21..73a8d67 100644 +--- a/units/systemd-modules-load.service.in ++++ b/units/systemd-modules-load.service.in +@@ -14,6 +14,7 @@ DefaultDependencies=no + Conflicts=shutdown.target + Before=sysinit.target shutdown.target + ConditionCapability=CAP_SYS_MODULE ++ConditionVirtualization=!container + ConditionDirectoryNotEmpty=|/lib/modules-load.d + ConditionDirectoryNotEmpty=|/usr/lib/modules-load.d + ConditionDirectoryNotEmpty=|/usr/local/lib/modules-load.d diff -Nru systemd-239/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch systemd-239/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch --- systemd-239/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
systemd-239/debian/patches/debian/UBUNTU-units-disable-journald-watchdog.patch 2018-10-04 14:58:51.000000000 +0000 @@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Thu, 4 Oct 2018 15:25:50 +0100 +Subject: units: Disable journald Watchdog + https://github.com/systemd/systemd/issues/9079 + +LP: #1773148 +--- + units/systemd-journald.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in +index 6fa4362..b3e5499 100644 +--- a/units/systemd-journald.service.in ++++ b/units/systemd-journald.service.in +@@ -23,7 +23,6 @@ Restart=always + RestartSec=0 + StandardOutput=null + Nice=-1 +-WatchdogSec=3min + FileDescriptorStoreMax=4224 + CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE + MemoryDenyWriteExecute=yes diff -Nru systemd-239/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch systemd-239/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch --- systemd-239/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch 2018-10-04 14:58:51.000000000 +0000 
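Review bot: With `WatchdogSec=3min` removed, a journald that stops responding is no longer restarted by the service manager; the `Restart=always` left in the unit only acts on exits, so a wedged journald now persists until something else notices. The patch description points at upstream issue 9079 and LP #1773148, but the installed unit carries no trace of why the watchdog is absent, so a comment in the unit such as `# WatchdogSec= dropped on Ubuntu (LP: #1773148, upstream #9079); restore once the upstream issue is resolved` would keep the deviation discoverable and mark it as intended to be temporary.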
@@ -0,0 +1,42 @@ +From: Dimitri John Ledkov +Date: Mon, 26 Mar 2018 13:17:01 +0100 +Subject: wait-online: exit, if no links are managed. + +(cherry picked from commit 19d11f607ac0f8b1e31f72a8e9d3d44371b9dadb) +--- + src/network/wait-online/manager.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/src/network/wait-online/manager.c b/src/network/wait-online/manager.c +index ccda93b..c971f91 100644 +--- a/src/network/wait-online/manager.c ++++ b/src/network/wait-online/manager.c +@@ -36,6 +36,7 @@ bool manager_all_configured(Manager *m) { + Link *l; + char **ifname; + bool one_ready = false; ++ bool none_managed = true; + + /* wait for all the links given on the command line to appear */ + STRV_FOREACH(ifname, m->interfaces) { +@@ -66,6 +67,11 @@ bool manager_all_configured(Manager *m) { + return false; + } + ++ if (STR_IN_SET(l->state, "configured", "failed")) { ++ log_info("managing: %s", l->ifname); ++ none_managed = false; ++ } ++ + if (l->operational_state && + STR_IN_SET(l->operational_state, "degraded", "routable")) + /* we wait for at least one link to be ready, +@@ -73,7 +79,7 @@ bool manager_all_configured(Manager *m) { + one_ready = true; + } + +- return one_ready; ++ return one_ready || none_managed; + } + + static int manager_process_link(sd_netlink *rtnl, sd_netlink_message *mm, void *userdata) { diff -Nru systemd-239/debian/patches/debian/Ubuntu-UseDomains-by-default.patch systemd-239/debian/patches/debian/Ubuntu-UseDomains-by-default.patch --- systemd-239/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/Ubuntu-UseDomains-by-default.patch 2018-10-04 14:58:51.000000000 +0000 
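Review bot: `log_info("managing: %s", l->ifname)` sits inside the per-link loop of manager_all_configured(), which is re-evaluated whenever the manager polls, so it prints one line per managed link on every evaluation; `log_debug` is the level this kind of state trace belongs at. Separately, a link in state `failed` clears `none_managed` without ever setting `one_ready`, so a host whose only link fails configuration keeps waiting for the full timeout — if that is the intended semantics it deserves a comment on the new block, e.g. `/* "failed" still counts as managed: keep waiting rather than declare the system online */`. The function begins before this hunk, so links that leave the loop on an earlier path never reach the new check.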
@@ -0,0 +1,75 @@ +From: Dimitri John Ledkov +Date: Thu, 20 Jul 2017 13:48:31 +0100 +Subject: Set UseDomains to true, by default, on Ubuntu. + +On Ubuntu, fallback DNS servers are disabled, therefore we do not leak queries +to a preset 3rd party by default. In resolved, dnssec is also disabled by +default, as too much of the internet is broken and using Ubuntu users to debug +the internet is not very productive - most of the time the end-user cannot fix +or know how to notify the site owners about the dnssec mistakes. Inherintally +the DHCP acquired DNS servers are therefore trusted, and are free to spoof +records. Not trusting DNS search domains, in such scenario, provides limited +security or privacy benefits. From user point of view, this also appears to be +a regression from previous Ubuntu releases which do trust DHCP acquired search +domains by default. + +Therefore we are enabling UseDomains by default on Ubuntu. + +Users may override this setting in the .network files by specifying +[DHCP|IPv6AcceptRA] UseDomains=no|route options. +--- + man/systemd.network.xml | 6 +++--- + src/network/networkd-network.c | 2 ++ + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index f0076cd..5f3eba3 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -301,7 +301,7 @@ + IPv6AcceptRA=. + + Furthermore, note that by default the domain name +- specified through DHCP is not used for name resolution. ++ specified through DHCP, on Ubuntu, are used for name resolution. + See option below. + + See the [DHCP] section below for further configuration options for the DHCP client +@@ -1214,7 +1214,7 @@ + the setting. If set to route, the domain name received from + the DHCP server will be used for routing DNS queries only, but not for searching, similar to the effect of + the setting when the argument is prefixed with ~. Defaults to +- false. ++ true on Ubuntu. 
+ + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +@@ -1390,7 +1390,7 @@ + the effect of the setting. If set to route, the domain name + received via IPv6 RA will be used for routing DNS queries only, but not for searching, similar to the + effect of the setting when the argument is prefixed with +- ~. Defaults to false. ++ ~. Defaults to true on Ubuntu. + + It is recommended to enable this option only on trusted networks, as setting this affects resolution + of all host names, in particular of single-label names. It is generally safer to use the supplied domain +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 6bfd017..fa18617 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -194,6 +194,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->dhcp_use_routes = true; + /* NOTE: this var might be overwriten by network_apply_anonymize_if_set */ + network->dhcp_send_hostname = true; ++ network->dhcp_use_domains = DHCP_USE_DOMAINS_YES; + /* To enable/disable RFC7844 Anonymity Profiles */ + network->dhcp_anonymize = false; + network->dhcp_route_metric = DHCP_ROUTE_METRIC; +@@ -246,6 +247,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->multicast = -1; + network->allmulticast = -1; + network->ipv6_accept_ra_use_dns = true; ++ network->ipv6_accept_ra_use_domains = DHCP_USE_DOMAINS_YES; + network->ipv6_accept_ra_route_table = RT_TABLE_MAIN; + network->ipv6_mtu = 0; + diff -Nru systemd-239/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch systemd-239/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch --- systemd-239/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 
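Review bot: The man page text two lines below each changed default still says the option should only be enabled on trusted networks, and the new code defaults (`DHCP_USE_DOMAINS_YES` for both DHCP and IPv6 RA) enable it on every network, so a DHCP server on an untrusted network now supplies the suffix appended to every single-label lookup on the host. If the aim is to stop the regression for users who expect DHCP search domains, `DHCP_USE_DOMAINS_ROUTE` — the `route` behaviour the same man page paragraph describes — routes queries for the received domain without adding it to the search list, which is the exposure the warning is about; if `yes` is deliberate, the trusted-networks paragraph should be reworded to say so and to show the `UseDomains=no` override the description mentions. Also, `specified through DHCP, on Ubuntu, are used` should read `is used`.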
1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,39 @@ +From: Dimitri John Ledkov +Date: Tue, 1 Aug 2017 17:38:05 +0100 +Subject: core: in execute, soft fail setting Nice priority, + when permissions are denied + +In unpriviledged containers Nice priority setting may not be permitted. Thus +log and ignore permission failure to set Nice priority in such +environments. This is similar to how OOMScoreAdjust is treated. +--- + src/core/execute.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/src/core/execute.c b/src/core/execute.c +index 8ac69d1..9e04016 100644 +--- a/src/core/execute.c ++++ b/src/core/execute.c +@@ -2947,11 +2947,17 @@ static int exec_child( + } + } + +- if (context->nice_set) +- if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) { +- *exit_status = EXIT_NICE; +- return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m"); +- } ++ if (context->nice_set) { ++ r = setpriority(PRIO_PROCESS, 0, context->nice); ++ if (r == -EPERM || r == -EACCES) { ++ log_open(); ++ log_unit_debug_errno(unit, r, "Failed to adjust Nice setting, assuming containerized execution, ignoring: %m"); ++ log_close(); ++ } else if (r < 0) { ++ *exit_status = EXIT_NICE; ++ return log_unit_error_errno(unit, errno, "Failed to set up process scheduling priority (nice level): %m"); ++ } ++ } + + if (context->cpu_sched_set) { + struct sched_param param = { diff -Nru systemd-239/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch systemd-239/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch --- systemd-239/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch 2018-10-04 14:58:51.000000000 +0000 
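Review bot: `setpriority()` returns -1 and sets errno on failure; it does not return a negative errno, so `r == -EPERM` is true for every failure (EPERM is 1 on Linux) and the `r == -EACCES` comparison is dead. As written, any setpriority error — including an invalid request — is logged at debug level as "containerized execution" and ignored, which also means a misconfigured `Nice=` never fails the unit. Test errno instead and keep the tolerated case limited to the two permission errors; exec_child() begins and ends outside this hunk.
```c
                if (context->nice_set)
                        if (setpriority(PRIO_PROCESS, 0, context->nice) < 0) {
                                r = -errno;
                                if (r == -EPERM || r == -EACCES) {
                                        log_open();
                                        log_unit_debug_errno(unit, r, "Failed to adjust Nice setting, assuming containerized execution, ignoring: %m");
                                        log_close();
                                } else {
                                        *exit_status = EXIT_NICE;
                                        return log_unit_error_errno(unit, r, "Failed to set up process scheduling priority (nice level): %m");
                                }
                        }
                /* … unchanged: cpu_sched_set handling … */
```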
@@ -0,0 +1,22 @@ +From: Dimitri John Ledkov +Date: Wed, 2 Aug 2017 00:40:28 +0100 +Subject: units: set ConditionVirtualization=!private-users on journald audit + socket + +As it fails to start in an unpriviledged container. +--- + units/systemd-journald-audit.socket | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/units/systemd-journald-audit.socket b/units/systemd-journald-audit.socket +index cb8b774..6649934 100644 +--- a/units/systemd-journald-audit.socket ++++ b/units/systemd-journald-audit.socket +@@ -14,6 +14,7 @@ DefaultDependencies=no + Before=sockets.target + ConditionSecurity=audit + ConditionCapability=CAP_AUDIT_READ ++ConditionVirtualization=!private-users + + [Socket] + Service=systemd-journald.service diff -Nru systemd-239/debian/patches/debian/Use-Debian-specific-config-files.patch systemd-239/debian/patches/debian/Use-Debian-specific-config-files.patch --- systemd-239/debian/patches/debian/Use-Debian-specific-config-files.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/Use-Debian-specific-config-files.patch 2018-10-04 14:58:51.000000000 +0000 @@ -390,10 +390,10 @@ return r; } diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c -index 82eb213..accdffa 100644 +index 3b70939..cffaf07 100644 --- a/src/timedate/timedated.c +++ b/src/timedate/timedated.c -@@ -203,6 +203,7 @@ static int context_read_data(Context *c) { +@@ -211,6 +211,7 @@ static int context_read_data(Context *c) { static int context_write_data_timezone(Context *c) { _cleanup_free_ char *p = NULL; int r = 0; @@ -401,7 +401,7 @@ assert(c); -@@ -210,6 +211,9 @@ static int context_write_data_timezone(Context *c) { +@@ -218,6 +219,9 @@ static int context_write_data_timezone(Context *c) { if (unlink("/etc/localtime") < 0 && errno != ENOENT) r = -errno; 
@@ -411,7 +411,7 @@ return r; } -@@ -221,6 +225,12 @@ static int context_write_data_timezone(Context *c) { +@@ -229,6 +233,12 @@ static int context_write_data_timezone(Context *c) { if (r < 0) return r; diff -Nru systemd-239/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch systemd-239/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch --- systemd-239/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2018-10-04 14:58:51.000000000 +0000 @@ -239,10 +239,10 @@ + + diff --git a/meson.build b/meson.build -index 04331dd..4cca9fe 100644 +index e1dc2ca..654bc3f 100644 --- a/meson.build +++ b/meson.build -@@ -2181,6 +2181,14 @@ executable('systemd-makefs', +@@ -2202,6 +2202,14 @@ executable('systemd-makefs', install : true, install_dir : rootlibexecdir) diff -Nru systemd-239/debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch systemd-239/debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch --- systemd-239/debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/exec-util-in-execute_directories-support-initial-exec-env.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,229 @@ +From: Dimitri John Ledkov +Date: Wed, 12 Sep 2018 18:19:13 +0100 +Subject: exec-util: in execute_directories, support initial exec environment + +(cherry picked from commit 78ec1bb436fb18df3b56212c442cc4775a136d1a) +--- + src/basic/exec-util.c | 13 +++++++++---- + src/basic/exec-util.h | 3 ++- + src/core/manager.c | 4 ++-- + src/core/shutdown.c | 2 +- + src/sleep/sleep.c | 4 ++-- + src/test/test-exec-util.c | 43 ++++++++++++++++++++++++++++++++++++------- + 6 files changed, 52 insertions(+), 17 deletions(-) + +diff --git a/src/basic/exec-util.c b/src/basic/exec-util.c +index 7e336f9..e8af191 100644 +--- a/src/basic/exec-util.c ++++ b/src/basic/exec-util.c +@@ -71,11 +71,12 @@ static int do_execute( + gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX], + void* const callback_args[_STDOUT_CONSUME_MAX], + int output_fd, +- char *argv[]) { ++ char *argv[], ++ char *envp[]) { + + _cleanup_hashmap_free_free_ Hashmap *pids = NULL; + _cleanup_strv_free_ char **paths = NULL; +- char **path; ++ char **path, **e; + int r; + + /* We fork this all off from a child process so that we can somewhat cleanly make +@@ -100,6 +101,9 @@ static int do_execute( + if (timeout != USEC_INFINITY) + alarm(DIV_ROUND_UP(timeout, USEC_PER_SEC)); + ++ STRV_FOREACH(e, envp) ++ putenv(*e); ++ + STRV_FOREACH(path, paths) { + _cleanup_free_ char *t = NULL; + _cleanup_close_ int fd = -1; +@@ -166,7 +170,8 @@ int execute_directories( + usec_t timeout, + gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX], + void* const callback_args[_STDOUT_CONSUME_MAX], +- char *argv[]) { ++ char *argv[], ++ char *envp[]) { + + char **dirs = (char**) directories; + _cleanup_close_ int fd = -1; +@@ -197,7 +202,7 @@ int execute_directories( + if (r < 0) + return r; + if (r == 0) { +- r = do_execute(dirs, timeout, callbacks, callback_args, fd, argv); ++ r = do_execute(dirs, timeout, callbacks, callback_args, fd, argv, envp); + _exit(r < 0 ? 
EXIT_FAILURE : EXIT_SUCCESS); + } + +diff --git a/src/basic/exec-util.h b/src/basic/exec-util.h +index 8b1f181..003814c 100644 +--- a/src/basic/exec-util.h ++++ b/src/basic/exec-util.h +@@ -18,6 +18,7 @@ int execute_directories( + usec_t timeout, + gather_stdout_callback_t const callbacks[_STDOUT_CONSUME_MAX], + void* const callback_args[_STDOUT_CONSUME_MAX], +- char *argv[]); ++ char *argv[], ++ char *envp[]); + + extern const gather_stdout_callback_t gather_environment[_STDOUT_CONSUME_MAX]; +diff --git a/src/core/manager.c b/src/core/manager.c +index 930df4e..c12eb05 100644 +--- a/src/core/manager.c ++++ b/src/core/manager.c +@@ -3736,7 +3736,7 @@ static int manager_run_environment_generators(Manager *m) { + if (!generator_path_any(paths)) + return 0; + +- return execute_directories(paths, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL); ++ return execute_directories(paths, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL, NULL); + } + + static int manager_run_generators(Manager *m) { +@@ -3768,7 +3768,7 @@ static int manager_run_generators(Manager *m) { + + RUN_WITH_UMASK(0022) + execute_directories((const char* const*) paths, DEFAULT_TIMEOUT_USEC, +- NULL, NULL, (char**) argv); ++ NULL, NULL, (char**) argv, NULL); + + finish: + lookup_paths_trim_generator(&m->lookup_paths); +diff --git a/src/core/shutdown.c b/src/core/shutdown.c +index 038345b..5bf332d 100644 +--- a/src/core/shutdown.c ++++ b/src/core/shutdown.c +@@ -435,7 +435,7 @@ int main(int argc, char *argv[]) { + arguments[0] = NULL; + arguments[1] = arg_verb; + arguments[2] = NULL; +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL); + + if (can_initrd) { + r = switch_root_initramfs(); +diff --git a/src/sleep/sleep.c b/src/sleep/sleep.c +index f26aa45..f16e8c2 100644 +--- a/src/sleep/sleep.c ++++ b/src/sleep/sleep.c +@@ -162,7 +162,7 @@ static int execute(char **modes, char **states) { + 
return log_error_errno(r, "Failed to write mode to /sys/power/disk: %m");; + } + +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL); + + log_struct(LOG_INFO, + "MESSAGE_ID=" SD_MESSAGE_SLEEP_START_STR, +@@ -179,7 +179,7 @@ static int execute(char **modes, char **states) { + "SLEEP=%s", arg_verb); + + arguments[1] = (char*) "post"; +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, arguments, NULL); + + return r; + } +diff --git a/src/test/test-exec-util.c b/src/test/test-exec-util.c +index cfc8b5f..e7690ed 100644 +--- a/src/test/test-exec-util.c ++++ b/src/test/test-exec-util.c +@@ -16,6 +16,7 @@ + #include "fs-util.h" + #include "log.h" + #include "macro.h" ++#include "path-util.h" + #include "rm-rf.h" + #include "string-util.h" + #include "strv.h" +@@ -115,9 +116,9 @@ static void test_execute_directory(bool gather_stdout) { + assert_se(chmod(mask2e, 0755) == 0); + + if (gather_stdout) +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, ignore_stdout, ignore_stdout_args, NULL); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, ignore_stdout, ignore_stdout_args, NULL, NULL); + else +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, NULL); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, NULL, NULL, NULL, NULL); + + assert_se(chdir(template_lo) == 0); + assert_se(access("it_works", F_OK) >= 0); +@@ -182,7 +183,7 @@ static void test_execution_order(void) { + assert_se(chmod(override, 0755) == 0); + assert_se(chmod(masked, 0755) == 0); + +- execute_directories(dirs, DEFAULT_TIMEOUT_USEC, ignore_stdout, ignore_stdout_args, NULL); ++ execute_directories(dirs, DEFAULT_TIMEOUT_USEC, ignore_stdout, ignore_stdout_args, NULL, NULL); + + assert_se(read_full_file(output, &contents, NULL) >= 0); + assert_se(streq(contents, "30-override\n80-foo\n90-bar\nlast\n")); +@@ -264,7 
+265,7 @@ static void test_stdout_gathering(void) { + assert_se(chmod(name2, 0755) == 0); + assert_se(chmod(name3, 0755) == 0); + +- r = execute_directories(dirs, DEFAULT_TIMEOUT_USEC, gather_stdout, args, NULL); ++ r = execute_directories(dirs, DEFAULT_TIMEOUT_USEC, gather_stdout, args, NULL, NULL); + assert_se(r >= 0); + + log_info("got: %s", output); +@@ -275,7 +276,7 @@ static void test_stdout_gathering(void) { + static void test_environment_gathering(void) { + char template[] = "/tmp/test-exec-util.XXXXXXX", **p; + const char *dirs[] = {template, NULL}; +- const char *name, *name2, *name3; ++ const char *name, *name2, *name3, *old; + int r; + + char **tmp = NULL; /* this is only used in the forked process, no cleanup here */ +@@ -321,7 +322,32 @@ static void test_environment_gathering(void) { + assert_se(chmod(name2, 0755) == 0); + assert_se(chmod(name3, 0755) == 0); + +- r = execute_directories(dirs, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL); ++ /* When booting in containers or without initramfs there might not be ++ * any PATH in the environ and if there is no PATH /bin/sh built-in ++ * PATH may leak and override systemd's DEFAULT_PATH which is not ++ * good. 
Force our own PATH in environment, to prevent expansion of sh ++ * built-in $PATH */ ++ old = getenv("PATH"); ++ r = setenv("PATH", "no-sh-built-in-path", 1); ++ assert_se(r >= 0); ++ ++ r = execute_directories(dirs, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL, NULL); ++ assert_se(r >= 0); ++ ++ STRV_FOREACH(p, env) ++ log_info("got env: \"%s\"", *p); ++ ++ assert_se(streq(strv_env_get(env, "A"), "22:23:24")); ++ assert_se(streq(strv_env_get(env, "B"), "12")); ++ assert_se(streq(strv_env_get(env, "C"), "001")); ++ assert_se(streq(strv_env_get(env, "PATH"), "no-sh-built-in-path:/no/such/file")); ++ ++ /* now retest with "default" path passed in, as created by ++ * manager_default_environment */ ++ env = strv_free(env); ++ env = strv_new("PATH=" DEFAULT_PATH, NULL); ++ ++ r = execute_directories(dirs, DEFAULT_TIMEOUT_USEC, gather_environment, args, NULL, env); + assert_se(r >= 0); + + STRV_FOREACH(p, env) +@@ -330,7 +356,10 @@ static void test_environment_gathering(void) { + assert_se(streq(strv_env_get(env, "A"), "22:23:24")); + assert_se(streq(strv_env_get(env, "B"), "12")); + assert_se(streq(strv_env_get(env, "C"), "001")); +- assert_se(endswith(strv_env_get(env, "PATH"), ":/no/such/file")); ++ assert_se(streq(strv_env_get(env, "PATH"), DEFAULT_PATH ":/no/such/file")); ++ ++ /* reset environ PATH */ ++ (void) setenv("PATH", old, 1); + } + + int main(int argc, char *argv[]) { diff -Nru systemd-239/debian/patches/journald-fixed-assertion-failure-when-system-journal-rota.patch systemd-239/debian/patches/journald-fixed-assertion-failure-when-system-journal-rota.patch --- systemd-239/debian/patches/journald-fixed-assertion-failure-when-system-journal-rota.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/journald-fixed-assertion-failure-when-system-journal-rota.patch 2018-10-04 14:58:51.000000000 +0000 
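Review bot: In test_environment_gathering(), `old = getenv("PATH")` is NULL in exactly the situation the new comment describes (no PATH in the environment), and `setenv("PATH", NULL, 1)` fails with EINVAL, so the `(void)` cast leaves `PATH=no-sh-built-in-path` set for the remainder of the test process. The restore at the end should branch: `if (old) (void) setenv("PATH", old, 1); else (void) unsetenv("PATH");`. In do_execute(), the new `STRV_FOREACH(e, envp) putenv(*e);` stores the caller's strings rather than copies, which is only safe because the comment above the hunk says this runs in the forked child; a short comment on the loop, `/* we are in the forked child, so putenv() keeping pointers into envp is fine */`, would make that dependency explicit.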
@@ -0,0 +1,25 @@ +From: =?utf-8?q?Renaud_M=C3=A9trich?= + <1163635+rmetrich@users.noreply.github.com> +Date: Mon, 3 Sep 2018 05:42:39 +0200 +Subject: journald: fixed assertion failure when system journal rotation fails + (#9893) + +(cherry picked from commit fd790d6f09b10a87b007b71403cb018f18ff91c9) +--- + src/journal/journald-server.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c +index 4f1550e..b6e7a9c 100644 +--- a/src/journal/journald-server.c ++++ b/src/journal/journald-server.c +@@ -1036,7 +1036,8 @@ int server_flush_to_var(Server *s, bool require_flag_file) { + r = 0; + + finish: +- journal_file_post_change(s->system_journal); ++ if (s->system_journal) ++ journal_file_post_change(s->system_journal); + + s->runtime_journal = journal_file_close(s->runtime_journal); + diff -Nru systemd-239/debian/patches/journald-free-the-allocated-memory-before-returning-from-.patch systemd-239/debian/patches/journald-free-the-allocated-memory-before-returning-from-.patch --- systemd-239/debian/patches/journald-free-the-allocated-memory-before-returning-from-.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/journald-free-the-allocated-memory-before-returning-from-.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,25 @@ +From: Evgeny Vereshchagin +Date: Fri, 10 Aug 2018 12:52:07 +0000 +Subject: journald: free the allocated memory before returning from + dev_kmsg_record + +This fixes a minor memory leak. + +(cherry picked from commit 30eddcd51b8a472e05d3b8d1f0b89fbd3e094d71) +--- + src/journal/journald-kmsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald-kmsg.c b/src/journal/journald-kmsg.c +index 7ad6733..7644beb 100644 +--- a/src/journal/journald-kmsg.c ++++ b/src/journal/journald-kmsg.c +@@ -191,7 +191,7 @@ static void dev_kmsg_record(Server *s, char *p, size_t l) { + + e = memchr(k, '\n', l); + if (!e) +- return; ++ goto finish; + + *e = 0; + diff -Nru systemd-239/debian/patches/journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch systemd-239/debian/patches/journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch --- systemd-239/debian/patches/journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,27 @@ +From: Evgeny Vereshchagin +Date: Fri, 10 Aug 2018 12:45:42 +0000 +Subject: journald: make it clear that dev_kmsg_record modifies the string + passed to it + +The function replaces a couple commas, a semicolon and the final newline with +zero bytes in the string passed to it. The 'const' seems to have been added +by accident during a bulk edit (more specifically 3b3154df7e2773332bb814). + +(cherry picked from commit 1e0c5fc2a76e4f3d508331f410899c50493e1fc9) +--- + src/journal/journald-kmsg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald-kmsg.c b/src/journal/journald-kmsg.c +index e9aff13..7ad6733 100644 +--- a/src/journal/journald-kmsg.c ++++ b/src/journal/journald-kmsg.c +@@ -93,7 +93,7 @@ static bool is_us(const char *identifier, const char *pid) { + streq(identifier, program_invocation_short_name); + } + +-static void dev_kmsg_record(Server *s, const char *p, size_t l) { ++static void dev_kmsg_record(Server *s, char *p, size_t l) { + + _cleanup_free_ char *message = NULL, *syslog_priority = NULL, *syslog_pid = NULL, *syslog_facility = NULL, *syslog_identifier = NULL, *source_time = NULL, *identifier = NULL, *pid = NULL; + struct iovec iovec[N_IOVEC_META_FIELDS + 7 + N_IOVEC_KERNEL_FIELDS + 2 + N_IOVEC_UDEV_FIELDS]; diff -Nru systemd-239/debian/patches/man-Document-networkd-states-in-networkctl-1-10033.patch systemd-239/debian/patches/man-Document-networkd-states-in-networkctl-1-10033.patch --- systemd-239/debian/patches/man-Document-networkd-states-in-networkctl-1-10033.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/man-Document-networkd-states-in-networkctl-1-10033.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,107 @@ +From: Julian Andres Klode +Date: Fri, 7 Sep 2018 16:39:44 +0200 +Subject: man: Document networkd states in networkctl(1) (#10033) + +The manpage gives example outputs with the states, but it never +explains what the states are. + +Fixes #575 + +(cherry picked from commit abcf95e95e32485e462a8312bc63cd746325a7ce) +--- + man/networkctl.xml | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 82 insertions(+) + +diff --git a/man/networkctl.xml b/man/networkctl.xml +index 8c750cc..9dea555 100644 +--- a/man/networkctl.xml ++++ b/man/networkctl.xml +@@ -92,6 +92,88 @@ + 4 virbr0-nic ether off unmanaged + + 4 links listed. ++ ++ The operational status is one of the following: ++ ++ ++ off ++ ++ the device is powered down ++ ++ ++ ++ no-carrier ++ ++ the device is powered up, but it does not yet have a carrier ++ ++ ++ ++ dormant ++ ++ the device has a carrier, but is not yet ready for normal traffic ++ ++ ++ ++ carrier ++ ++ the link has a carrier ++ ++ ++ ++ degraded ++ ++ the link has carrier and addresses valid on the local link configured ++ ++ ++ ++ routable ++ ++ the link has carrier and routable address configured ++ ++ ++ ++ ++ ++ The setup status is one of the following: ++ ++ ++ pending ++ ++ udev is still processing the link, we don't yet know if we will manage it ++ ++ ++ ++ failed ++ ++ networkd failed to manage the link ++ ++ ++ ++ configuring ++ ++ in the process of retrieving configuration or configuring the link ++ ++ ++ ++ configured ++ ++ link configured successfully ++ ++ ++ ++ unmanaged ++ ++ networkd is not handling the link ++ ++ ++ ++ linger ++ ++ the link is gone, but has not yet been dropped by networkd ++ ++ ++ ++ + + + diff -Nru systemd-239/debian/patches/meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch systemd-239/debian/patches/meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch --- systemd-239/debian/patches/meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch 
1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,72 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Wed, 18 Jul 2018 17:26:17 +0200 +Subject: meson: unify linux/stat.h check with other checks and use + _GNU_SOURCE + +Using _GNU_SOURCE is better because that's how we include the headers in the +actual build, and some headers define different stuff when it is defined. +sys/stat.h for example defines 'struct statx' conditionally. + +(cherry picked from commit 9c869d08d82c73f62ab3527567858ce4b0cf1257) +--- + meson.build | 20 ++++++++++++++------ + src/basic/missing.h | 2 +- + 2 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/meson.build b/meson.build +index f1f4611..e1dc2ca 100644 +--- a/meson.build ++++ b/meson.build +@@ -421,11 +421,9 @@ decl_headers = ''' + #include + #include + #include +-#include + #include + ''' + # FIXME: key_serial_t is only defined in keyutils.h, this is bound to fail +-# FIXME: these should use -D_GNU_SOURCE, since that is defined at build time + + foreach decl : ['char16_t', + 'char32_t', +@@ -436,13 +434,23 @@ foreach decl : ['char16_t', + ] + + # We get -1 if the size cannot be determined +- have = cc.sizeof(decl, prefix : decl_headers) > 0 ++ have = cc.sizeof(decl, prefix : decl_headers, args : '-D_GNU_SOURCE') > 0 ++ ++ if decl == 'struct statx' ++ if have ++ want_linux_stat_h = false ++ else ++ have = cc.sizeof(decl, ++ prefix : decl_headers + '#include ', ++ args : '-D_GNU_SOURCE') > 0 ++ want_linux_stat_h = have ++ endif ++ endif ++ + conf.set10('HAVE_' + decl.underscorify().to_upper(), have) + endforeach + +-conf.set10('HAVE_STRUCT_STATX_IN_SYS_STAT_H', cc.sizeof('struct statx', prefix : ''' +-#include +-''', args : '-D_GNU_SOURCE') > 0) ++conf.set10('WANT_LINUX_STAT_H', want_linux_stat_h) + + foreach decl : [['IFLA_INET6_ADDR_GEN_MODE', 'linux/if_link.h'], + ['IN6_ADDR_GEN_MODE_STABLE_PRIVACY', 'linux/if_link.h'], +diff --git a/src/basic/missing.h b/src/basic/missing.h +index 14ad3d4..9044683 100644 +--- a/src/basic/missing.h ++++ 
b/src/basic/missing.h +@@ -24,7 +24,7 @@ + #include + #include + +-#if !HAVE_STRUCT_STATX_IN_SYS_STAT_H ++#if WANT_LINUX_STAT_H + #include + #endif + diff -Nru systemd-239/debian/patches/network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch systemd-239/debian/patches/network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch --- systemd-239/debian/patches/network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,62 @@ +From: Yu Watanabe +Date: Thu, 2 Aug 2018 16:31:10 +0900 +Subject: network: DHCP: ignore error in setting hostname when it is given by + uname() + +C.f. #9759. + +(cherry picked from commit a8494759b4f14af5337391727ba295ab708b92f9) +--- + src/network/networkd-dhcp4.c | 9 ++++++++- + src/network/networkd-dhcp6.c | 11 +++++++++-- + 2 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c +index 34c1f63..653c971 100644 +--- a/src/network/networkd-dhcp4.c ++++ b/src/network/networkd-dhcp4.c +@@ -597,7 +597,14 @@ static int dhcp4_set_hostname(Link *link) { + hn = hostname; + } + +- return sd_dhcp_client_set_hostname(link->dhcp_client, hn); ++ r = sd_dhcp_client_set_hostname(link->dhcp_client, hn); ++ if (r == -EINVAL && hostname) ++ /* Ignore error when the machine's hostname is not suitable to send in DHCP packet. */ ++ log_link_warning_errno(link, r, "DHCP4 CLIENT: Failed to set hostname from kernel hostname, ignoring: %m"); ++ else if (r < 0) ++ return log_link_error_errno(link, r, "DHCP4 CLIENT: Failed to set hostname: %m"); ++ ++ return 0; + } + + static bool promote_secondaries_enabled(const char *ifname) { +diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c +index fb72940..9566f22 100644 +--- a/src/network/networkd-dhcp6.c ++++ b/src/network/networkd-dhcp6.c +@@ -453,7 +453,14 @@ static int dhcp6_set_hostname(sd_dhcp6_client *client, Link *link) { + hn = hostname; + } + +- return sd_dhcp6_client_set_fqdn(client, hn); ++ r = sd_dhcp6_client_set_fqdn(client, hn); ++ if (r == -EINVAL && hostname) ++ /* Ignore error when the machine's hostname is not suitable to send in DHCP packet. 
*/ ++ log_link_warning_errno(link, r, "DHCP6 CLIENT: Failed to set hostname from kernel hostname, ignoring: %m"); ++ else if (r < 0) ++ return log_link_error_errno(link, r, "DHCP6 CLIENT: Failed to set hostname: %m"); ++ ++ return 0; + } + + int dhcp6_configure(Link *link) { +@@ -495,7 +502,7 @@ int dhcp6_configure(Link *link) { + + r = dhcp6_set_hostname(client, link); + if (r < 0) +- goto error; ++ return r; + + r = sd_dhcp6_client_set_ifindex(client, link->ifindex); + if (r < 0) diff -Nru systemd-239/debian/patches/network-add-missing-sd_netlink_unref.patch systemd-239/debian/patches/network-add-missing-sd_netlink_unref.patch --- systemd-239/debian/patches/network-add-missing-sd_netlink_unref.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/network-add-missing-sd_netlink_unref.patch 2018-10-04 14:58:51.000000000 +0000 
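Review bot: In dhcp6_configure(), `goto error` becomes `return r` for the dhcp6_set_hostname() failure while the function's other failure paths presumably still jump to `error:`; if that label performs cleanup that is not covered by a `_cleanup_` attribute on `client`, the early return leaks the freshly created client. The label and the rest of the function are outside this hunk, so this needs confirming against the full function. The duplicated ignore branch in dhcp4_set_hostname() and dhcp6_set_hostname() would read better with a comment saying why only the kernel-derived name is excused, e.g. `/* Only tolerate an unusable uname() hostname; a Hostname= from the .network file must be valid */`.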
@@ -0,0 +1,21 @@ +From: Yu Watanabe +Date: Fri, 20 Jul 2018 11:23:24 +0900 +Subject: network: add missing sd_netlink_unref() + +(cherry picked from commit e42699438a2c8a28ef1319e55409b706c341fb02) +--- + src/network/networkd-manager.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c +index 1c48660..e80d7f5 100644 +--- a/src/network/networkd-manager.c ++++ b/src/network/networkd-manager.c +@@ -1468,6 +1468,7 @@ void manager_free(Manager *m) { + set_free_with_destructor(m->rules_saved, routing_policy_rule_free); + + sd_netlink_unref(m->rtnl); ++ sd_netlink_unref(m->genl); + sd_event_unref(m->event); + + sd_resolve_unref(m->resolve); diff -Nru systemd-239/debian/patches/network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch systemd-239/debian/patches/network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch --- systemd-239/debian/patches/network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,48 @@ +From: Yu Watanabe +Date: Thu, 2 Aug 2018 16:28:23 +0900 +Subject: network: also check that Hostname= is a valid DNS domain name + +(cherry picked from commit 6528693a94821e0e13a8e112fb481c4ab0c62688) +--- + src/network/networkd-network.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 429aac5..ccf5d6d 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -966,7 +966,8 @@ int config_parse_hostname( + void *data, + void *userdata) { + +- char **hostname = data, *hn = NULL; ++ _cleanup_free_ char *hn = NULL; ++ char **hostname = data; + int r; + + assert(filename); +@@ -979,13 +980,20 @@ int config_parse_hostname( + + if (!hostname_is_valid(hn, false)) { + log_syntax(unit, LOG_ERR, filename, line, 0, "Hostname is not valid, ignoring assignment: %s", rvalue); +- free(hn); + return 0; + } + +- free(*hostname); +- *hostname = hostname_cleanup(hn); +- return 0; ++ r = dns_name_is_valid(hn); ++ if (r < 0) { ++ log_syntax(unit, LOG_ERR, filename, line, r, "Failed to check validity of hostname '%s', ignoring assignment: %m", rvalue); ++ return 0; ++ } ++ if (r == 0) { ++ log_syntax(unit, LOG_ERR, filename, line, 0, "Hostname is not a valid DNS domain name, ignoring assignment: %s", rvalue); ++ return 0; ++ } ++ ++ return free_and_replace(*hostname, hn); + } + + int config_parse_timezone( diff -Nru systemd-239/debian/patches/network-free-routes-assigned-to-link.patch systemd-239/debian/patches/network-free-routes-assigned-to-link.patch --- systemd-239/debian/patches/network-free-routes-assigned-to-link.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/network-free-routes-assigned-to-link.patch 2018-10-04 14:58:51.000000000 +0000 
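Review bot: The new `return free_and_replace(*hostname, hn);` replaces the removed `*hostname = hostname_cleanup(hn);`, so the value is now stored exactly as parsed instead of being passed through hostname_cleanup(). Because `hostname_is_valid(hn, false)` has already rejected anything the cleanup would have altered this is very likely behaviour-neutral, but the commit message only describes the added DNS-name check, so a comment at that line, `/* hn passed hostname_is_valid() and dns_name_is_valid(), so no hostname_cleanup() is needed */`, would record why the call was dropped. The start of config_parse_hostname() and the code that fills `hn` are above the hunk.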
@@ -0,0 +1,35 @@
+From: Yu Watanabe
+Date: Wed, 18 Jul 2018 13:07:27 +0900
+Subject: network: free routes assigned to link
+
+(cherry picked from commit ddfc4f6e348ef8909f7c1df22f50a446d2b468ee)
+---
+ src/network/networkd-link.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index bc5d72a..7cbb979 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -492,11 +492,21 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+ static void link_free(Link *link) {
+ Address *address;
+ Link *carrier;
++ Route *route;
+ Iterator i;
+
+ if (!link)
+ return;
+
++ while ((route = set_first(link->routes)))
++ route_free(route);
++
++ while ((route = set_first(link->routes_foreign)))
++ route_free(route);
++
++ link->routes = set_free(link->routes);
++ link->routes_foreign = set_free(link->routes_foreign);
++
+ while ((address = set_first(link->addresses)))
+ address_free(address);
+
diff -Nru systemd-239/debian/patches/network-simplify-link_free.patch systemd-239/debian/patches/network-simplify-link_free.patch
--- systemd-239/debian/patches/network-simplify-link_free.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/network-simplify-link_free.patch 2018-10-04 14:58:51.000000000 +0000
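Review bot: The two new `while ((route = set_first(link->routes))) route_free(route);` loops terminate only if route_free() detaches the route from `link->routes` / `link->routes_foreign`; if it does not, set_first() keeps returning the same freed pointer and the loop spins on a use-after-free. The address loops directly below rely on the same contract for address_free(), so it presumably holds for Route as well, but route_free() is not in the hunk and should be confirmed before the patch is carried. The tail of link_free() continues past the hunk.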
@@ -0,0 +1,32 @@
+From: Yu Watanabe
+Date: Wed, 18 Jul 2018 13:06:34 +0900
+Subject: network: simplify link_free()
+
+(cherry picked from commit 0ade014c8b74d702130132b2833a67ab29c1689a)
+---
+ src/network/networkd-link.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 4afcf84..bc5d72a 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -497,14 +497,13 @@ static void link_free(Link *link) {
+ if (!link)
+ return;
+
+- while (!set_isempty(link->addresses))
+- address_free(set_first(link->addresses));
++ while ((address = set_first(link->addresses)))
++ address_free(address);
+
+- while (!set_isempty(link->addresses_foreign))
+- address_free(set_first(link->addresses_foreign));
++ while ((address = set_first(link->addresses_foreign)))
++ address_free(address);
+
+ link->addresses = set_free(link->addresses);
+-
+ link->addresses_foreign = set_free(link->addresses_foreign);
+
+ while ((address = link->pool_addresses)) {
diff -Nru systemd-239/debian/patches/networkd-fix-overflow-check.patch systemd-239/debian/patches/networkd-fix-overflow-check.patch
--- systemd-239/debian/patches/networkd-fix-overflow-check.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/networkd-fix-overflow-check.patch 2018-10-04 14:58:51.000000000 +0000
@@ -0,0 +1,62 @@ +From: Lennart Poettering +Date: Mon, 16 Jul 2018 12:31:50 +0200 +Subject: networkd: fix overflow check + +Fixes: #9591 +(cherry picked from commit 9fb96abdfd412540bcc2959ee56ff4a14750ee3d) +--- + src/network/networkd-dhcp6.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/network/networkd-dhcp6.c b/src/network/networkd-dhcp6.c +index 0fcd2ca..fb72940 100644 +--- a/src/network/networkd-dhcp6.c ++++ b/src/network/networkd-dhcp6.c +@@ -119,7 +119,7 @@ static int dhcp6_pd_prefix_distribute(Link *dhcp6_link, Iterator *i, + Link *link; + Manager *manager = dhcp6_link->manager; + union in_addr_union prefix; +- uint8_t n_prefixes, n_used = 0; ++ uint64_t n_prefixes, n_used = 0; + _cleanup_free_ char *buf = NULL; + int r; + +@@ -132,17 +132,17 @@ static int dhcp6_pd_prefix_distribute(Link *dhcp6_link, Iterator *i, + if (r < 0) + return r; + +- n_prefixes = 1 << (64 - pd_prefix_len); ++ n_prefixes = UINT64_C(1) << (64 - pd_prefix_len); + + (void) in_addr_to_string(AF_INET6, &prefix, &buf); +- log_link_debug(dhcp6_link, "Assigning up to %u prefixes from %s/%u", ++ log_link_debug(dhcp6_link, "Assigning up to %" PRIu64 " prefixes from %s/%u", + n_prefixes, strnull(buf), pd_prefix_len); + + while (hashmap_iterate(manager->links, i, (void **)&link, NULL)) { + Link *assigned_link; + + if (n_used == n_prefixes) { +- log_link_debug(dhcp6_link, "Assigned %u/%u prefixes from %s/%u", ++ log_link_debug(dhcp6_link, "Assigned %" PRIu64 "/%" PRIu64 " prefixes from %s/%u", + n_used, n_prefixes, strnull(buf), pd_prefix_len); + + return -EAGAIN; +@@ -169,7 +169,7 @@ static int dhcp6_pd_prefix_distribute(Link *dhcp6_link, Iterator *i, + continue; + + } else +- log_link_debug(link, "Assigned prefix %u/%u %s/64 to link", ++ log_link_debug(link, "Assigned prefix %" PRIu64 "/%" PRIu64 " %s/64 to link", + n_used + 1, n_prefixes, strnull(buf)); + + n_used++; +@@ -181,7 +181,7 @@ static int dhcp6_pd_prefix_distribute(Link *dhcp6_link, Iterator 
*i, + + if (n_used < n_prefixes) { + Route *route; +- int n = n_used; ++ uint64_t n = n_used; + + r = route_new(&route); + if (r < 0) diff -Nru systemd-239/debian/patches/resolvconf-fixes-for-the-compatibility-interface.patch systemd-239/debian/patches/resolvconf-fixes-for-the-compatibility-interface.patch --- systemd-239/debian/patches/resolvconf-fixes-for-the-compatibility-interface.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/resolvconf-fixes-for-the-compatibility-interface.patch 2018-10-04 14:58:51.000000000 +0000 
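Review bot: `n_prefixes = UINT64_C(1) << (64 - pd_prefix_len);` is only well-defined for pd_prefix_len in 1..64; a delegated prefix length of 0 produces a shift by 64, which is undefined behaviour in C, and the hunks do not show where pd_prefix_len is range-checked. Since the prefix length comes from the DHCPv6 server's IA_PD option rather than local configuration, dhcp6_pd_prefix_distribute() or its caller should reject out-of-range values explicitly, e.g. `if (pd_prefix_len == 0 || pd_prefix_len > 64) return -EINVAL;` before the shift, unless an earlier assertion outside the hunk already guarantees this. The widened `uint64_t n = n_used;` at +181 is consistent with the other changes as far as the hunk shows. The head and tail of dhcp6_pd_prefix_distribute() are outside the hunks.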
@@ -0,0 +1,59 @@ +From: Filipe Brandenburger +Date: Mon, 25 Jun 2018 18:07:48 -0700 +Subject: resolvconf: fixes for the compatibility interface + +Also use compat_main() when called as `resolvconf`, since the interface +is closer to that of `systemd-resolve`. + +Use a heap allocated string to set arg_ifname, since a stack allocated +one would be lost after the function returns. (This last one broke the +case where an interface name was suffixed with a dot, such as in +`resolvconf -a tap0.dhcp`.) + +Tested: + $ build/resolvconf -a nonexistent.abc +Date: Mon, 25 Jun 2018 13:20:35 +0900 +Subject: resolve: dns_scope_network_good() does not returns negative errno + +(cherry picked from commit 86b112a315464604f4b40222d8bbd912432d640c) +--- + src/resolve/resolved-dns-transaction.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index 905cad6..d61ec09 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -1408,10 +1408,7 @@ static int dns_transaction_prepare(DnsTransaction *t, usec_t ts) { + + dns_transaction_stop_timeout(t); + +- r = dns_scope_network_good(t->scope); +- if (r < 0) +- return r; +- if (r == 0) { ++ if (!dns_scope_network_good(t->scope)) { + dns_transaction_complete(t, DNS_TRANSACTION_NETWORK_DOWN); + return 0; + } diff -Nru systemd-239/debian/patches/resolve-do-not-compress-target-names-in-SRV-records.patch systemd-239/debian/patches/resolve-do-not-compress-target-names-in-SRV-records.patch --- systemd-239/debian/patches/resolve-do-not-compress-target-names-in-SRV-records.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/resolve-do-not-compress-target-names-in-SRV-records.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,26 @@
+From: Yu Watanabe
+Date: Wed, 8 Aug 2018 14:30:40 +0900
+Subject: resolve: do not compress target names in SRV records
+
+Fixes #9793.
+
+(cherry picked from commit b2776a60f371de0cefd4141a68ada8f594f14560)
+---
+ src/resolve/resolved-dns-packet.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 5266014..c218033 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -854,7 +854,9 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, const DnsAns
+ if (r < 0)
+ goto fail;
+
+- r = dns_packet_append_name(p, rr->srv.name, true, false, NULL);
++ /* RFC 2782 states "Unless and until permitted by future standards
++ * action, name compression is not to be used for this field." */
++ r = dns_packet_append_name(p, rr->srv.name, false, false, NULL);
+ break;
+
+ case DNS_TYPE_PTR:
diff -Nru systemd-239/debian/patches/resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch systemd-239/debian/patches/resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch
--- systemd-239/debian/patches/resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch 2018-10-04 14:58:51.000000000 +0000
@@ -0,0 +1,33 @@
+From: Yu Watanabe
+Date: Mon, 13 Aug 2018 14:32:33 +0900
+Subject: resolve: do not hit CNAME or DNAME entry in NODATA cache (#9836)
+
+Fixes #9833.
+
+(cherry picked from commit 3740146a4cbd99883af79e375ee4836206dcea4e)
+---
+ src/resolve/resolved-dns-cache.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
+index 23cd662..03b11a5 100644
+--- a/src/resolve/resolved-dns-cache.c
++++ b/src/resolve/resolved-dns-cache.c
+@@ -792,7 +792,7 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, D
+ if (dns_type_may_redirect(k->type)) {
+ /* Check if we have a CNAME record instead */
+ i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n));
+- if (i)
++ if (i && i->type != DNS_CACHE_NODATA)
+ return i;
+
+ /* OK, let's look for cached DNAME records. */
+@@ -801,7 +801,7 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, D
+ return NULL;
+
+ i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n));
+- if (i)
++ if (i && i->type != DNS_CACHE_NODATA)
+ return i;
+
+ /* Jump one label ahead */
diff -Nru systemd-239/debian/patches/resolve-fix-error-handling-of-dns_name_is_valid.patch systemd-239/debian/patches/resolve-fix-error-handling-of-dns_name_is_valid.patch
--- systemd-239/debian/patches/resolve-fix-error-handling-of-dns_name_is_valid.patch 1970-01-01 00:00:00.000000000 +0000
+++ systemd-239/debian/patches/resolve-fix-error-handling-of-dns_name_is_valid.patch 2018-10-04 14:58:51.000000000 +0000
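Review bot: The guard `if (i && i->type != DNS_CACHE_NODATA)` is added twice, at +792 and +801, without explanation, while the unchanged context comments ("Check if we have a CNAME record instead", "OK, let's look for cached DNAME records.") still read as if any cached item under that key is a redirect to follow. A short comment before the first guard, `/* A NODATA item for the CNAME key only records that no CNAME exists; it is not a redirect to follow */`, with the equivalent for DNAME, would document why a hit is deliberately skipped. Whether other negative item types can be stored under the CNAME/DNAME key and would need the same treatment is not visible in this hunk. dns_cache_get_by_key_follow_cname_dname_nsec() continues beyond the hunk.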
@@ -0,0 +1,37 @@ +From: Yu Watanabe +Date: Thu, 2 Aug 2018 16:54:27 +0900 +Subject: resolve: fix error handling of dns_name_is_valid() + +(cherry picked from commit 10c6e7e51ec515a509698120ea13cb2e0a325a3a) +--- + src/resolve/resolved-dns-trust-anchor.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c +index 533e438..bf5b07c 100644 +--- a/src/resolve/resolved-dns-trust-anchor.c ++++ b/src/resolve/resolved-dns-trust-anchor.c +@@ -218,7 +218,10 @@ static int dns_trust_anchor_load_positive(DnsTrustAnchor *d, const char *path, u + if (r < 0) + return log_warning_errno(r, "Unable to parse domain in line %s:%u: %m", path, line); + +- if (!dns_name_is_valid(domain)) { ++ r = dns_name_is_valid(domain); ++ if (r < 0) ++ return log_warning_errno(r, "Failed to chack validity of domain name '%s', at line %s:%u, ignoring line: %m", domain, path, line); ++ if (r == 0) { + log_warning("Domain name %s is invalid, at line %s:%u, ignoring line.", domain, path, line); + return -EINVAL; + } +@@ -385,7 +388,10 @@ static int dns_trust_anchor_load_negative(DnsTrustAnchor *d, const char *path, u + if (r < 0) + return log_warning_errno(r, "Unable to parse line %s:%u: %m", path, line); + +- if (!dns_name_is_valid(domain)) { ++ r = dns_name_is_valid(domain); ++ if (r < 0) ++ return log_warning_errno(r, "Failed to chack validity of domain name '%s', at line %s:%u, ignoring line: %m", domain, path, line); ++ if (r == 0) { + log_warning("Domain name %s is invalid, at line %s:%u, ignoring line.", domain, path, line); + return -EINVAL; + } diff -Nru systemd-239/debian/patches/resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch systemd-239/debian/patches/resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch --- systemd-239/debian/patches/resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
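Review bot: Both new `log_warning_errno(...)` lines, at +218 and +388, misspell "check" in the operator-facing message `"Failed to chack validity of domain name '%s', at line %s:%u, ignoring line: %m"`; it should read `"Failed to check validity of domain name '%s', at line %s:%u, ignoring line: %m"` in both places. The message also says "ignoring line" while the function returns the negative errno to its caller, which mirrors the existing `return -EINVAL;` path, so the caller is presumably what actually skips the line; that contract is outside the hunk. dns_trust_anchor_load_positive() and dns_trust_anchor_load_negative() both continue outside the hunks.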
systemd-239/debian/patches/resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,44 @@ +From: Yu Watanabe +Date: Mon, 25 Jun 2018 13:23:16 +0900 +Subject: resolve: fix return value type of dns_answer_has_dname_for_cname() + +(cherry picked from commit a5042ec4d7840f79d49688f07bf9bae7203ac50e) +--- + src/resolve/resolved-dns-answer.c | 3 +-- + src/resolve/resolved-dns-answer.h | 2 +- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c +index 26caa63..66dc5d0 100644 +--- a/src/resolve/resolved-dns-answer.c ++++ b/src/resolve/resolved-dns-answer.c +@@ -799,7 +799,7 @@ void dns_answer_dump(DnsAnswer *answer, FILE *f) { + } + } + +-bool dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname) { ++int dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname) { + DnsResourceRecord *rr; + int r; + +@@ -830,7 +830,6 @@ bool dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname) { + return r; + if (r > 0) + return 1; +- + } + + return 0; +diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h +index aff594a..9ce7d62 100644 +--- a/src/resolve/resolved-dns-answer.h ++++ b/src/resolve/resolved-dns-answer.h +@@ -65,7 +65,7 @@ int dns_answer_remove_by_rr(DnsAnswer **a, DnsResourceRecord *rr); + int dns_answer_copy_by_key(DnsAnswer **a, DnsAnswer *source, const DnsResourceKey *key, DnsAnswerFlags or_flags); + int dns_answer_move_by_key(DnsAnswer **to, DnsAnswer **from, const DnsResourceKey *key, DnsAnswerFlags or_flags); + +-bool dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname); ++int dns_answer_has_dname_for_cname(DnsAnswer *a, DnsResourceRecord *cname); + + static inline size_t dns_answer_size(DnsAnswer *a) { + return a ? 
a->n_rrs : 0; diff -Nru systemd-239/debian/patches/resolve-reduce-number-of-conversions-between-ifname-and-i.patch systemd-239/debian/patches/resolve-reduce-number-of-conversions-between-ifname-and-i.patch --- systemd-239/debian/patches/resolve-reduce-number-of-conversions-between-ifname-and-i.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/resolve-reduce-number-of-conversions-between-ifname-and-i.patch 2018-10-04 14:58:51.000000000 +0000 
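Review bot: Changing dns_answer_has_dname_for_cname() from bool to int makes the `return r;` on its error path visible to callers as a negative errno, but the hunk does not show any caller being updated; a caller written as `if (dns_answer_has_dname_for_cname(a, rr))` would now treat a lookup failure as "DNAME found". Each call site should be checked to use the `r < 0` / `r > 0` pattern the function itself uses, or the conversion is only half done. The body of dns_answer_has_dname_for_cname() between the two hunks is not shown.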
@@ -0,0 +1,704 @@ +From: Yu Watanabe +Date: Tue, 26 Jun 2018 16:41:22 +0900 +Subject: resolve: reduce number of conversions between ifname and ifindex + +This also fixes minor memleak introduced in +654457e560c5723b90b419f7651b87040aade07e. + +(cherry picked from commit a661dc36f68b5ebb1247a503533f8067ff8c0432) +--- + src/resolve/resolvconf-compat.c | 28 +---- + src/resolve/resolvectl.c | 265 ++++++++++++++++++++-------------------- + src/resolve/resolvectl.h | 8 +- + 3 files changed, 142 insertions(+), 159 deletions(-) + +diff --git a/src/resolve/resolvconf-compat.c b/src/resolve/resolvconf-compat.c +index 0723458..bf7b7b1 100644 +--- a/src/resolve/resolvconf-compat.c ++++ b/src/resolve/resolvconf-compat.c +@@ -109,7 +109,6 @@ int resolvconf_parse_argv(int argc, char *argv[]) { + TYPE_EXCLUSIVE, /* -x */ + } type = TYPE_REGULAR; + +- const char *dot, *iface; + int c, r; + + assert(argc >= 0); +@@ -202,30 +201,11 @@ int resolvconf_parse_argv(int argc, char *argv[]) { + return -EINVAL; + } + +- dot = strchr(argv[optind], '.'); +- if (dot) { +- iface = strndup(argv[optind], dot - argv[optind]); +- log_debug("Ignoring protocol specifier '%s'.", dot + 1); +- } else +- iface = argv[optind]; +- optind++; +- +- if (parse_ifindex(iface, &arg_ifindex) < 0) { +- int ifi; +- +- ifi = if_nametoindex(iface); +- if (ifi <= 0) { +- if (errno == ENODEV && arg_ifindex_permissive) { +- log_debug("Interface '%s' not found, but -f specified, ignoring.", iface); +- return 0; /* done */ +- } ++ r = ifname_mangle(argv[optind], false); ++ if (r <= 0) ++ return r; + +- return log_error_errno(errno, "Unknown interface '%s': %m", iface); +- } +- +- arg_ifindex = ifi; +- arg_ifname = iface; +- } ++ optind++; + + if (arg_mode == MODE_SET_LINK) { + unsigned n = 0; +diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c +index e9e395e..d04c756 100644 +--- a/src/resolve/resolvectl.c ++++ b/src/resolve/resolvectl.c +@@ -28,8 +28,8 @@ + #include "verbs.h" + + static int arg_family = 
AF_UNSPEC; +-int arg_ifindex = 0; +-const char *arg_ifname = NULL; ++static int arg_ifindex = 0; ++static char *arg_ifname = NULL; + static uint16_t arg_type = 0; + static uint16_t arg_class = 0; + static bool arg_legend = true; +@@ -66,7 +66,7 @@ typedef enum StatusMode { + STATUS_NTA, + } StatusMode; + +-static int parse_ifindex_with_warn(const char *s) { ++static int parse_ifindex_and_warn(const char *s) { + int ifi; + + assert(s); +@@ -74,12 +74,66 @@ static int parse_ifindex_with_warn(const char *s) { + if (parse_ifindex(s, &ifi) < 0) { + ifi = if_nametoindex(s); + if (ifi <= 0) +- return log_error_errno(errno, "Unknown interface %s: %m", s); ++ return log_error_errno(errno, "Unknown interface '%s': %m", s); + } + + return ifi; + } + ++int ifname_mangle(const char *s, bool allow_loopback) { ++ _cleanup_free_ char *iface = NULL; ++ const char *dot; ++ int r; ++ ++ assert(s); ++ ++ if (arg_ifname) { ++ assert(arg_ifindex >= 0); ++ ++ if (!allow_loopback && arg_ifindex == LOOPBACK_IFINDEX) { ++ log_error("Interface can't be the loopback interface (lo). Sorry."); ++ return -EINVAL; ++ } ++ ++ return 1; ++ } ++ ++ dot = strchr(s, '.'); ++ if (dot) { ++ iface = strndup(s, dot - s); ++ if (!iface) ++ return log_oom(); ++ ++ log_debug("Ignoring protocol specifier '%s'.", dot + 1); ++ } else { ++ iface = strdup(s); ++ if (!iface) ++ return log_oom(); ++ } ++ ++ if (parse_ifindex(iface, &r) < 0) { ++ r = if_nametoindex(iface); ++ if (r <= 0) { ++ if (errno == ENODEV && arg_ifindex_permissive) { ++ log_debug("Interface '%s' not found, but -f specified, ignoring.", iface); ++ return 0; /* done */ ++ } ++ ++ return log_error_errno(errno, "Unknown interface '%s': %m", iface); ++ } ++ } ++ ++ if (!allow_loopback && r == LOOPBACK_IFINDEX) { ++ log_error("Interface can't be the loopback interface (lo). 
Sorry."); ++ return -EINVAL; ++ } ++ ++ arg_ifindex = r; ++ arg_ifname = TAKE_PTR(iface); ++ ++ return 1; ++} ++ + static void print_source(uint64_t flags, usec_t rtt) { + char rtt_str[FORMAT_TIMESTAMP_MAX]; + +@@ -113,18 +167,14 @@ static int resolve_host(sd_bus *bus, const char *name) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL, *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + const char *canonical = NULL; +- char ifname[IF_NAMESIZE] = ""; + unsigned c = 0; +- int r; + uint64_t flags; + usec_t ts; ++ int r; + + assert(name); + +- if (arg_ifindex > 0 && !if_indextoname(arg_ifindex, ifname)) +- return log_error_errno(errno, "Failed to resolve interface name for index %i: %m", arg_ifindex); +- +- log_debug("Resolving %s (family %s, interface %s).", name, af_to_name(arg_family) ?: "*", isempty(ifname) ? "*" : ifname); ++ log_debug("Resolving %s (family %s, interface %s).", name, af_to_name(arg_family) ?: "*", isempty(arg_ifname) ? 
"*" : arg_ifname); + + r = sd_bus_message_new_method_call( + bus, +@@ -154,6 +204,7 @@ static int resolve_host(sd_bus *bus, const char *name) { + + while ((r = sd_bus_message_enter_container(reply, 'r', "iiay")) > 0) { + _cleanup_free_ char *pretty = NULL; ++ char ifname[IF_NAMESIZE] = ""; + int ifindex, family; + const void *a; + size_t sz; +@@ -182,7 +233,6 @@ static int resolve_host(sd_bus *bus, const char *name) { + return -EINVAL; + } + +- ifname[0] = 0; + if (ifindex > 0 && !if_indextoname(ifindex, ifname)) + log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex); + +@@ -379,7 +429,6 @@ static int output_rr_packet(const void *d, size_t l, int ifindex) { + static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_t type, bool warn_missing) { + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL, *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +- char ifname[IF_NAMESIZE] = ""; + unsigned n = 0; + uint64_t flags; + int r; +@@ -388,10 +437,7 @@ static int resolve_record(sd_bus *bus, const char *name, uint16_t class, uint16_ + + assert(name); + +- if (arg_ifindex > 0 && !if_indextoname(arg_ifindex, ifname)) +- return log_error_errno(errno, "Failed to resolve interface name for index %i: %m", arg_ifindex); +- +- log_debug("Resolving %s %s %s (interface %s).", name, dns_class_to_string(class), dns_type_to_string(type), isempty(ifname) ? "*" : ifname); ++ log_debug("Resolving %s %s %s (interface %s).", name, dns_class_to_string(class), dns_type_to_string(type), isempty(arg_ifname) ? 
"*" : arg_ifname); + + r = sd_bus_message_new_method_call( + bus, +@@ -645,7 +691,6 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons + const char *canonical_name, *canonical_type, *canonical_domain; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL, *reply = NULL; + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; +- char ifname[IF_NAMESIZE] = ""; + size_t indent, sz; + uint64_t flags; + const char *p; +@@ -659,15 +704,12 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons + name = empty_to_null(name); + type = empty_to_null(type); + +- if (arg_ifindex > 0 && !if_indextoname(arg_ifindex, ifname)) +- return log_error_errno(errno, "Failed to resolve interface name for index %i: %m", arg_ifindex); +- + if (name) +- log_debug("Resolving service \"%s\" of type %s in %s (family %s, interface %s).", name, type, domain, af_to_name(arg_family) ?: "*", isempty(ifname) ? "*" : ifname); ++ log_debug("Resolving service \"%s\" of type %s in %s (family %s, interface %s).", name, type, domain, af_to_name(arg_family) ?: "*", isempty(arg_ifname) ? "*" : arg_ifname); + else if (type) +- log_debug("Resolving service type %s of %s (family %s, interface %s).", type, domain, af_to_name(arg_family) ?: "*", isempty(ifname) ? "*" : ifname); ++ log_debug("Resolving service type %s of %s (family %s, interface %s).", type, domain, af_to_name(arg_family) ?: "*", isempty(arg_ifname) ? "*" : arg_ifname); + else +- log_debug("Resolving service type %s (family %s, interface %s).", domain, af_to_name(arg_family) ?: "*", isempty(ifname) ? "*" : ifname); ++ log_debug("Resolving service type %s (family %s, interface %s).", domain, af_to_name(arg_family) ?: "*", isempty(arg_ifname) ? 
"*" : arg_ifname); + + r = sd_bus_message_new_method_call( + bus, +@@ -726,6 +768,7 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons + + while ((r = sd_bus_message_enter_container(reply, 'r', "iiay")) > 0) { + _cleanup_free_ char *pretty = NULL; ++ char ifname[IF_NAMESIZE] = ""; + int ifindex, family; + const void *a; + +@@ -753,7 +796,6 @@ static int resolve_service(sd_bus *bus, const char *name, const char *type, cons + return -EINVAL; + } + +- ifname[0] = 0; + if (ifindex > 0 && !if_indextoname(ifindex, ifname)) + log_warning_errno(errno, "Failed to resolve interface name for index %i: %m", ifindex); + +@@ -1828,7 +1870,7 @@ static int verb_status(int argc, char **argv, void *userdata) { + STRV_FOREACH(ifname, argv + 1) { + int ifindex; + +- ifindex = parse_ifindex_with_warn(*ifname); ++ ifindex = parse_ifindex_and_warn(*ifname); + if (ifindex < 0) + continue; + +@@ -1855,25 +1897,20 @@ static int verb_dns(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL; + sd_bus *bus = userdata; +- int ifindex, r; + char **p; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_DNS); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_DNS, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_DNS, NULL); + + r = sd_bus_message_new_method_call( + bus, +@@ -1885,7 +1922,7 @@ static int verb_dns(int argc, char **argv, void *userdata) { + if (r < 0) + return bus_log_create_error(r); + +- r = sd_bus_message_append(req, "i", ifindex); ++ r = sd_bus_message_append(req, "i", arg_ifindex); + if (r < 0) + return bus_log_create_error(r); + +@@ -1924,7 +1961,7 @@ static int verb_dns(int argc, char **argv, void *userdata) { + r = sd_bus_call(bus, req, 0, &error, NULL); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -1940,25 +1977,20 @@ static int verb_domain(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL; + sd_bus *bus = userdata; +- int ifindex, r; + char **p; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_DOMAIN); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_DOMAIN, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_DOMAIN, NULL); + + r = sd_bus_message_new_method_call( + bus, +@@ -1970,7 +2002,7 @@ static int verb_domain(int argc, char **argv, void *userdata) { + if (r < 0) + return bus_log_create_error(r); + +- r = sd_bus_message_append(req, "i", ifindex); ++ r = sd_bus_message_append(req, "i", arg_ifindex); + if (r < 0) + return bus_log_create_error(r); + +@@ -2003,7 +2035,7 @@ static int verb_domain(int argc, char **argv, void *userdata) { + r = sd_bus_call(bus, req, 0, &error, NULL); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2018,24 +2050,19 @@ static int verb_domain(int argc, char **argv, void *userdata) { + static int verb_llmnr(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; +- int ifindex, r; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_LLMNR); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_LLMNR, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_LLMNR, NULL); + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", +@@ -2044,10 +2071,10 @@ static int verb_llmnr(int argc, char **argv, void *userdata) { + "SetLinkLLMNR", + &error, + NULL, +- "is", ifindex, argv[2]); ++ "is", arg_ifindex, argv[2]); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2062,24 +2089,19 @@ static int verb_llmnr(int argc, char **argv, void *userdata) { + static int verb_mdns(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; +- int ifindex, r; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_MDNS); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_MDNS, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_MDNS, NULL); + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", +@@ -2088,10 +2110,10 @@ static int verb_mdns(int argc, char **argv, void *userdata) { + "SetLinkMulticastDNS", + &error, + NULL, +- "is", ifindex, argv[2]); ++ "is", arg_ifindex, argv[2]); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2106,24 +2128,19 @@ static int verb_mdns(int argc, char **argv, void *userdata) { + static int verb_dns_over_tls(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; +- int ifindex, r; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_PRIVATE); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_PRIVATE, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_PRIVATE, NULL); + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", +@@ -2132,10 +2149,10 @@ static int verb_dns_over_tls(int argc, char **argv, void *userdata) { + "SetLinkDNSOverTLS", + &error, + NULL, +- "is", ifindex, argv[2]); ++ "is", arg_ifindex, argv[2]); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2150,24 +2167,19 @@ static int verb_dns_over_tls(int argc, char **argv, void *userdata) { + static int verb_dnssec(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; +- int ifindex, r; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_DNSSEC); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_DNSSEC, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_DNSSEC, NULL); + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", +@@ -2176,10 +2188,10 @@ static int verb_dnssec(int argc, char **argv, void *userdata) { + "SetLinkDNSSEC", + &error, + NULL, +- "is", ifindex, argv[2]); ++ "is", arg_ifindex, argv[2]); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2195,31 +2207,27 @@ static int verb_nta(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + _cleanup_(sd_bus_message_unrefp) sd_bus_message *req = NULL; + sd_bus *bus = userdata; +- int ifindex, i, r; ++ char **p; ++ int r; + + assert(bus); + + if (argc <= 1) + return status_all(bus, STATUS_NTA); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + if (argc == 2) +- return status_ifindex(bus, ifindex, NULL, STATUS_NTA, NULL); ++ return status_ifindex(bus, arg_ifindex, NULL, STATUS_NTA, NULL); + +- for (i = 2; i < argc; i++) { +- r = dns_name_is_valid(argv[i]); ++ STRV_FOREACH(p, argv + 2) { ++ r = dns_name_is_valid(*p); + if (r < 0) +- return log_error_errno(r, "Failed to validate specified domain %s: %m", argv[i]); ++ return log_error_errno(r, "Failed to validate specified domain %s: %m", *p); + if (r == 0) { +- log_error("Domain not valid: %s", argv[i]); ++ log_error("Domain not valid: %s", *p); + return -EINVAL; + } + } +@@ -2234,7 +2242,7 @@ static int verb_nta(int argc, char **argv, void *userdata) { + if (r < 0) + return bus_log_create_error(r); + +- r = sd_bus_message_append(req, "i", ifindex); ++ r = sd_bus_message_append(req, "i", arg_ifindex); + if (r < 0) + return bus_log_create_error(r); + +@@ -2245,7 +2253,7 @@ static int verb_nta(int argc, char **argv, void *userdata) { + r = sd_bus_call(bus, req, 0, &error, NULL); + if (r < 0) { + if (sd_bus_error_has_name(&error, BUS_ERROR_LINK_BUSY)) +- return log_interface_is_managed(r, ifindex); ++ return log_interface_is_managed(r, arg_ifindex); + + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2260,18 +2268,13 @@ static int verb_nta(int argc, char **argv, void *userdata) { + static int verb_revert_link(int argc, char **argv, void *userdata) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; + sd_bus *bus = userdata; +- int ifindex, r; ++ int r; + + assert(bus); + +- ifindex = parse_ifindex_with_warn(argv[1]); +- if (ifindex < 0) +- return ifindex; +- +- if (ifindex == LOOPBACK_IFINDEX) { +- log_error("Interface can't be the loopback interface (lo). 
Sorry."); +- return -EINVAL; +- } ++ r = ifname_mangle(argv[1], false); ++ if (r < 0) ++ return r; + + r = sd_bus_call_method(bus, + "org.freedesktop.resolve1", +@@ -2280,7 +2283,7 @@ static int verb_revert_link(int argc, char **argv, void *userdata) { + "RevertLink", + &error, + NULL, +- "i", ifindex); ++ "i", arg_ifindex); + if (r < 0) { + if (arg_ifindex_permissive && + sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_LINK)) +@@ -2490,12 +2493,10 @@ static int compat_parse_argv(int argc, char *argv[]) { + break; + + case 'i': +- r = parse_ifindex_with_warn(optarg); ++ arg_ifname = mfree(arg_ifname); ++ r = ifname_mangle(optarg, true); + if (r < 0) + return r; +- +- arg_ifname = optarg; +- arg_ifindex = r; + break; + + case 't': +@@ -2792,11 +2793,10 @@ static int native_parse_argv(int argc, char *argv[]) { + break; + + case 'i': +- r = parse_ifindex_with_warn(optarg); ++ arg_ifname = mfree(arg_ifname); ++ r = ifname_mangle(optarg, true); + if (r < 0) + return r; +- +- arg_ifindex = r; + break; + + case 't': +@@ -3015,6 +3015,8 @@ static int compat_main(int argc, char *argv[], sd_bus *bus) { + return translate("status", NULL, argc - optind, argv + optind, bus); + + case MODE_SET_LINK: ++ assert(arg_ifname); ++ + if (arg_set_dns) { + r = translate("dns", arg_ifname, strv_length(arg_set_dns), arg_set_dns, bus); + if (r < 0) +@@ -3060,6 +3062,8 @@ static int compat_main(int argc, char *argv[], sd_bus *bus) { + return r; + + case MODE_REVERT_LINK: ++ assert(arg_ifname); ++ + return translate("revert", arg_ifname, 0, NULL, bus); + + case _MODE_INVALID: +@@ -3103,6 +3107,7 @@ finish: + sd_bus_flush_close_unref(bus); + pager_close(); + ++ free(arg_ifname); + strv_free(arg_set_dns); + strv_free(arg_set_domain); + strv_free(arg_set_nta); +diff --git a/src/resolve/resolvectl.h b/src/resolve/resolvectl.h +index 6ecaa4f..c5404de 100644 +--- a/src/resolve/resolvectl.h ++++ b/src/resolve/resolvectl.h +@@ -4,10 +4,6 @@ + #include + #include + +-extern int arg_ifindex; +-extern 
const char *arg_ifname; +-extern bool arg_ifindex_permissive; +- + typedef enum ExecutionMode { + MODE_RESOLVE_HOST, + MODE_RESOLVE_RECORD, +@@ -25,6 +21,8 @@ typedef enum ExecutionMode { + } ExecutionMode; + + extern ExecutionMode arg_mode; +- + extern char **arg_set_dns; + extern char **arg_set_domain; ++extern bool arg_ifindex_permissive; ++ ++int ifname_mangle(const char *s, bool allow_loopback); diff -Nru systemd-239/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch systemd-239/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch --- systemd-239/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,74 @@ +From: Dimitri John Ledkov +Date: Wed, 28 Mar 2018 23:05:17 +0100 +Subject: resolved: Mitigate DVE-2018-0001, + by retrying NXDOMAIN without EDNS0. + +Some captive portals, lie and do not respond with the captive portal IP +address, if the query is with EDNS0 enabled and DO bit set to zero. Thus retry +all domain name look ups with less secure methods, upon NXDOMAIN. + +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1766969 +Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1727237 +Bug-DNS: https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md +(cherry picked from commit cc0a0eb1a9379a81256d68d65f8450a487c0ab12) +--- + src/resolve/resolved-dns-transaction.c | 38 +++++++++++++++++++++++++++++----- + 1 file changed, 33 insertions(+), 5 deletions(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index c60b821..905cad6 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -378,12 +378,12 @@ static int dns_transaction_pick_server(DnsTransaction *t) { + if (!server) + return -ESRCH; + +- /* If we changed the server invalidate the feature level clamping, as the new server might have completely +- * different properties. */ +- if (server != t->server) ++ /* If we changed the server invalidate the current & clamp feature levels, as the new server might have ++ * completely different properties. */ ++ if (server != t->server) { + t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID; +- +- t->current_feature_level = dns_server_possible_feature_level(server); ++ t->current_feature_level = dns_server_possible_feature_level(server); ++ } + + /* Clamp the feature level if that is requested. 
*/ + if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID && +@@ -1062,6 +1062,34 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) { + return; + } + ++ /* Some captive portals are special in that the Aruba/Datavalet hardware will miss replacing the ++ * packets with the local server IP to point to the authenticated side of the network if EDNS0 is ++ * enabled. Instead they return NXDOMAIN, with DO bit set to zero... nothing to see here, yet respond ++ * with the captive portal IP, when using UDP level. ++ * ++ * Common portal names that fail like so are: ++ * secure.datavalet.io ++ * securelogin.arubanetworks.com ++ * securelogin.networks.mycompany.com ++ * ++ * Thus retry NXDOMAIN RCODES for "secure" things with a lower feature level. ++ * ++ * Do not "clamp" the feature level down, as the captive portal should not be lying for the wider ++ * internet (e.g. _other_ queries were observed fine with EDNS0 on these networks) ++ * ++ * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md ++ */ ++ if (DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN && t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0) { ++ char key_str[DNS_RESOURCE_KEY_STRING_MAX]; ++ dns_resource_key_to_string(t->key, key_str, sizeof key_str); ++ t->current_feature_level = t->current_feature_level - 1; ++ log_warning("Server returned error %s, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level %s.", ++ dns_rcode_to_string(DNS_PACKET_RCODE(p)), ++ dns_server_feature_level_to_string(t->current_feature_level)); ++ dns_transaction_retry(t, false /* use the same server */); ++ return; ++ } ++ + if (DNS_PACKET_RCODE(p) == DNS_RCODE_REFUSED) { + /* This server refused our request? 
If so, try again, use a different server */ + log_debug("Server returned REFUSED, switching servers, and retrying."); diff -Nru systemd-239/debian/patches/resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch systemd-239/debian/patches/resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch --- systemd-239/debian/patches/resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch 2018-10-04 14:58:51.000000000 +0000 
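Review bot: The retry guard `t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0` also matches the higher DNSSEC-DO and DNS-over-TLS feature levels, so one legitimate NXDOMAIN steps a transaction that was using TLS or DO down a level and re-sends it with less protection, a downgrade the commit message does not discuss; restricting the mitigation to the plain EDNS0 case, e.g. adding `&& !DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)`, would keep the captive-portal fix without touching encrypted or validated queries (the exact level ordering is not visible here, please confirm against resolved-dns-server.h). The comment above the block says the retry is for "secure" portal names, but the condition retries every NXDOMAIN regardless of the queried name, so the comment should state that. `key_str` is filled by `dns_resource_key_to_string()` but never used; either pass it into the `log_warning()` so the name that triggered the downgrade is recorded, or drop those two lines.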
@@ -0,0 +1,33 @@ +From: Filipe Brandenburger +Date: Tue, 12 Jun 2018 12:52:39 -0700 +Subject: resolved: assert t->server is set in dns_transaction_emit_tcp. + +Uncovered by Coverity. Fixes CID 1393390. + +(cherry picked from commit b02a7e1aeadda724976290528fb864f99f1e396b) +--- + src/resolve/resolved-dns-transaction.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c +index d61ec09..663c343 100644 +--- a/src/resolve/resolved-dns-transaction.c ++++ b/src/resolve/resolved-dns-transaction.c +@@ -653,6 +653,8 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + + #if ENABLE_DNS_OVER_TLS + if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) { ++ assert(t->server); ++ + r = gnutls_init(&gs, GNUTLS_CLIENT | GNUTLS_ENABLE_FALSE_START | GNUTLS_NONBLOCK); + if (r < 0) + return r; +@@ -666,7 +668,7 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) { + if (r < 0) + return r; + +- if (t->server && t->server->tls_session_data.size > 0) ++ if (t->server->tls_session_data.size > 0) + gnutls_session_set_data(gs, t->server->tls_session_data.data, t->server->tls_session_data.size); + + gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); diff -Nru systemd-239/debian/patches/series systemd-239/debian/patches/series --- systemd-239/debian/patches/series 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/patches/series 2018-10-04 14:58:51.000000000 +0000 @@ -1,3 +1,4 @@ +resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch sleep-fix-printf-format-of-fiemap-fields.patch timesync-changes-type-of-drift_freq-to-int64_t.patch sleep-fix-one-more-printf-format-of-a-fiemap-field.patch 
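Review bot: The runtime guard `t->server &&` in the `tls_session_data` check is replaced by `assert(t->server)`, and in systemd that macro is compiled out when assertions are disabled at build time, so in such builds the dereference is unguarded and relies entirely on the invariant that a TLS feature level implies a picked server. The hunk does not show where that invariant is established; a one-line comment at the assert, e.g. `/* A TLS feature level is only reachable after dns_transaction_pick_server() succeeded */`, would make the dependency explicit if that is indeed the reasoning (inferred, not visible here).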
@@ -8,6 +9,42 @@
 sysusers-tmpfiles-re-create-systemd-network-systemd-resol.patch
 test-Drop-SKIP_INITRD-for-QEMU-based-tests.patch
 network-link-Fix-logic-error-in-matching-devices-by-MAC.patch
+Re-add-uaccess-tag-for-dev-kvm.patch
+Do-not-apply-uaccess-tag-for-dev-kvm-if-mode-is-0666.patch
+timedate-increment-reference-count-of-sd_bus_message.patch
+timedate-defer-the-property-changed-signal-until-job-of-s.patch
+core-Actually-use-the-resolved-path-for-TemporaryFileSyst.patch
+umount-Don-t-use-options-from-fstab-on-remount.patch
+cryptsetup-add-support-for-sector-size-option-8881.patch
+build-sys-Detect-whether-struct-statx-is-defined-in-sys-s.patch
+meson-unify-linux-stat.h-check-with-other-checks-and-use-.patch
+resolve-dns_scope_network_good-does-not-returns-negative-.patch
+resolve-fix-return-value-type-of-dns_answer_has_dname_for.patch
+core-job-add-check-for-return-of-job_type_merge_and_colla.patch
+resolved-assert-t-server-is-set-in-dns_transaction_emit_t.patch
+resolvconf-fixes-for-the-compatibility-interface.patch
+resolve-reduce-number-of-conversions-between-ifname-and-i.patch
+cryptsetup-Add-dependency-on-loopback-setup-to-generated-.patch
+network-simplify-link_free.patch
+network-free-routes-assigned-to-link.patch
+network-add-missing-sd_netlink_unref.patch
+networkd-fix-overflow-check.patch
+core-fix-gid-when-DynamicUser-yes-with-static-User.patch
+network-also-check-that-Hostname-is-a-valid-DNS-domain-na.patch
+network-DHCP-ignore-error-in-setting-hostname-when-it-is-.patch
+syslog-fix-segfault-in-syslog_parse_priority.patch
+resolve-do-not-compress-target-names-in-SRV-records.patch
+journald-make-it-clear-that-dev_kmsg_record-modifies-the-.patch
+journald-free-the-allocated-memory-before-returning-from-.patch
+resolve-do-not-hit-CNAME-or-DNAME-entry-in-NODATA-cache-9.patch
+Networkd-Start-DHCP-server-when-link-is-up.patch
+journald-fixed-assertion-failure-when-system-journal-rota.patch
+resolve-fix-error-handling-of-dns_name_is_valid.patch
+man-Document-networkd-states-in-networkctl-1-10033.patch
+systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch
+exec-util-in-execute_directories-support-initial-exec-env.patch
+core-execute-environment_generators-with-manager-s-enviro.patch
+core-execute-generators-with-manager-s-environmnet.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch
@@ -26,5 +63,27 @@
 debian/Add-env-variable-for-machine-ID-path.patch
 debian/Revert-udev-rules-Permission-changes-for-dev-dri-renderD.patch
 debian/Revert-systemctl-when-removing-enablement-or-mask-symlink.patch
-debian/Revert-udev-rules-Permission-changes-for-dev-kvm.patch
 debian/Drop-seccomp-system-call-filter-for-udev.patch
+debian/Skip-starting-systemd-remount-fs.service-in-containers.patch
+debian/Ubuntu-UseDomains-by-default.patch
+debian/Ubuntu-core-in-execute-soft-fail-setting-Nice-priority-when.patch
+debian/Ubuntu-units-set-ConditionVirtualization-private-users-on-j.patch
+debian/UBUNTU-drop-kernel.-settings-from-sysctl-defaults-shipped.patch
+debian/UBUNTU-test-test-functions-drop-all-prefixes.patch
+debian/UBUNTU-test-process-util-fails-to-verify-cmdline-changes-in-unpr.patch
+debian/UBUNTU-resolved-disable-global-LLMNR-and-MulticastDNS.patch
+debian/UBUNTU-Add-AssumedApparmorLabel-unconfined-to-timedate1-dbus.patch
+debian/UBUNTU-test-fs-utils-detect-container.patch
+debian/UBUNTU-test-test-functions-launch-qemu-with-vga-none.patch
+debian/UBUNTU-wait-online-exit-if-no-links-are-managed.patch
+debian/UBUNTU-journald.service-set-Nice-1-to-dodge-watchdog-on-soft-loc.patch
+debian/UBUNTU-resolved-Listen-on-both-TCP-and-UDP-by-default.patch
+debian/UBUNTU-networkd-if-RA-was-implicit-do-not-await-ndisc_con.patch
+debian/UBUNTU-units-block-CAP_SYS_MODULE-units-in-containers-too.patch
+debian/UBUNTU-test-execute-fix-execution-expectations-in-container.patch
+debian/UBUNTU-test-fd-util-test_rearrange_stdio-fails-in-a-contain.patch
+debian/UBUNTU-test-sleep-skip-test_fiemap-upon-inapproriate-ioctl-.patch
+debian/UBUNTU-revert-networkd-unify-set-MTU.patch
+debian/UBUNTU-Support-system-image-read-only-etc.patch
+debian/UBUNTU-bump-selftest-timeouts.patch
+debian/UBUNTU-units-disable-journald-watchdog.patch
diff -Nru systemd-239/debian/patches/syslog-fix-segfault-in-syslog_parse_priority.patch
systemd-239/debian/patches/syslog-fix-segfault-in-syslog_parse_priority.patch --- systemd-239/debian/patches/syslog-fix-segfault-in-syslog_parse_priority.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/syslog-fix-segfault-in-syslog_parse_priority.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,105 @@ +From: Yu Watanabe +Date: Wed, 8 Aug 2018 18:27:15 +0900 +Subject: syslog: fix segfault in syslog_parse_priority() + +(cherry picked from commit a5ee33b951cfa22db53d0274c9c6c0d9d4dae39d) +--- + src/basic/syslog-util.c | 20 +++++++++++--------- + src/journal/test-journal-syslog.c | 20 ++++++++++++++++++++ + 2 files changed, 31 insertions(+), 9 deletions(-) + +diff --git a/src/basic/syslog-util.c b/src/basic/syslog-util.c +index 21461fa..fe12948 100644 +--- a/src/basic/syslog-util.c ++++ b/src/basic/syslog-util.c +@@ -10,7 +10,8 @@ + + int syslog_parse_priority(const char **p, int *priority, bool with_facility) { + int a = 0, b = 0, c = 0; +- int k; ++ const char *end; ++ size_t k; + + assert(p); + assert(*p); +@@ -19,21 +20,22 @@ int syslog_parse_priority(const char **p, int *priority, bool with_facility) { + if ((*p)[0] != '<') + return 0; + +- if (!strchr(*p, '>')) ++ end = strchr(*p, '>'); ++ if (!end) + return 0; + +- if ((*p)[2] == '>') { ++ k = end - *p; ++ assert(k > 0); ++ ++ if (k == 2) + c = undecchar((*p)[1]); +- k = 3; +- } else if ((*p)[3] == '>') { ++ else if (k == 3) { + b = undecchar((*p)[1]); + c = undecchar((*p)[2]); +- k = 4; +- } else if ((*p)[4] == '>') { ++ } else if (k == 4) { + a = undecchar((*p)[1]); + b = undecchar((*p)[2]); + c = undecchar((*p)[3]); +- k = 5; + } else + return 0; + +@@ -46,7 +48,7 @@ int syslog_parse_priority(const char **p, int *priority, bool with_facility) { + else + *priority = (*priority & LOG_FACMASK) | c; + +- *p += k; ++ *p += k + 1; + return 1; + } + +diff --git a/src/journal/test-journal-syslog.c b/src/journal/test-journal-syslog.c +index 9ba86f6..c6aadbb 100644 +--- a/src/journal/test-journal-syslog.c ++++ b/src/journal/test-journal-syslog.c +@@ -4,6 +4,7 @@ + #include "journald-syslog.h" + #include "macro.h" + #include "string-util.h" ++#include "syslog-util.h" + + static void test_syslog_parse_identifier(const char* str, + const char *ident, const char*pid, int ret) { +@@ -18,10 +19,29 @@ 
static void test_syslog_parse_identifier(const char* str, + assert_se(pid == pid2 || streq_ptr(pid, pid2)); + } + ++static void test_syslog_parse_priority(const char *str, int priority, int ret) { ++ const char *buf = str; ++ int priority2, ret2; ++ ++ ret2 = syslog_parse_priority(&buf, &priority2, false); ++ ++ assert_se(ret == ret2); ++ if (ret2 == 1) ++ assert_se(priority == priority2); ++} ++ + int main(void) { + test_syslog_parse_identifier("pidu[111]: xxx", "pidu", "111", 11); + test_syslog_parse_identifier("pidu: xxx", "pidu", NULL, 6); + test_syslog_parse_identifier("pidu xxx", NULL, NULL, 0); + ++ test_syslog_parse_priority("<>", 0, 0); ++ test_syslog_parse_priority("<>aaa", 0, 0); ++ test_syslog_parse_priority("", 0, 0); ++ test_syslog_parse_priority("aaa", 0, 0); ++ test_syslog_parse_priority(" ", 0, 0); ++ test_syslog_parse_priority(" aaa", 0, 0); ++ /* TODO: add test cases of valid priorities */ ++ + return 0; + } diff -Nru systemd-239/debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch systemd-239/debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch --- systemd-239/debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/systemctl-correctly-proceed-to-immediate-shutdown-if-sche.patch 2018-10-04 14:58:51.000000000 +0000 
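Review bot: `int priority2, ret2;` in the new `test_syslog_parse_priority()` helper leaves `priority2` uninitialised, yet `syslog_parse_priority()` called with `with_facility` false does `*priority = (*priority & LOG_FACMASK) | c;` (visible as context in the last syslog-util.c hunk), i.e. it reads the caller's value before writing it. The six cases added all expect a return of 0, so that read is not reached today, but the `TODO` asks for valid-priority cases and the first one would read indeterminate memory; initialise it with `int priority2 = 0, ret2;`. The fix in syslog-util.c itself looks sound: `k = end - *p` is at least 1 because `(*p)[0]` is `<` and `end` points at the first `>`, and `*p += k + 1` steps past the closing bracket as the old `k` values did.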
@@ -0,0 +1,33 @@ +From: Dimitri John Ledkov +Date: Tue, 11 Sep 2018 10:41:56 +0100 +Subject: systemctl: correctly proceed to immediate shutdown if scheduling + fails + +Actually check the return code from logind_schedule_shutdown() and proceed to +immediate shutdown if that fails. Negative return codes can be returned if +systemctl is compiled without logind support, or if logind otherwise failed +(either too old, disabled/masked, or it is incomplete +systemd-shim/systemd-service implementation). + +(cherry picked from commit 940bec70bb29b105acefd540cd4c7b0b29571de1) +--- + src/systemctl/systemctl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c +index f072ad0..79de664 100644 +--- a/src/systemctl/systemctl.c ++++ b/src/systemctl/systemctl.c +@@ -8394,8 +8394,10 @@ static int halt_main(void) { + if (r < 0) + return r; + +- if (arg_when > 0) +- return logind_schedule_shutdown(); ++ /* Delayed shutdown requested, and was successful */ ++ if (arg_when > 0 && logind_schedule_shutdown() == 0) ++ return 0; ++ /* no delay, or logind failed or is not at all available */ + + if (geteuid() != 0) { + if (arg_dry_run || arg_force > 0) { diff -Nru systemd-239/debian/patches/timedate-defer-the-property-changed-signal-until-job-of-s.patch systemd-239/debian/patches/timedate-defer-the-property-changed-signal-until-job-of-s.patch --- systemd-239/debian/patches/timedate-defer-the-property-changed-signal-until-job-of-s.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/timedate-defer-the-property-changed-signal-until-job-of-s.patch 2018-10-04 14:58:51.000000000 +0000 
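Review bot: When `logind_schedule_shutdown()` fails, the new condition falls through to an immediate shutdown but the error is discarded without a message, so an operator who asked for a delayed shutdown and got an immediate one has nothing in the log explaining why (unless `logind_schedule_shutdown()` logs internally, which is not visible here). A one-line follow-up directly after the new `if` makes it explicit: `if (arg_when > 0) log_warning("Failed to schedule shutdown via logind, shutting down immediately.");`. The trailing comment `/* no delay, or logind failed or is not at all available */` now dangles after `return 0;`; moving it above the `if (geteuid() != 0)` block it actually introduces reads better. `halt_main()` continues outside the hunk.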
@@ -0,0 +1,177 @@ +From: Yu Watanabe +Date: Sun, 22 Jul 2018 23:10:02 +0900 +Subject: timedate: defer the property changed signal until job of + starting/stopping NTP service is finished + +Before this, the property changed signal is emitted immediately after +StartUnit/StopUnit method is called. So, the running state of the NTP +client service may not updated. +This makes the timing of emitting property changed signal is deferred +until job of starting/stopping NTP client service is completed. + +Fixes #9672. + +(cherry picked from commit 3af0a96c0fcc623bd16649fc3640396a657cf9ef) +--- + src/timedate/timedated.c | 78 ++++++++++++++++++++++++++++++++++++++++-------- + 1 file changed, 65 insertions(+), 13 deletions(-) + +diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c +index a66ea22..3b70939 100644 +--- a/src/timedate/timedated.c ++++ b/src/timedate/timedated.c +@@ -45,6 +45,9 @@ typedef struct Context { + Hashmap *polkit_registry; + sd_bus_message *cache; + ++ sd_bus_slot *slot_job_removed; ++ char *path_ntp_unit; ++ + LIST_HEAD(UnitStatusInfo, units); + } Context; + +@@ -73,6 +76,9 @@ static void context_free(Context *c) { + bus_verify_polkit_async_registry_free(c->polkit_registry); + sd_bus_message_unref(c->cache); + ++ sd_bus_slot_unref(c->slot_job_removed); ++ free(c->path_ntp_unit); ++ + while ((p = c->units)) { + LIST_REMOVE(units, c->units, p); + unit_status_info_free(p); +@@ -344,17 +350,55 @@ static int context_update_ntp_status(Context *c, sd_bus *bus, sd_bus_message *m) + return 0; + } + +-static int unit_start_or_stop(UnitStatusInfo *u, sd_bus *bus, sd_bus_error *error, bool start) { ++static int match_job_removed(sd_bus_message *m, void *userdata, sd_bus_error *error) { ++ const char *path; ++ Context *c = userdata; ++ int r; ++ ++ assert(c); ++ assert(m); ++ ++ r = sd_bus_message_read(m, "uoss", NULL, &path, NULL, NULL); ++ if (r < 0) { ++ bus_log_parse_error(r); ++ return 0; ++ } ++ ++ if (!streq_ptr(path, c->path_ntp_unit)) ++ return 
0; ++ ++ (void) sd_bus_emit_properties_changed(sd_bus_message_get_bus(m), "/org/freedesktop/timedate1", "org.freedesktop.timedate1", "NTP", NULL); ++ ++ c->slot_job_removed = sd_bus_slot_unref(c->slot_job_removed); ++ c->path_ntp_unit = mfree(c->path_ntp_unit); ++ ++ return 0; ++} ++ ++static int unit_start_or_stop(Context *c, UnitStatusInfo *u, sd_bus *bus, sd_bus_error *error, bool start) { ++ _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; ++ _cleanup_(sd_bus_slot_unrefp) sd_bus_slot *slot = NULL; ++ const char *path; + int r; + ++ assert(c); + assert(u); + assert(bus); + assert(error); + +- /* Call context_update_ntp_status() to update UnitStatusInfo before calling this. */ ++ /* This method may be called frequently. Forget the previous job if it has not completed yet. */ ++ c->slot_job_removed = sd_bus_slot_unref(c->slot_job_removed); + +- if (streq(u->active_state, "active") == start) +- return 0; ++ r = sd_bus_match_signal_async( ++ bus, ++ &slot, ++ "org.freedesktop.systemd1", ++ "/org/freedesktop/systemd1", ++ "org.freedesktop.systemd1.Manager", ++ "JobRemoved", ++ match_job_removed, NULL, c); ++ if (r < 0) ++ return r; + + r = sd_bus_call_method( + bus, +@@ -363,13 +407,22 @@ static int unit_start_or_stop(UnitStatusInfo *u, sd_bus *bus, sd_bus_error *erro + "org.freedesktop.systemd1.Manager", + start ? 
"StartUnit" : "StopUnit", + error, +- NULL, ++ &reply, + "ss", + u->name, + "replace"); + if (r < 0) + return r; + ++ r = sd_bus_message_read(reply, "o", &path); ++ if (r < 0) ++ return bus_log_parse_error(r); ++ ++ r = free_and_strdup(&c->path_ntp_unit, path); ++ if (r < 0) ++ return log_oom(); ++ ++ c->slot_job_removed = TAKE_PTR(slot); + return 0; + } + +@@ -421,8 +474,9 @@ static int unit_enable_or_disable(UnitStatusInfo *u, sd_bus *bus, sd_bus_error * + error, + NULL, + NULL); +- if (r < 0) +- return r; ++ if (r < 0) ++ return r; ++ + return 0; + } + +@@ -812,7 +866,7 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error + if (q < 0) + r = q; + +- q = unit_start_or_stop(u, bus, error, enable); ++ q = unit_start_or_stop(c, u, bus, error, enable); + if (q < 0) + r = q; + } +@@ -826,17 +880,17 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error + if (r < 0) + continue; + +- r = unit_start_or_stop(u, bus, error, enable); ++ r = unit_start_or_stop(c, u, bus, error, enable); + break; + } + +- else if (context_ntp_service_is_active(c) <= 0) ++ else + LIST_FOREACH(units, u, c->units) { + if (!streq(u->load_state, "loaded") || + !streq(u->unit_file_state, "enabled")) + continue; + +- r = unit_start_or_stop(u, bus, error, enable); ++ r = unit_start_or_stop(c, u, bus, error, enable); + break; + } + +@@ -845,8 +899,6 @@ static int method_set_ntp(sd_bus_message *m, void *userdata, sd_bus_error *error + + log_info("Set NTP to %sd", enable_disable(enable)); + +- (void) sd_bus_emit_properties_changed(bus, "/org/freedesktop/timedate1", "org.freedesktop.timedate1", "NTP", NULL); +- + return sd_bus_reply_method_return(m, NULL); + } + diff -Nru systemd-239/debian/patches/timedate-increment-reference-count-of-sd_bus_message.patch systemd-239/debian/patches/timedate-increment-reference-count-of-sd_bus_message.patch --- systemd-239/debian/patches/timedate-increment-reference-count-of-sd_bus_message.patch 1970-01-01 
00:00:00.000000000 +0000 +++ systemd-239/debian/patches/timedate-increment-reference-count-of-sd_bus_message.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,64 @@ +From: Yu Watanabe +Date: Sat, 21 Jul 2018 23:07:53 +0900 +Subject: timedate: increment reference count of sd_bus_message + +The commit 5d280742b645a69a19e7f9131adc0c95f5c7fa07 introduces a +barrier to suppress calling context_update_ntp_status() multiple times. +However, it just stores the address of sd_bus_message object. So, +when an address is reused on the subsequent message, then the status +of NTP clients are not updated. + +This makes the stored message object is referenced by the context +object. So, the subsequent message is on cirtainly different address. + +(cherry picked from commit 2770af85ac04fd14af2f6bcdf4d3967ed6f2e36f) +--- + src/timedate/timedated.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c +index 82eb213..a66ea22 100644 +--- a/src/timedate/timedated.c ++++ b/src/timedate/timedated.c +@@ -43,6 +43,7 @@ typedef struct Context { + char *zone; + bool local_rtc; + Hashmap *polkit_registry; ++ sd_bus_message *cache; + + LIST_HEAD(UnitStatusInfo, units); + } Context; +@@ -70,6 +71,7 @@ static void context_free(Context *c) { + + free(c->zone); + bus_verify_polkit_async_registry_free(c->polkit_registry); ++ sd_bus_message_unref(c->cache); + + while ((p = c->units)) { + LIST_REMOVE(units, c->units, p); +@@ -301,18 +303,20 @@ static int context_update_ntp_status(Context *c, sd_bus *bus, sd_bus_message *m) + { "UnitFileState", "s", NULL, offsetof(UnitStatusInfo, unit_file_state) }, + {} + }; +- static sd_bus_message *_m = NULL; + UnitStatusInfo *u; + int r; + + assert(c); + assert(bus); + +- /* Suppress multiple call of context_update_ntp_status() within single DBus transaction. */ +- if (m && m == _m) +- return 0; ++ /* Suppress calling context_update_ntp_status() multiple times within single DBus transaction. 
*/ ++ if (m) { ++ if (m == c->cache) ++ return 0; + +- _m = m; ++ sd_bus_message_unref(c->cache); ++ c->cache = sd_bus_message_ref(m); ++ } + + LIST_FOREACH(units, u, c->units) { + _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL; diff -Nru systemd-239/debian/patches/umount-Don-t-use-options-from-fstab-on-remount.patch systemd-239/debian/patches/umount-Don-t-use-options-from-fstab-on-remount.patch --- systemd-239/debian/patches/umount-Don-t-use-options-from-fstab-on-remount.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-239/debian/patches/umount-Don-t-use-options-from-fstab-on-remount.patch 2018-10-04 14:58:51.000000000 +0000 
@@ -0,0 +1,77 @@ +From: aszlig +Date: Mon, 20 Aug 2018 05:33:58 +0200 +Subject: umount: Don't use options from fstab on remount + +The fstab entry may contain comment/application-specific options, like +for example x-systemd.automount or x-initrd.mount. + +With the recent switch to libmount, the mount options during remount are +now gathered via mnt_fs_get_options(), which returns the merged fstab +options with the effective options in mountinfo. + +Unfortunately if one of these application-specific options are set in +fstab, the remount will fail with -EINVAL. + +In systemd 238: + + Remounting '/test-x-initrd-mount' read-only in with options + 'errors=continue,user_xattr,acl'. + +In systemd 239: + + Remounting '/test-x-initrd-mount' read-only in with options + 'errors=continue,user_xattr,acl,x-initrd.mount'. + Failed to remount '/test-x-initrd-mount' read-only: Invalid argument + +So instead of using mnt_fs_get_options(), we're now using both +mnt_fs_get_fs_options() and mnt_fs_get_vfs_options() and merging the +results together so we don't get any non-relevant options from fstab. 
+ +Signed-off-by: aszlig +(cherry picked from commit 66c91c3a23f684482e33e54c7bbaaf69384b7d11) +(cherry picked from commit c38499d476026d999558a7eee9c95ca2fa41e115) +--- + src/core/umount.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/core/umount.c b/src/core/umount.c +index 241fe6f..8ed1074 100644 +--- a/src/core/umount.c ++++ b/src/core/umount.c +@@ -72,7 +72,8 @@ int mount_points_list_get(const char *mountinfo, MountPoint **head) { + + for (;;) { + struct libmnt_fs *fs; +- const char *path, *options, *fstype; ++ const char *path, *fstype; ++ _cleanup_free_ char *options = NULL; + _cleanup_free_ char *p = NULL; + unsigned long remount_flags = 0u; + _cleanup_free_ char *remount_options = NULL; +@@ -92,9 +93,25 @@ int mount_points_list_get(const char *mountinfo, MountPoint **head) { + if (cunescape(path, UNESCAPE_RELAX, &p) < 0) + return log_oom(); + +- options = mnt_fs_get_options(fs); + fstype = mnt_fs_get_fstype(fs); + ++ /* Combine the generic VFS options with the FS-specific ++ * options. Duplicates are not a problem here, because the only ++ * options that should come up twice are typically ro/rw, which ++ * are turned into MS_RDONLY or the invertion of it. ++ * ++ * Even if there are duplicates later in mount_option_mangle() ++ * it shouldn't hurt anyways as they override each other. ++ */ ++ if (!strextend_with_separator(&options, ",", ++ mnt_fs_get_vfs_options(fs), ++ NULL)) ++ return log_oom(); ++ if (!strextend_with_separator(&options, ",", ++ mnt_fs_get_fs_options(fs), ++ NULL)) ++ return log_oom(); ++ + /* Ignore mount points we can't unmount because they + * are API or because we are keeping them open (like + * /dev/console). Also, ignore all mounts below API diff -Nru systemd-239/debian/rules systemd-239/debian/rules --- systemd-239/debian/rules 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/rules 2018-10-04 14:58:51.000000000 +0000 
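Review bot: The comment on the new option-merging block spells `invertion`; `inversion` is meant. The block also relies on `strextend_with_separator()` stopping at its first NULL argument, so a NULL from `mnt_fs_get_vfs_options()` or `mnt_fs_get_fs_options()` leaves `options` unchanged (possibly still NULL, as `mnt_fs_get_options()` could return before); that is worth one sentence in the same comment, e.g. `/* A NULL result from either getter ends the argument list and leaves options as it was. */` (libmount's NULL-return behaviour is inferred, not shown in this hunk).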
@@ -65,7 +65,8 @@
 -Dsystem-uid-max=999 \
 -Dsystem-gid-max=999 \
 -Dnobody-user=nobody \
- -Dnobody-group=nogroup
+ -Dnobody-group=nogroup \
+ -Ddev-kvm-mode=0660
 
 # resolved's DNSSEC support is still not mature enough, don't enable it by
 # default on stable Debian or any Ubuntu releases
@@ -196,7 +197,6 @@
 rm -f debian/install/*/usr/share/doc/systemd/LICENSE.*
 rm -f debian/install/*/var/log/README
 rm -f debian/install/*/etc/init.d/README
- rm -f debian/install/*/usr/lib/sysctl.d/50-default.conf
 rm -f debian/install/*/etc/X11/xinit/xinitrc.d/50-systemd-user.sh
 rmdir -p --ignore-fail-on-non-empty debian/install/*/etc/X11/xinit/xinitrc.d/
 rm -f debian/install/*/lib/systemd/system/halt-local.service
@@ -252,13 +252,15 @@
 install --mode=644 debian/extra/rules-ubuntu/*.rules debian/udev/lib/udev/rules.d/
 cp -a debian/extra/units-ubuntu/* debian/systemd/lib/systemd/system/
 install --mode=755 debian/extra/set-cpufreq debian/systemd/lib/systemd/
+ install -D --mode=755 debian/extra/dhclient-enter-resolved-hook debian/systemd/etc/dhcp/dhclient-enter-hooks.d/resolved
 endif
 
 override_dh_missing:
 dh_missing --sourcedir debian/install/deb $(DH_MISSING)
 
 override_dh_installinit:
- dh_installinit --no-start
+ dh_installinit --no-scripts -psystemd
+ dh_installinit --no-start -Nsystemd
 
 PROJECT_VERSION ?= $(shell awk '/PACKAGE_VERSION/ {print $$3}' build-deb/config.h | tr -d \")
 
diff -Nru systemd-239/debian/systemd.postinst systemd-239/debian/systemd.postinst
--- systemd-239/debian/systemd.postinst 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/systemd.postinst 2018-10-04 14:58:51.000000000 +0000
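Review bot: Dropping the `rm -f debian/install/*/usr/lib/sysctl.d/50-default.conf` line means upstream's sysctl defaults are shipped again and take effect on every upgraded system, not only on fresh installs, yet nothing in the rules file records which tunables that file now carries or how it is reconciled with the existing /etc/sysctl.d snippets (upstream's file presumably covers networking and hardening knobs such as rp_filter and the protected_* settings, which an admin may have deliberately set differently). Since sysctl.d precedence is by file name across /usr/lib, /run and /etc, a short comment at this spot — `# 50-default.conf is now shipped; entries are overridable by same-named or later files in /etc/sysctl.d` — plus a changelog note would let administrators audit the change before rebooting.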
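Review bot: The `install -D --mode=755 debian/extra/dhclient-enter-resolved-hook` line places a script into /etc/dhcp/dhclient-enter-hooks.d/, a directory whose files dhclient-script sources as root with the DHCP-supplied `$new_domain_name`, `$new_domain_search` and `$new_domain_name_servers` variables in scope, so everything the hook consumes is attacker-controlled LAN input. The hook itself is not in this hunk; confirm that it never lets those values reach `eval`, an unquoted expansion or a command name, and that it hands them to the resolved client as discrete, quoted arguments, because option-injection through dhclient hooks has been a real bug class. A header comment in the hook naming the variables it trusts and the interface it writes to would make that audit repeatable, and a line here noting that the file becomes a conffile under /etc would explain why it is installed from rules rather than via a .install file.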
@@ -39,6 +39,32 @@
 systemctl enable systemd-timesyncd.service || true
 fi
 
+# Enable resolved by default on new installs installs and upgrades
+if dpkg --compare-versions "$2" lt "234-1ubuntu2~"; then
+ systemctl enable systemd-resolved.service || true
+fi
+
+# Drop stock /etc/rc.local on upgrades
+if dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then
+ if [ -f /etc/rc.local ]; then
+ if [ "10fd9f051accb6fd1f753f2d48371890" = "$(md5sum /etc/rc.local | cut -d\ -f1)" ]; then
+ echo Removing empty /etc/rc.local
+ rm -f /etc/rc.local || true
+ fi
+ fi
+fi
+
+# Use stub resolve.conf by default on new installs
+if [ -z "$2" ]; then
+ mkdir -p /run/systemd/resolve
+ if [ -e /etc/resolv.conf ]; then
+ cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf
+ fi
+ # If /etc/resolv.conf is a bind-mount, moving or replacing
+ # /etc/resolv.conf may fail
+ ln -snf ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf || true
+fi
+
 # Enable ondemand by default on new installs installs and upgrades
 if [ -e /lib/systemd/system/ondemand.service ] && dpkg --compare-versions "$2" lt "231-7~"; then
 systemctl enable ondemand.service || true
@@ -96,6 +122,15 @@
 # Setup system users and groups
 addgroup --quiet --system systemd-journal
 
+# Enable persistent journal, in auto-mode, by default on new installs installs and upgrades
+if dpkg --compare-versions "$2" lt "235-3ubuntu3~"; then
+ mkdir -p /var/log/journal
+ # create tmpfiles only when running systemd, otherwise %b substitution fails
+ if [ -d /run/systemd/system ]; then
+ systemd-tmpfiles --create --prefix /var/log/journal
+ fi
+fi
+
 # We need to stop running services before we call adduser
 RESTART=""
 if dpkg --compare-versions "$2" lt-nl "239-6"; then
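Review bot: The stub bootstrap at `mkdir -p /run/systemd/resolve` and `cp /etc/resolv.conf /run/systemd/resolve/stub-resolv.conf` creates a root-owned directory and file before systemd-resolved has ever run, and from then on /etc/resolv.conf is a symlink to that copy; if resolved runs as an unprivileged user (its unit is not visible here) it has to be able to rename its own stub-resolv.conf into that pre-created directory, so confirm that the unit's RuntimeDirectory= handling re-owns an already existing /run/systemd/resolve — otherwise the copied, possibly stale nameservers stay in effect and the failure is visible only in the journal. Note also that `[ -e /etc/resolv.conf ]` follows symlinks, so a dangling link (common after removing resolvconf) is skipped and the new symlink points at a file that does not exist until resolved first writes it; a comment saying that this window is accepted would help. The comment has two slips: `resolve.conf` should be `resolv.conf`, and `new installs installs` repeats a word.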
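Review bot: `mkdir -p /var/log/journal` creates the directory as root:root with the umask default, and the `systemd-tmpfiles --create --prefix /var/log/journal` that presumably applies the journal group ownership, setgid bit and read ACLs only runs when `/run/systemd/system` exists; in a chroot or image build the directory is therefore left at plain 0755 root:root, and whether the group rules are ever applied depends on tmpfiles-setup running on the first boot. Because `addgroup --quiet --system systemd-journal` runs just above, a cheap fallback for the non-systemd branch is `else chgrp systemd-journal /var/log/journal && chmod 2755 /var/log/journal; fi`, with a comment that the ACLs are added by tmpfiles later. The log files themselves are created by journald with its own mode, so the exposure is limited to the directory, but the asymmetry between the two code paths should at least be stated in the existing comment.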
@@ -117,6 +152,13 @@
 # Initial update of the Message Catalogs database
 _update_catalog
 
+# Disable networkd when upgrading from broken versions 8..10. Turns out
+# enabling networkd unconditionally has long boot time side-effects
+if dpkg --compare-versions "$2" gt "234-2ubuntu8~" &&
+ dpkg --compare-versions "$2" lt "234-2ubuntu11~"; then
+ systemctl disable systemd-networkd-wait-online.service || true
+fi
+
 if [ -n "$2" ]; then
 _systemctl daemon-reexec || true
 # don't restart logind; this can be done again once this gets implemented:
@@ -155,4 +197,10 @@
 rm -f /var/lib/systemd/clock
 fi
 
+# Process all tmpfiles that we ship, including any overrides in
+# runtime-dir/sysadmin-dir/other packages (e.g. rsyslog)
+#
+# Ignore if this fails, because e.g. %b will fail on WSL
+systemd-tmpfiles --create || :
+
 #DEBHELPER#
diff -Nru systemd-239/debian/systemd.postrm systemd-239/debian/systemd.postrm
--- systemd-239/debian/systemd.postrm 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/systemd.postrm 2018-10-04 14:58:51.000000000 +0000
@@ -8,6 +8,7 @@
 rm -f /etc/systemd/system/getty.target.wants/getty@tty1.service
 rm -f /etc/systemd/system/multi-user.target.wants/remote-fs.target
 rm -f /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service
+ rm -f /etc/systemd/system/dbus-org.freedesktop.timesync1.service
 rmdir --ignore-fail-on-non-empty /etc/systemd/system/getty.target.wants 2> /dev/null || true
 rmdir --ignore-fail-on-non-empty /etc/systemd/system/multi-user.target.wants 2> /dev/null || true
 rmdir --ignore-fail-on-non-empty /etc/systemd/system/sysinit.target.wants 2> /dev/null || true
diff -Nru systemd-239/debian/systemd.prerm systemd-239/debian/systemd.prerm
--- systemd-239/debian/systemd.prerm 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/systemd.prerm 1970-01-01 00:00:00.000000000 +0000
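Review bot: `systemd-tmpfiles --create || :` discards every failure, not just the WSL `%b` case the comment names, so a tmpfiles.d entry from any package that cannot be applied (wrong owner, missing parent, unsupported specifier) is skipped while the package still configures successfully. Since this call applies ownership and mode changes system-wide as root, the status is worth surfacing even when it is tolerated: `systemd-tmpfiles --create || echo "systemd-tmpfiles --create failed (ignored)" >&2`. If the intent is to tolerate only the WSL case, a guard such as `[ -d /run/systemd/system ]`, as the journal block earlier in this script already does, would be narrower than swallowing everything.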
@@ -1,15 +0,0 @@ -#! /bin/sh - -set -e - -# -# Prevent systemd from being removed if it's the active init. That -# will not work. -# - -if [ "$1" = "remove" ] && [ -d /run/systemd/system ]; then - echo "systemd is the active init system, please switch to another before removing systemd." - exit 1 -fi - -#DEBHELPER# diff -Nru systemd-239/debian/tests/boot-and-services systemd-239/debian/tests/boot-and-services --- systemd-239/debian/tests/boot-and-services 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/tests/boot-and-services 2018-10-04 14:58:51.000000000 +0000 @@ -61,12 +61,14 @@ subprocess.call(['journalctl', '-b', '-u', f]) self.assertEqual(failed, []) - def test_lightdm(self): - out = subprocess.check_output(['ps', 'u', '-C', 'lightdm']) - self.assertIn(b'lightdm --session', out) + @unittest.skipUnless(subprocess.call(['which', 'gdm3'], stdout=subprocess.DEVNULL) == 0, 'gdm3 not found') + @unittest.skipUnless(subprocess.call(['ps', 'u', '-C', 'gdm-x-session'], stdout=subprocess.DEVNULL) == 0, 'gdm-x-session failed to start') + def test_gdm3(self): + out = subprocess.check_output(['ps', 'u', '-C', 'gdm-x-session']) + self.assertIn(b'gdm-x-session gnome-session', out) out = subprocess.check_output(['ps', 'u', '-C', 'Xorg']) - self.assertIn(b':0', out) - self.active_unit('lightdm') + self.assertIn(b'Xorg vt1', out) + self.active_unit('gdm') def test_dbus(self): out = subprocess.check_output( @@ -105,7 +107,12 @@ with open('/var/log/syslog') as f: log = f.read() # has kernel messages - self.assertRegex(log, 'kernel:.*[cC]ommand line:') + try: + self.assertRegex(log, 'kernel:.*[cC]ommand line:') + except AssertionError: + # hm syslog is trimmed, for some reason?! + subprocess.call(['journalctl', '-k']) + self.assertRegex(log, 'kernel:.*') # has init messages self.assertRegex(log, 'systemd.*Reached target Graphical Interface') # has other services 
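Review bot: The `except AssertionError:` fallback replaces the `[cC]ommand line:` check with `self.assertRegex(log, 'kernel:.*')`, which any single kernel line satisfies, so the test no longer verifies that the boot kernel messages reached syslog but still reports a pass; a weakened expectation should be visible, for example `self.skipTest('syslog trimmed: kernel command line not found')` after dumping the journal, or keep the original assertion and attach the journal as its message. `subprocess.call(['journalctl', '-k'])` prints to stdout for a human to find; `subprocess.check_output(['journalctl', '-k'])` passed as the `msg` argument would keep the diagnostics next to the failure. The enclosing test method starts before this hunk.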
@@ -245,7 +252,7 @@
 subprocess.call(['journalctl', '--sync'])
 systemctl = subprocess.Popen(
 ['systemctl', 'status', '-overbose', '-l', 'systemd-nspawn@c1'],
- stdout=subprocess.PIPE)
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
 out = systemctl.communicate()[0].decode('UTF-8', 'replace')
 self.assertEqual(systemctl.returncode, 3, out)
 self.assertNotIn('failed', out)
diff -Nru systemd-239/debian/tests/boot-smoke systemd-239/debian/tests/boot-smoke
--- systemd-239/debian/tests/boot-smoke 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/tests/boot-smoke 2018-10-04 14:58:51.000000000 +0000
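Review bot: `stderr=subprocess.PIPE` is added to the Popen call, but the next line still keeps only `communicate()[0]`, so whatever systemctl wrote to stderr is captured and then discarded — it never reaches the assertion message. Read both streams, `out, err = systemctl.communicate()`, decode them the same way and pass `out + err` as the message to the two assertions that follow. If the intent was merely to silence stderr, `stderr=subprocess.DEVNULL` states that more clearly than a pipe nobody reads. The enclosing test method starts before this hunk.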
@@ -29,32 +29,59 @@
 done
 fi
 else
+ ret=0
+
+ echo "waiting to boot..."
+ TIMEOUT=35
+ while [ $TIMEOUT -ge 0 ]; do
+ state="$(systemctl is-system-running || true)"
+ case $state in
+ running|degraded)
+ break
+ ;;
+ *)
+ sleep 1
+ TIMEOUT=$((TIMEOUT - 1))
+ ;;
+ esac
+ done
+
 echo "checking for failed unmounts for user systemd"
 JOURNAL=$(journalctl)
 if echo "$JOURNAL" | grep -E "systemd\[([2-9]|[1-9][0-9]+)\].*Failed unmounting"; then
- exit 1
+ ret=1
 fi
 
- echo "checking for connection timeouts"
+ echo "checking for connection timeouts (non fatal)"
 if echo "$JOURNAL" | grep "Connection timed out"; then
- exit 1
+ # systemd-udevd started to time out resolving group 'colord'
+ # yet, not reproducible locally, investigating
+ ret=0
 fi
 
 echo "checking that polkitd runs"
- pidof polkitd
+ if ! pidof polkitd; then
+ echo "polkitd is NOT running"
+ ret=1
+ fi
+
+ echo "checking failed jobs (non fatal)"
+ if [ "$state" != "running" ]; then
+ echo "systemctl is-system-running returns: $state"
+ systemctl --no-pager --no-legend list-jobs > $ADT_ARTIFACTS/running-jobs.txt || true
+ fi
 
 echo "checking that there are no running jobs"
- TIMEOUT=10
- while [ $TIMEOUT -ge 0 ]; do
- running="$(systemctl --no-pager --no-legend list-jobs || true)"
- [ -n "$running" ] || break
- TIMEOUT=$((TIMEOUT - 1))
- done
+ running="$(systemctl --no-pager --no-legend list-jobs || true)"
 if [ -n "$running" ]; then
 echo "running jobs after remaining timeout $TIMEOUT: $running"
 journalctl --sync
 journalctl -ab > $ADT_ARTIFACTS/journal.txt
 udevadm info --export-db > $ADT_ARTIFACTS/udevdb.txt
- exit 1
+ ret=1
+ fi
+
+ if [ "$ret" != "0" ]; then
+ exit $ret
 fi
 fi
diff -Nru systemd-239/debian/tests/control systemd-239/debian/tests/control
--- systemd-239/debian/tests/control 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/tests/control 2018-10-04 14:58:51.000000000 +0000
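Review bot: `ret=0` in the "Connection timed out" branch overwrites a `ret=1` that the failed-unmount check just above may already have recorded, so a boot that both failed an unmount and logged a connection timeout passes the test; a non-fatal check must leave `ret` alone, e.g. replace `ret=0` with `: # non-fatal, see above`. The message `running jobs after remaining timeout $TIMEOUT` now reports the boot-wait countdown rather than a jobs wait, because the polling loop around `list-jobs` was removed; either drop `$TIMEOUT` from the message or poll the job list again before declaring failure. `$ADT_ARTIFACTS/running-jobs.txt` is an unquoted redirection target, as are the two existing artifact paths below it; quoting them costs nothing.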
@@ -1,5 +1,6 @@
 Tests: timedated, hostnamed, localed-locale, localed-x11-keymap
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -8,6 +9,7 @@
 
 Tests: logind
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -17,6 +19,7 @@
 
 Tests: unit-config
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -28,6 +31,7 @@
 
 Tests: storage
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -41,6 +45,7 @@
 Tests: networkd-test.py
 Tests-Directory: test
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -56,6 +61,7 @@
 
 Tests: build-login
 Depends: systemd,
+ udev,
 libpam-systemd,
 libnss-systemd,
 acl,
@@ -73,13 +79,14 @@
 
 Tests: boot-and-services
 Depends: systemd-sysv,
+ systemd,
+ udev,
 systemd-container,
 systemd-coredump,
 libpam-systemd,
 xserver-xorg-video-dummy,
 xserver-xorg,
- lightdm,
- lightdm-gtk-greeter | lightdm-greeter,
+ gdm3 [!s390x],
 cron,
 network-manager,
 busybox-static,
@@ -90,6 +97,7 @@
 
 Tests: udev
 Depends: systemd-tests,
+ udev,
 python3,
 tree,
 perl,
@@ -98,6 +106,7 @@
 
 Tests: root-unittests
 Depends: systemd-tests,
+ udev,
 libpam-systemd,
 tree,
 perl,
@@ -125,7 +134,9 @@
 isc-dhcp-client,
 iputils-ping,
 strace,
- qemu-system-x86 [amd64],
+ qemu-system-x86 [amd64 i386],
+ qemu-system-arm [arm64 armhf],
+ qemu-system-s390x [s390x],
 less,
 pkg-config,
 gcc,
@@ -165,9 +176,11 @@
 systemd-journal-remote,
 systemd-container,
 systemd-sysv,
+ systemd,
+ udev,
 network-manager,
 policykit-1,
- lightdm,
+ gdm3 [!s390x],
 xserver-xorg-video-dummy,
 Restrictions: needs-recommends, needs-root, isolation-container, allow-stderr, breaks-testbed
 
diff -Nru systemd-239/debian/tests/systemd-fsckd systemd-239/debian/tests/systemd-fsckd
--- systemd-239/debian/tests/systemd-fsckd 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/tests/systemd-fsckd 2018-10-04 14:58:51.000000000 +0000
@@ -7,6 +7,7 @@
 import inspect
 import fileinput
 import os
+import platform
 import subprocess
 import shutil
 import stat
@@ -44,6 +45,7 @@ # ensure we have our root fsck enabled by default (it detects it runs in a vm and doesn't pull the target) # note that it can already exists in case of a reboot (as there was no tearDown as we wanted) os.makedirs(os.path.dirname(SYSTEMD_FSCK_ROOT_ENABLE_PATH), exist_ok=True) + os.makedirs('/var/log/journal', exist_ok=True) with suppress(FileExistsError): os.symlink(SYSTEMD_FSCK_ROOT_PATH, SYSTEMD_FSCK_ROOT_ENABLE_PATH) enable_plymouth() @@ -96,7 +98,10 @@ self.assertFsckdStop() self.assertWasRunning('process-killer') self.assertFalse(self.is_failed_unit('process-killer')) - self.assertFsckProceeded() + self.assertWasRunning('systemd-fsckd') + self.assertFalse(self.is_failed_unit('systemd-fsckd')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) + self.assertWasRunning('plymouth-start') self.assertSystemRunning() def test_systemd_fsck_with_failure(self): @@ -120,11 +125,12 @@ else: self.assertFsckdStop() self.assertProcessKilled() - self.assertFalse(self.is_failed_unit('systemd-fsck-root')) + self.assertTrue(self.is_failed_unit('systemd-fsck-root')) self.assertTrue(self.is_failed_unit('systemd-fsckd')) self.assertWasRunning('plymouth-start') self.assertSystemRunning() + @unittest.expectedFailure def test_systemd_fsck_with_plymouth_failure(self): '''Ensure that a failing plymouth doesn't prevent fsckd to reconnect/exit''' if not self._after_reboot: @@ -219,7 +225,7 @@ subprocess.check_call(['systemctl', 'enable', 'process-killer'], stderr=subprocess.DEVNULL) -def enable_plymouth(enable=True): +def enable_plymouth_grub(enable=True): '''ensure plymouth is enabled in grub config (doesn't reboot)''' plymouth_enabled = 'splash' in open('/boot/grub/grub.cfg').read() if enable and not plymouth_enabled: 
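Review bot: The flipped assertion `self.assertTrue(self.is_failed_unit('systemd-fsck-root'))` (and the same flip in the process-killer test above it) turns "root fsck must not fail" into "root fsck must fail" without a comment saying why a failed root fsck is now the expected outcome; if this codifies a known regression, marking the test `@unittest.expectedFailure` with a bug reference — as the plymouth test in this very hunk does — keeps the intent recoverable, whereas asserting failure means a later fix will break the test and look like a regression itself. At minimum add `# systemd-fsck-root is expected to fail here because …` above the assertion, with the reason filled in. The enclosing test methods start before their respective hunks.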
@@ -238,6 +244,23 @@ subprocess.check_call(['update-grub'], stderr=subprocess.DEVNULL) +def enable_plymouth_zipl(enable=True, ziplconf='/etc/zipl.conf'): + '''ensure plymouth is enabled in zipl config (doesn't reboot)''' + plymouth_enabled = 'splash' in open(ziplconf).read() + if enable and not plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/^\(parameters.*\)/\\1 splash quiet/', ziplconf], stderr=subprocess.DEVNULL) + elif not enable and plymouth_enabled: + subprocess.check_call(['sed', '-i', 's/ splash quiet//g', ziplconf], stderr=subprocess.DEVNULL) + subprocess.check_call(['zipl'], stderr=subprocess.DEVNULL) + + +def enable_plymouth(enable=True): + if platform.processor() == 's390x': + enable_plymouth_zipl(enable) + else: + enable_plymouth_grub(enable) + + def boot_with_systemd_distro(): '''Reboot with systemd as init and distro setup for grub''' enable_plymouth() @@ -259,6 +282,10 @@ print('SKIP: root file system is being checked by initramfs already') sys.exit(0) + if platform.processor() == 'aarch64': + print('SKIP: cannot reboot properly on arm64, see https://bugs.launchpad.net/ubuntu/+source/nova/+bug/1748280') + sys.exit(0) + all_tests = getAllTests(FsckdTest) reboot_marker = os.getenv('ADT_REBOOT_MARK') diff -Nru systemd-239/debian/tests/upstream systemd-239/debian/tests/upstream --- systemd-239/debian/tests/upstream 2018-07-22 11:40:15.000000000 +0000 +++ systemd-239/debian/tests/upstream 2018-10-04 14:58:51.000000000 +0000 
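Review bot: `'s/^\(parameters.*\)/\\1 splash quiet/'` is a non-raw string, so `\(` and `\)` are invalid escape sequences that Python only tolerates with a warning, and only `\\1` is an intended escape; write the sed expression as `r's/^\(parameters.*\)/\1 splash quiet/'` and treat the removal pattern the same way. `platform.processor()` is documented as unreliable on Linux (it can be empty), so the `== 's390x'` dispatch in `enable_plymouth` and the `== 'aarch64'` skip in the next hunk should compare `platform.machine()` instead. The docstring says "(doesn't reboot)" but the function also runs `zipl`, which rewrites the boot record, and `open(ziplconf).read()` leaves the handle to the garbage collector — `with open(ziplconf) as f:` closes it deterministically.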
@@ -5,7 +5,7 @@
 
 # even after installing policycoreutils this fails with
 # "Failed to install /usr/libexec/selinux/hll/pp"
-BLACKLIST="TEST-06-SELINUX"
+BLACKLIST="TEST-06-SELINUX TEST-16-EXTEND-TIMEOUT"
 
 # quiesce Makefile.guess; not really relevant as systemd/nspawn run from
 # installed packages
diff -Nru systemd-239/debian/udev-udeb.install systemd-239/debian/udev-udeb.install
--- systemd-239/debian/udev-udeb.install 2018-07-22 11:40:15.000000000 +0000
+++ systemd-239/debian/udev-udeb.install 2018-10-04 14:58:51.000000000 +0000
@@ -18,3 +18,4 @@
 ../../extra/rules/73-special-net-names.rules lib/udev/rules.d/
 ../../extra/rules/73-usb-net-by-mac.rules lib/udev/rules.d/
 ../../extra/start-udev lib/debian-installer/
+../../extra/modprobe.d-udeb/scsi-mod-scan-sync.conf lib/modprobe.d/