Patch systemd CVEs: 2019-3842, 2019-3843, 2019-3844, 2019-6454, 2019-20386, 2020-1712, 2020-13776 (#248)

* Patch CVE-2019-3842

* Patch CVE-2019-3843

* Fix URL in CVE-2019-3843.patch

* Patch CVE-2019-3844

* Patch CVE-2019-6454

* Update CVE-2019-6454 patch

* Patch CVE-2019-20386

* Patch CVE-2020-1712

* Patch CVE-2020-13776

* Update toolchain txt files

* Update systemd-bootstrap

* Fix toolchain aarch64

* Fix linting for systemd-bootstrap

* Address more systemd-bootstrap linting

* Address systemd spec linting

* Add newline at end of systemd spec

* Fix systemd-bootstrap spec
This commit is contained in:
Nicolas Ontiveros 2020-11-03 15:40:13 -08:00 committed by GitHub
parent d8f24c1187
commit c98d311027
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1626 additions and 217 deletions


@ -0,0 +1,10 @@
--- a/src/login/logind-button.c
+++ b/src/login/logind-button.c
@@ -341,6 +341,7 @@
(void) button_set_mask(b);
+ b->io_event_source = sd_event_source_unref(b->io_event_source);
r = sd_event_add_io(b->manager->event, &b->io_event_source, b->fd, EPOLLIN, button_dispatch, b);
if (r < 0) {
log_error_errno(r, "Failed to add button event: %m");
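Review bot: The patch file carries no provenance header, so nothing in it records which upstream change or CVE this one-line fix backports (from the commit message it is presumably the button_open() leak, CVE-2019-20386); a DEP-3 style header with `Subject:`, `Origin:` and `Bug:` lines pointing at the upstream commit and advisory would let the next rebase verify it against upstream. On the code itself, the added unref only matters if button_open() can run more than once for the same Button, which the hunk does not show; a why-comment on the new line, e.g. `/* button_open() may be entered again for the same device; drop a previously registered source so it is not leaked */`, would make the intent obvious. The enclosing function starts and ends outside the hunk.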


@ -0,0 +1,134 @@
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@@ -37,6 +37,7 @@
int argc, const char **argv,
const char **class,
const char **type,
+ const char **desktop,
bool *debug) {
unsigned i;
@@ -45,24 +46,30 @@
assert(argc == 0 || argv);
for (i = 0; i < (unsigned) argc; i++) {
- if (startswith(argv[i], "class=")) {
+ const char *p;
+
+ if ((p = startswith(argv[i], "class="))) {
if (class)
- *class = argv[i] + 6;
+ *class = p;
- } else if (startswith(argv[i], "type=")) {
+ } else if ((p = startswith(argv[i], "type="))) {
if (type)
- *type = argv[i] + 5;
+ *type = p;
+
+ } else if ((p = startswith(argv[i], "desktop="))) {
+ if (desktop)
+ *desktop = p;
} else if (streq(argv[i], "debug")) {
if (debug)
*debug = true;
- } else if (startswith(argv[i], "debug=")) {
+ } else if ((p = startswith(argv[i], "debug="))) {
int k;
- k = parse_boolean(argv[i] + 6);
+ k = parse_boolean(p);
if (k < 0)
- pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring.");
+ pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", p);
else if (debug)
*debug = k;
@@ -274,6 +281,33 @@
return 0;
}
+ static const char* getenv_harder(pam_handle_t *handle, const char *key, const char *fallback) {
+ const char *v;
+
+ assert(handle);
+ assert(key);
+
+ /* Looks for an environment variable, preferrably in the environment block associated with the
+ * specified PAM handle, falling back to the process' block instead. Why check both? Because we want
+ * to permit configuration of session properties from unit files that invoke PAM services, so that
+ * PAM services don't have to be reworked to set systemd-specific properties, but these properties
+ * can still be set from the unit file Environment= block. */
+
+ v = pam_getenv(handle, key);
+ if (!isempty(v))
+ return v;
+
+ /* We use secure_getenv() here, since we might get loaded into su/sudo, which are SUID. Ideally
+ * they'd clean up the environment before invoking foreign code (such as PAM modules), but alas they
+ * currently don't (to be precise, they clean up the environment they pass to their children, but
+ * not their own environ[]). */
+ v = secure_getenv(key);
+ if (!isempty(v))
+ return v;
+
+ return fallback;
+}
+
_public_ PAM_EXTERN int pam_sm_open_session(
pam_handle_t *handle,
int flags,
@@ -288,7 +322,7 @@
*remote_user = NULL, *remote_host = NULL,
*seat = NULL,
*type = NULL, *class = NULL,
- *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL,
+ *class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
*memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
int session_fd = -1, existing, r;
@@ -307,6 +341,7 @@
argc, argv,
&class_pam,
&type_pam,
+ &desktop_pam,
&debug) < 0)
return PAM_SESSION_ERR;
@@ -352,29 +387,11 @@
pam_get_item(handle, PAM_RUSER, (const void**) &remote_user);
pam_get_item(handle, PAM_RHOST, (const void**) &remote_host);
- seat = pam_getenv(handle, "XDG_SEAT");
- if (isempty(seat))
- seat = getenv("XDG_SEAT");
-
- cvtnr = pam_getenv(handle, "XDG_VTNR");
- if (isempty(cvtnr))
- cvtnr = getenv("XDG_VTNR");
-
- type = pam_getenv(handle, "XDG_SESSION_TYPE");
- if (isempty(type))
- type = getenv("XDG_SESSION_TYPE");
- if (isempty(type))
- type = type_pam;
-
- class = pam_getenv(handle, "XDG_SESSION_CLASS");
- if (isempty(class))
- class = getenv("XDG_SESSION_CLASS");
- if (isempty(class))
- class = class_pam;
-
- desktop = pam_getenv(handle, "XDG_SESSION_DESKTOP");
- if (isempty(desktop))
- desktop = getenv("XDG_SESSION_DESKTOP");
+ seat = getenv_harder(handle, "XDG_SEAT", NULL);
+ cvtnr = getenv_harder(handle, "XDG_VTNR", NULL);
+ type = getenv_harder(handle, "XDG_SESSION_TYPE", type_pam);
+ class = getenv_harder(handle, "XDG_SESSION_CLASS", class_pam);
+ desktop = getenv_harder(handle, "XDG_SESSION_DESKTOP", desktop_pam);
tty = strempty(tty);
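Review bot: getenv_harder() hardens only the second lookup — the pam_getenv() result is still trusted unconditionally, so whether an unprivileged user can still plant XDG_SEAT/XDG_VTNR depends on which modules run earlier in the PAM stack and what they put into the PAM environment (a pam_env configured to read per-user files, for instance); that deployment caveat belongs in the function comment, something like `/* NB: the PAM environment is trusted as-is; the modules stacked before us decide what ends up there. */`. The same comment has a typo, `preferrably` → `preferably`. Both lookups go through isempty(), so an explicitly empty value in the PAM environment does not mask a non-empty one in environ[]; if that is intended, a sentence saying so would help. The parse_argv() and pam_sm_open_session() bodies continue outside the hunk.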


@ -0,0 +1,428 @@
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1,12 +1,14 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#include <errno.h>
+#include <fcntl.h>
#include <linux/seccomp.h>
#include <seccomp.h>
#include <stddef.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <sys/shm.h>
+#include <sys/stat.h>
#include "af-list.h"
#include "alloc-util.h"
@@ -1742,3 +1744,133 @@
return 0;
}
+
+int seccomp_restrict_suid_sgid(void) {
+ uint32_t arch;
+ int r;
+
+ SECCOMP_FOREACH_LOCAL_ARCH(arch) {
+ _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
+
+ r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ALLOW);
+ if (r < 0)
+ return r;
+
+ /* Checks the mode_t parameter of the following system calls:
+ *
+ * → chmod() + fchmod() + fchmodat()
+ * → open() + creat() + openat()
+ * → mkdir() + mkdirat()
+ * → mknod() + mknodat()
+ */
+
+ for (unsigned bit = 0; bit < 2; bit ++) {
+ /* Block S_ISUID in the first iteration, S_ISGID in the second */
+ mode_t m = bit == 0 ? S_ISUID : S_ISGID;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(chmod),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(fchmod),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(fchmodat),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(mkdir),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(mkdirat),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(mknod),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(mknodat),
+ 1,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(open),
+ 2,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT),
+ SCMP_A2(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(openat),
+ 2,
+ SCMP_A2(SCMP_CMP_MASKED_EQ, O_CREAT, O_CREAT),
+ SCMP_A3(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+
+ r = seccomp_rule_add_exact(
+ seccomp,
+ SCMP_ACT_ERRNO(EPERM),
+ SCMP_SYS(creat),
+ 1,
+ SCMP_A1(SCMP_CMP_MASKED_EQ, m, m));
+ if (r < 0)
+ break;
+ }
+ if (r < 0) {
+ log_debug_errno(r, "Failed to add suid/sgid rule for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ continue;
+ }
+
+ r = seccomp_load(seccomp);
+ if (IN_SET(r, -EPERM, -EACCES))
+ return r;
+ if (r < 0)
+ log_debug_errno(r, "Failed to apply suid/sgid restrictions for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
+ }
+
+ return 0;
+}
\ No newline at end of file
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -85,6 +85,7 @@
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
int seccomp_lock_personality(unsigned long personality);
+ int seccomp_restrict_suid_sgid(void);
extern const uint32_t seccomp_local_archs[];
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -769,6 +769,7 @@
SD_BUS_PROPERTY("ConfigurationDirectory", "as", NULL, offsetof(ExecContext, directories[EXEC_DIRECTORY_CONFIGURATION].paths), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("RestrictSUIDSGID", "b", bus_property_get_bool, offsetof(ExecContext, restrict_suid_sgid), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("RestrictNamespaces", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -1127,6 +1128,9 @@
if (streq(name, "RestrictRealtime"))
return bus_set_transient_bool(u, name, &c->restrict_realtime, message, flags, error);
+ if (streq(name, "RestrictSUIDSGID"))
+ return bus_set_transient_bool(u, name, &c->restrict_suid_sgid, message, flags, error);
+
if (streq(name, "DynamicUser"))
return bus_set_transient_bool(u, name, &c->dynamic_user, message, flags, error);
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1366,6 +1366,7 @@
return context_has_address_families(c) ||
c->memory_deny_write_execute ||
c->restrict_realtime ||
+ c->restrict_suid_sgid ||
exec_context_restrict_namespaces_set(c) ||
c->protect_kernel_tunables ||
c->protect_kernel_modules ||
@@ -1470,6 +1471,19 @@
return seccomp_restrict_realtime();
}
+static int apply_restrict_suid_sgid(const Unit* u, const ExecContext *c) {
+ assert(u);
+ assert(c);
+
+ if (!c->restrict_suid_sgid)
+ return 0;
+
+ if (skip_seccomp_unavailable(u, "RestrictSUIDSGID="))
+ return 0;
+
+ return seccomp_restrict_suid_sgid();
+}
+
static int apply_protect_sysctl(const Unit *u, const ExecContext *c) {
assert(u);
assert(c);
@@ -3331,6 +3345,12 @@
return log_unit_error_errno(unit, r, "Failed to apply realtime restrictions: %m");
}
+ r = apply_restrict_suid_sgid(unit, context);
+ if (r < 0) {
+ *exit_status = EXIT_SECCOMP;
+ return log_unit_error_errno(unit, r, "Failed to apply SUID/SGID restrictions: %m");
+ }
+
r = apply_restrict_namespaces(unit, context);
if (r < 0) {
*exit_status = EXIT_SECCOMP;
@@ -3920,6 +3940,7 @@
"%sIgnoreSIGPIPE: %s\n"
"%sMemoryDenyWriteExecute: %s\n"
"%sRestrictRealtime: %s\n"
+ "%sRestrictSUIDSGID: %s\n"
"%sKeyringMode: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
@@ -3938,6 +3959,7 @@
prefix, yes_no(c->ignore_sigpipe),
prefix, yes_no(c->memory_deny_write_execute),
prefix, yes_no(c->restrict_realtime),
+ prefix, yes_no(c->restrict_suid_sgid),
prefix, exec_keyring_mode_to_string(c->keyring_mode));
if (c->root_image)
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -260,6 +260,7 @@
bool memory_deny_write_execute;
bool restrict_realtime;
+ bool restrict_suid_sgid;
bool oom_score_adjust_set:1;
bool nice_set:1;
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -72,6 +72,7 @@
$1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute)
$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context)
$1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime)
+$1.RestrictSUIDSGID, config_parse_bool, 0, offsetof($1, exec_context.restrict_suid_sgid)
$1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)
$1.LockPersonality, config_parse_bool, 0, offsetof($1, exec_context.lock_personality)',
`$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
@@ -80,6 +81,7 @@
$1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
+$1.RestrictSUIDSGID, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0
$1.LockPersonality, config_parse_warn_compat, DISABLED_CONFIGURATION, 0')
$1.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof($1, exec_context.rlimit)
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -697,7 +697,7 @@
"PrivateMounts", "NoNewPrivileges", "SyslogLevelPrefix",
"MemoryDenyWriteExecute", "RestrictRealtime", "DynamicUser", "RemoveIPC",
"ProtectKernelTunables", "ProtectKernelModules", "ProtectControlGroups",
- "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality"))
+ "MountAPIVFS", "CPUSchedulingResetOnFork", "LockPersonality", "RestrictSUIDSGID"))
return bus_append_parse_boolean(m, field, eq);
--- a/test/fuzz-corpus/unit-file/directives.service
+++ b/test/fuzz-corpus/unit-file/directives.service
@@ -847,6 +847,7 @@
RestrictAddressFamilies=
RestrictNamespaces=
RestrictRealtime=
+RestrictSUIDSGID=
RuntimeDirectory=
RuntimeDirectoryMode=
RuntimeDirectoryPreserve=
--- a/doc/TRANSIENT-SETTINGS.md
+++ b/doc/TRANSIENT-SETTINGS.md
@@ -147,6 +147,7 @@
✓ MemoryDenyWriteExecute=
✓ RestrictNamespaces=
✓ RestrictRealtime=
+✓ RestrictSUIDSGID=
✓ RestrictAddressFamilies=
✓ LockPersonality=
✓ LimitCPU=
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -31,6 +31,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service sethostname
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -26,6 +26,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -27,6 +27,7 @@
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=@system-service
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -27,6 +27,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,6 +28,7 @@
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=@system-service
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -33,6 +33,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
SystemCallFilter=@system-service
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -36,6 +36,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -25,6 +25,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@system-service @clock
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -35,6 +35,7 @@
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
+RestrictSUIDSGID=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RuntimeDirectory=systemd/timesync
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -27,8 +27,9 @@
TasksMax=infinity
PrivateMounts=yes
MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
SystemCallFilter=@system-service @module @raw-io
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
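Review bot: The seccomp-util.c hunk ends with `\ No newline at end of file`, so applying this patch leaves src/shared/seccomp-util.c without a trailing newline — worth fixing in the patch itself, given this same commit goes to the trouble of adding the missing newline to the spec file. On the filter, the open()/openat() rules only fire when O_CREAT is set; as far as I can tell a mode argument is also consumed for O_TMPFILE opens and the resulting file can later be linked into the namespace, so whether that path needs a rule of its own should be confirmed against upstream before RestrictSUIDSGID= is relied on as a hard guarantee. seccomp_restrict_suid_sgid() also has no header comment; a short one stating that it returns 0 when a per-architecture filter cannot be built or loaded and only propagates -EPERM/-EACCES from seccomp_load() would save callers reading the loop to learn that.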


@ -0,0 +1,25 @@
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4131,14 +4131,20 @@
return -ENOMEM;
}
- /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
- * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
+ /* If the dynamic user option is on, let's make sure that the unit can't leave its
+ * UID/GID around in the file system or on IPC objects. Hence enforce a strict
+ * sandbox. */
ec->private_tmp = true;
ec->remove_ipc = true;
ec->protect_system = PROTECT_SYSTEM_STRICT;
if (ec->protect_home == PROTECT_HOME_NO)
ec->protect_home = PROTECT_HOME_READ_ONLY;
+
+ /* Make sure this service can neither benefit from SUID/SGID binaries nor create
+ * them. */
+ ec->no_new_privileges = true;
+ ec->restrict_suid_sgid = true;
}
}
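Review bot: The new comment says what is forced but not that it is forced unconditionally — an explicit NoNewPrivileges=no or RestrictSUIDSGID=no in a DynamicUser=yes unit is silently overridden here, which is exactly what an admin debugging a failing setuid helper will want to see stated; I would extend it to `/* Make sure this service can neither benefit from SUID/SGID binaries nor create them. Both are forced on regardless of what the unit file sets. */`. It is also worth a sentence that the second flag is only enforced where seccomp is available (the companion execute.c change skips it otherwise), so on such hosts only NoNewPrivileges= is doing the work. The enclosing function starts before the hunk.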


@ -0,0 +1,187 @@
--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
@@ -45,7 +45,7 @@
if (slash)
return false;
- return true;
+ return (q - p) <= BUS_PATH_SIZE_MAX;
}
char* object_path_startswith(const char *a, const char *b) {
--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
@@ -333,6 +333,10 @@
#define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
#define BUS_AUTH_SIZE_MAX (64*1024)
+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
+ * to not clash unnecessarily with real-life applications. */
+#define BUS_PATH_SIZE_MAX (64*1024)
#define BUS_CONTAINER_DEPTH 128
--- a/src/libsystemd/sd-bus/bus-objects.c
+++ b/src/libsystemd/sd-bus/bus-objects.c
@@ -1134,7 +1134,8 @@
const char *path,
sd_bus_error *error) {
- char *prefix;
+ _cleanup_free_ char *prefix = NULL;
+ size_t pl;
int r;
assert(bus);
@@ -1150,7 +1151,12 @@
return 0;
/* Second, add fallback vtables registered for any of the prefixes */
- prefix = alloca(strlen(path) + 1);
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
+
OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
if (r < 0)
@@ -1346,6 +1352,7 @@
}
int bus_process_object(sd_bus *bus, sd_bus_message *m) {
+ _cleanup_free_ char *prefix = NULL;
int r;
size_t pl;
bool found_object = false;
@@ -1370,9 +1377,11 @@
assert(m->member);
pl = strlen(m->path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
do {
- char prefix[pl+1];
-
bus->nodes_modified = false;
r = object_find_and_run(bus, m, m->path, false, &found_object);
@@ -1499,9 +1508,15 @@
n = hashmap_get(bus->nodes, path);
if (!n) {
- char *prefix;
+ _cleanup_free_ char *prefix = NULL;
+ size_t pl;
+
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
- prefix = alloca(strlen(path) + 1);
OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
n = hashmap_get(bus->nodes, prefix);
if (n)
@@ -2091,8 +2106,9 @@
char **names) {
BUS_DONT_DESTROY(bus);
+ _cleanup_free_ char *prefix = NULL;
bool found_interface = false;
- char *prefix;
+ size_t pl;
int r;
assert_return(bus, -EINVAL);
@@ -2110,6 +2126,12 @@
included in the PropertiesChanged message. */
if (names && names[0] == NULL)
return 0;
+
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
do {
bus->nodes_modified = false;
@@ -2252,7 +2274,8 @@
static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
_cleanup_set_free_ Set *s = NULL;
- char *prefix;
+ _cleanup_free_ char *prefix = NULL;
+ size_t pl;
int r;
assert(bus);
@@ -2297,7 +2320,12 @@
if (bus->nodes_modified)
return 0;
- prefix = alloca(strlen(path) + 1);
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
+
OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
if (r < 0)
@@ -2436,7 +2464,8 @@
static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
_cleanup_set_free_ Set *s = NULL;
- char *prefix;
+ _cleanup_free_ char *prefix = NULL;
+ size_t pl;
int r;
assert(bus);
@@ -2468,7 +2497,12 @@
if (bus->nodes_modified)
return 0;
- prefix = alloca(strlen(path) + 1);
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
+
OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
if (r < 0)
@@ -2618,7 +2652,8 @@
const char *path,
const char *interface) {
- char *prefix;
+ _cleanup_free_ char *prefix = NULL;
+ size_t pl;
int r;
assert(bus);
@@ -2632,7 +2667,12 @@
if (bus->nodes_modified)
return 0;
- prefix = alloca(strlen(path) + 1);
+ pl = strlen(path);
+ assert(pl <= BUS_PATH_SIZE_MAX);
+ prefix = new(char, pl + 1);
+ if (!prefix)
+ return -ENOMEM;
+
OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
if (r != 0)
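Review bot: The new `assert(pl <= BUS_PATH_SIZE_MAX)` in bus_process_object() and the other prefix walkers turns an over-long object path into an abort rather than an error, so it is only safe if every path reaching these functions has already passed object_path_is_valid(), which this patch extends with the length check; the paths come from peer messages, so please confirm the header-field validation at parse time rejects such messages in this tree, otherwise a remote peer can crash the service instead of merely exhausting its stack. A comment on the new define would help future readers: `/* Callers in bus-objects.c assert() this bound; it holds only for paths that passed object_path_is_valid(). */`. The length comparison relies on `p`/`q` from earlier in object_path_is_valid(), which starts before the hunk; I assume they bracket the full path string.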


@ -0,0 +1,43 @@
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@@ -49,7 +49,7 @@
assert(s);
assert_cc(sizeof(uid_t) == sizeof(uint32_t));
- r = safe_atou32(s, &uid);
+ r = safe_atou32_full(s, 10, &uid);
if (r < 0)
return r;
--- a/src/test/test-user-util.c
+++ b/src/test/test-user-util.c
@@ -49,6 +49,14 @@
r = parse_uid("asdsdas", &uid);
assert_se(r == -EINVAL);
+
+ r = parse_uid("0x1234", &uid);
+ assert_se(r == -EINVAL);
+ assert_se(uid == 100);
+
+ r = parse_uid("01234", &uid);
+ assert_se(r == 0);
+ assert_se(uid == 1234);
}
static void test_uid_ptr(void) {
--- a/src/basic/parse-util.h
+++ b/src/basic/parse-util.h
@@ -50,6 +50,11 @@
int safe_atoi16(const char *s, int16_t *ret);
+static inline int safe_atou32_full(const char *s, unsigned base, uint32_t *ret_u) {
+ assert_cc(sizeof(uint32_t) == sizeof(unsigned));
+ return safe_atou_full(s, base, (unsigned*) ret_u);
+}
+
static inline int safe_atou32(const char *s, uint32_t *ret_u) {
assert_cc(sizeof(uint32_t) == sizeof(unsigned));
return safe_atou(s, (unsigned*) ret_u);
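Review bot: The switch to base 10 covers parse_uid() only; if parse_gid() in this tree does not simply delegate to parse_uid() it needs the same change, since the issue is a numeric name like `0123` (or `0x...`) being read with a non-decimal base and mapping to an unintended ID. The new `safe_atou32_full()` inline has no comment; one line such as `/* Like safe_atou32() but with an explicit base; callers that parse IDs pass 10 so leading zeros are not treated as a radix prefix. */` would record why it exists. The added test relies on `uid` still holding 100 after the failed parse, i.e. on parse_uid() leaving the out-parameter untouched on error — that invariant is set up before the hunk, so keep it in mind if the test is ever rearranged; the test function itself starts outside the hunk.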


@ -0,0 +1,409 @@
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -319,10 +319,9 @@
typedef struct AsyncPolkitQuery {
sd_bus_message *request, *reply;
- sd_bus_message_handler_t callback;
- void *userdata;
sd_bus_slot *slot;
Hashmap *registry;
+ sd_event_source *defer_event_source;
} AsyncPolkitQuery;
static void async_polkit_query_free(AsyncPolkitQuery *q) {
@@ -338,9 +337,22 @@
sd_bus_message_unref(q->request);
sd_bus_message_unref(q->reply);
+ sd_event_source_disable_unref(q->defer_event_source);
free(q);
}
+static int async_polkit_defer(sd_event_source *s, void *userdata) {
+ AsyncPolkitQuery *q = userdata;
+
+ assert(s);
+
+ /* This is called as idle event source after we processed the async polkit reply, hopefully after the
+ * method call we re-enqueued has been properly processed. */
+
+ async_polkit_query_free(q);
+ return 0;
+}
+
static int async_polkit_callback(sd_bus_message *reply, void *userdata, sd_bus_error *error) {
_cleanup_(sd_bus_error_free) sd_bus_error error_buffer = SD_BUS_ERROR_NULL;
AsyncPolkitQuery *q = userdata;
@@ -349,19 +361,44 @@
assert(reply);
assert(q);
+ assert(q->slot);
q->slot = sd_bus_slot_unref(q->slot);
+
+ assert(!q->reply);
q->reply = sd_bus_message_ref(reply);
+ /* Now, let's dispatch the original message a second time be re-enqueing. This will then traverse the
+ * whole message processing again, and thus re-validating and re-retrieving the "userdata" field
+ * again.
+ *
+ * We install an idle event loop event to clean-up the PolicyKit request data when we are idle again,
+ * i.e. after the second time the message is processed is complete. */
+
+ assert(!q->defer_event_source);
+ r = sd_event_add_defer(sd_bus_get_event(sd_bus_message_get_bus(reply)), &q->defer_event_source, async_polkit_defer, q);
+ if (r < 0)
+ goto fail;
+
+ r = sd_event_source_set_priority(q->defer_event_source, SD_EVENT_PRIORITY_IDLE);
+ if (r < 0)
+ goto fail;
+
+ r = sd_event_source_set_enabled(q->defer_event_source, SD_EVENT_ONESHOT);
+ if (r < 0)
+ goto fail;
+
r = sd_bus_message_rewind(q->request, true);
- if (r < 0) {
- r = sd_bus_reply_method_errno(q->request, r, NULL);
- goto finish;
- }
-
- r = q->callback(q->request, q->userdata, &error_buffer);
- r = bus_maybe_reply_error(q->request, r, &error_buffer);
+ if (r < 0)
+ goto fail;
-finish:
+ r = sd_bus_enqueue_for_read(sd_bus_message_get_bus(q->request), q->request);
+ if (r < 0)
+ goto fail;
+
+ return 1;
+fail:
+ log_debug_errno(r, "Processing asynchronous PolicyKit reply failed, ignoring: %m");
+ (void) sd_bus_reply_method_errno(q->request, r, NULL);
async_polkit_query_free(q);
return r;
@@ -382,11 +419,12 @@
#if ENABLE_POLKIT
_cleanup_(sd_bus_message_unrefp) sd_bus_message *pk = NULL;
AsyncPolkitQuery *q;
- const char *sender, **k, **v;
+ const char **k, **v;
sd_bus_message_handler_t callback;
void *userdata;
int c;
#endif
+ const char *sender;
int r;
assert(call);
@@ -444,20 +482,11 @@
else if (r > 0)
return 1;
-#if ENABLE_POLKIT
- if (sd_bus_get_current_message(call->bus) != call)
- return -EINVAL;
-
- callback = sd_bus_get_current_handler(call->bus);
- if (!callback)
- return -EINVAL;
-
- userdata = sd_bus_get_current_userdata(call->bus);
-
sender = sd_bus_message_get_sender(call);
if (!sender)
return -EBADMSG;
+#if ENABLE_POLKIT
c = sd_bus_message_get_allow_interactive_authorization(call);
if (c < 0)
return c;
@@ -509,8 +538,6 @@
return -ENOMEM;
q->request = sd_bus_message_ref(call);
- q->callback = callback;
- q->userdata = userdata;
r = hashmap_put(*registry, call, q);
if (r < 0) {
--- a/src/libsystemd/libsystemd.sym
+++ b/src/libsystemd/libsystemd.sym
@@ -556,6 +556,7 @@
LIBSYSTEMD_239 {
global:
+ sd_bus_enqueue_for_read;
sd_bus_open_with_description;
sd_bus_open_user_with_description;
sd_bus_open_system_with_description;
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -148,13 +148,13 @@
assert(b);
while (b->rqueue_size > 0)
- sd_bus_message_unref(b->rqueue[--b->rqueue_size]);
+ bus_message_unref_queued(b->rqueue[--b->rqueue_size], b);
b->rqueue = mfree(b->rqueue);
b->rqueue_allocated = 0;
while (b->wqueue_size > 0)
- sd_bus_message_unref(b->wqueue[--b->wqueue_size]);
+ bus_message_unref_queued(b->wqueue[--b->wqueue_size], b);
b->wqueue = mfree(b->wqueue);
b->wqueue_allocated = 0;
@@ -493,7 +493,7 @@
/* Insert at the very front */
memmove(bus->rqueue + 1, bus->rqueue, sizeof(sd_bus_message*) * bus->rqueue_size);
- bus->rqueue[0] = TAKE_PTR(m);
+ bus->rqueue[0] = bus_message_ref_queued(m, bus);
bus->rqueue_size++;
return 0;
@@ -1716,7 +1716,7 @@
* anyway. */
bus->wqueue_size--;
- sd_bus_message_unref(bus->wqueue[0]);
+ bus_message_unref_queued(bus->wqueue[0], bus);
memmove(bus->wqueue, bus->wqueue + 1, sizeof(sd_bus_message*) * bus->wqueue_size);
bus->windex = 0;
@@ -1838,7 +1838,7 @@
* of the wqueue array is always allocated so
* that we always can remember how much was
* written. */
- bus->wqueue[0] = sd_bus_message_ref(m);
+ bus->wqueue[0] = bus_message_ref_queued(m, bus);
bus->wqueue_size = 1;
bus->windex = idx;
}
@@ -1852,7 +1852,7 @@
if (!GREEDY_REALLOC(bus->wqueue, bus->wqueue_allocated, bus->wqueue_size + 1))
return -ENOMEM;
- bus->wqueue[bus->wqueue_size++] = sd_bus_message_ref(m);
+ bus->wqueue[bus->wqueue_size++] = bus_message_ref_queued(m, bus);
}
finish:
@@ -2084,7 +2084,7 @@
if (incoming->reply_cookie == cookie) {
/* Found a match! */
-
+ bus_message_unref_queued(bus->rqueue[i], bus);
memmove(bus->rqueue + i, bus->rqueue + i + 1, sizeof(sd_bus_message*) * (bus->rqueue_size - i - 1));
bus->rqueue_size--;
log_debug_bus_message(incoming);
@@ -2118,6 +2118,7 @@
incoming->sender &&
streq(bus->unique_name, incoming->sender)) {
+ bus_message_unref_queued(bus->rqueue[i], bus);
memmove(bus->rqueue + i, bus->rqueue + i + 1, sizeof(sd_bus_message*) * (bus->rqueue_size - i - 1));
bus->rqueue_size--;
@@ -4075,3 +4076,27 @@
*ret = bus->wqueue_size;
return 0;
}
+
+_public_ int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m) {
+ int r;
+
+ assert_return(bus, -EINVAL);
+ assert_return(bus = bus_resolve(bus), -ENOPKG);
+ assert_return(m, -EINVAL);
+ assert_return(m->sealed, -EINVAL);
+ assert_return(!bus_pid_changed(bus), -ECHILD);
+
+ if (!BUS_IS_OPEN(bus->state))
+ return -ENOTCONN;
+
+ /* Re-enqueue a message for reading. This is primarily useful for PolicyKit-style authentication,
+ * where we want accept a message, then determine we need to interactively authenticate the user, and then
+ * when we want to process the message again. */
+
+ r = bus_rqueue_make_room(bus);
+ if (r < 0)
+ return r;
+
+ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(m, bus);
+ return 0;
+}
--- a/src/systemd/sd-bus.h
+++ b/src/systemd/sd-bus.h
@@ -193,6 +193,7 @@
int sd_bus_process_priority(sd_bus *bus, int64_t max_priority, sd_bus_message **r);
int sd_bus_wait(sd_bus *bus, uint64_t timeout_usec);
int sd_bus_flush(sd_bus *bus);
+int sd_bus_enqueue_for_read(sd_bus *bus, sd_bus_message *m);
sd_bus_slot* sd_bus_get_current_slot(sd_bus *bus);
sd_bus_message* sd_bus_get_current_message(sd_bus *bus);
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -876,28 +876,78 @@
return 0;
}
-_public_ sd_bus_message* sd_bus_message_ref(sd_bus_message *m) {
+_public_ sd_bus_message* sd_bus_message_ref(sd_bus_message *m) {
if (!m)
return NULL;
- assert(m->n_ref > 0);
+ /* We are fine if this message so far was either explicitly reffed or not reffed but queued into at
+ * least one bus connection object. */
+ assert(m->n_ref > 0 || m->n_queued > 0);
+
m->n_ref++;
+ /* Each user reference to a bus message shall also be considered a ref on the bus */
+ sd_bus_ref(m->bus);
return m;
}
_public_ sd_bus_message* sd_bus_message_unref(sd_bus_message *m) {
-
if (!m)
return NULL;
assert(m->n_ref > 0);
+
+ sd_bus_unref(m->bus); /* Each regular ref is also a ref on the bus connection. Let's hence drop it
+ * here. Note we have to do this before decrementing our own n_ref here, since
+ * otherwise, if this message is currently queued sd_bus_unref() might call
+ * bus_message_unref_queued() for this which might then destroy the message
+ * while we are still processing it. */
m->n_ref--;
- if (m->n_ref > 0)
+ if (m->n_ref > 0 || m->n_queued > 0)
+ return NULL;
+
+ /* Unset the bus field if neither the user has a reference nor this message is queued. We are careful
+ * to reset the field only after the last reference to the bus is dropped, after all we might keep
+ * multiple references to the bus, once for each reference kept on ourselves. */
+ m->bus = NULL;
+
+ return message_free(m);
+}
+
+sd_bus_message* bus_message_ref_queued(sd_bus_message *m, sd_bus *bus) {
+ if (!m)
+ return NULL;
+
+ /* If this is a different bus than the message is associated with, then implicitly turn this into a
+ * regular reference. This means that you can create a memory leak by enqueuing a message generated
+ * on one bus onto another at the same time as enqueueing a message from the second one on the first,
+ * as we'll not detect the cyclic references there. */
+ if (bus != m->bus)
+ return sd_bus_message_ref(m);
+
+ assert(m->n_ref > 0 || m->n_queued > 0);
+ m->n_queued++;
+
+ return m;
+}
+
+sd_bus_message* bus_message_unref_queued(sd_bus_message *m, sd_bus *bus) {
+ if (!m)
+ return NULL;
+
+ if (bus != m->bus)
+ return sd_bus_message_unref(m);
+
+ assert(m->n_queued > 0);
+ m->n_queued--;
+
+ if (m->n_ref > 0 || m->n_queued > 0)
return NULL;
+ m->bus = NULL;
+
return message_free(m);
}
--- a/src/libsystemd/sd-bus/bus-message.h
+++ b/src/libsystemd/sd-bus/bus-message.h
@@ -51,7 +51,16 @@
};
struct sd_bus_message {
- unsigned n_ref;
+ /* Caveat: a message can be referenced in two different ways: the main (user-facing) way will also
+ * pin the bus connection object the message is associated with. The secondary way ("queued") is used
+ * when a message is in the read or write queues of the bus connection object, which will not pin the
+ * bus connection object. This is necessary so that we don't have to have a pair of cyclic references
+ * between a message that is queued and its connection: as soon as a message is only referenced by
+ * the connection (by means of being queued) and the connection itself has no other references it
+ * will be freed. */
+
+ unsigned n_ref; /* Counter of references that pin the connection */
+ unsigned n_queued; /* Counter of references that do not pin the connection */
sd_bus *bus;
@@ -216,3 +225,6 @@
void bus_message_set_sender_driver(sd_bus *bus, sd_bus_message *m);
void bus_message_set_sender_local(sd_bus *bus, sd_bus_message *m);
+
+sd_bus_message* bus_message_ref_queued(sd_bus_message *m, sd_bus *bus);
+sd_bus_message* bus_message_unref_queued(sd_bus_message *m, sd_bus *bus);
\ No newline at end of file
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -1117,7 +1117,7 @@
bus->fds = NULL;
bus->n_fds = 0;
- bus->rqueue[bus->rqueue_size++] = t;
+ bus->rqueue[bus->rqueue_size++] = bus_message_ref_queued(t, bus);
return 1;
}
--- a/src/systemd/sd-event.h
+++ b/src/systemd/sd-event.h
@@ -84,6 +84,7 @@
int sd_event_new(sd_event **e);
sd_event* sd_event_ref(sd_event *e);
sd_event* sd_event_unref(sd_event *e);
+sd_event_source* sd_event_source_disable_unref(sd_event_source *s);
int sd_event_add_io(sd_event *e, sd_event_source **s, int fd, uint32_t events, sd_event_io_handler_t callback, void *userdata);
int sd_event_add_time(sd_event *e, sd_event_source **s, clockid_t clock, uint64_t usec, uint64_t accuracy, sd_event_time_handler_t callback, void *userdata);
--- a/src/libsystemd/sd-event/sd-event.c
+++ b/src/libsystemd/sd-event/sd-event.c
@@ -580,6 +580,12 @@
return NULL;
}
+_public_ sd_event_source* sd_event_source_disable_unref(sd_event_source *s) {
+ if (s)
+ (void) sd_event_source_set_enabled(s, SD_EVENT_OFF);
+ return sd_event_source_unref(s);
+}
+
static bool event_pid_changed(sd_event *e) {
assert(e);


@ -1,65 +1,70 @@
Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
Name: systemd-bootstrap
Version: 239
Release: 29%{?dist}
License: LGPLv2+ and GPLv2+ and MIT
URL: https://www.freedesktop.org/wiki/Software/systemd/
Group: System Environment/Security
Vendor: Microsoft Corporation
Distribution: Mariner
#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz
Source0: systemd-%{version}.tar.gz
Source1: 50-security-hardening.conf
Source2: systemd.cfg
Source3: 99-dhcp-en.network
Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch
Patch1: 02-install-general-aliases.patch
Patch2: systemd-239-default-dns-from-env.patch
Patch3: systemd-macros.patch
Patch4: systemd-239-query-duid.patch
Summary: Bootstrap version of systemd. Workaround for systemd circular dependency.
Name: systemd-bootstrap
Version: 239
Release: 30%{?dist}
License: LGPLv2+ AND GPLv2+ AND MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Security
URL: https://www.freedesktop.org/wiki/Software/systemd/
#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz
Source0: systemd-%{version}.tar.gz
Source1: 50-security-hardening.conf
Source2: systemd.cfg
Source3: 99-dhcp-en.network
Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch
Patch1: 02-install-general-aliases.patch
Patch2: systemd-239-default-dns-from-env.patch
Patch3: systemd-macros.patch
Patch4: systemd-239-query-duid.patch
# Fix glibc-2.28 build issue. Checked in upstream after v239
Patch5: systemd-239-glibc-build-fix.patch
Patch6: systemd-239-revert-mtu.patch
Patch7: systemd-239-CVE-2018-15688.patch
Patch8: systemd-239-CVE-2018-15686.patch
Patch9: systemd-239-CVE-2018-15687.patch
Patch10: systemd-239-CVE-2018-16864.patch
Patch11: systemd-239-CVE-2018-16865.patch
Patch12: systemd-239-CVE-2018-16866.patch
Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch
Patch14: Disable-argument-to-mount_cgroup_controllers.patch
Patch5: systemd-239-glibc-build-fix.patch
Patch6: systemd-239-revert-mtu.patch
Patch7: systemd-239-CVE-2018-15688.patch
Patch8: systemd-239-CVE-2018-15686.patch
Patch9: systemd-239-CVE-2018-15687.patch
Patch10: systemd-239-CVE-2018-16864.patch
Patch11: systemd-239-CVE-2018-16865.patch
Patch12: systemd-239-CVE-2018-16866.patch
Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch
Patch14: Disable-argument-to-mount_cgroup_controllers.patch
# This commit from upstream fixes an issue caused by using a later version of meson.
Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch
Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch
Patch16: CVE-2019-3842.patch
Patch17: CVE-2019-3843.patch
Patch18: CVE-2019-3844.patch
Patch19: CVE-2019-6454.patch
Patch20: CVE-2019-20386.patch
Patch21: CVE-2020-1712.patch
Patch22: CVE-2020-13776.patch
# This vulnerability is in the strict DNS-over-TLS (DoT) mechanism of systemd-resolve.
# DoT is only enabled when systemd is build against gnutls.
# Furthermore, strict mode DoT is not supported before v243.
Patch16: CVE-2018-21029.nopatch
Requires: pam
Requires: libcap
Requires: xz
Requires: kmod
Requires: glib
Requires: libgcrypt
Requires: filesystem >= 1.1
BuildRequires: intltool
BuildRequires: gperf
BuildRequires: libcap-devel
BuildRequires: xz-devel
BuildRequires: pam-devel
BuildRequires: perl-XML-Parser
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: util-linux-devel >= 2.30
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: docbook-dtd-xml
BuildRequires: glib-devel
BuildRequires: meson
BuildRequires: gettext
BuildRequires: shadow-utils
BuildRequires: libgcrypt-devel
Patch23: CVE-2018-21029.nopatch
BuildRequires: docbook-dtd-xml
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: glib-devel
BuildRequires: gperf
BuildRequires: intltool
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: libcap-devel
BuildRequires: libgcrypt-devel
BuildRequires: libxslt
BuildRequires: meson
BuildRequires: pam-devel
BuildRequires: perl-XML-Parser
BuildRequires: shadow-utils
BuildRequires: util-linux-devel >= 2.30
BuildRequires: xz-devel
Requires: filesystem >= 1.1
Requires: glib
Requires: kmod
Requires: libcap
Requires: libgcrypt
Requires: pam
Requires: xz
%description
Systemd is an init replacement with better process control and security
@ -73,7 +78,7 @@ Requires: glib-devel
Development headers for developing applications linking to libsystemd
%prep
%setup -q -n systemd-%{version}
%autosetup -p1 -n systemd-%{version}
cat > config.cache << "EOF"
KILL=/bin/kill
HAVE_BLKID=1
@ -82,23 +87,6 @@ BLKID_CFLAGS="-I/usr/include/blkid"
cc_cv_CFLAGS__flto=no
EOF
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf.in
%build
@ -106,8 +94,8 @@ export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
CFLAGS="%{build_cflags} -Wno-error=format-overflow=" \
meson --prefix %{_prefix} \
--sysconfdir /etc \
--localstatedir /var \
--sysconfdir %{_sysconfdir} \
--localstatedir %{_var} \
-Dblkid=true \
-Dbuildtype=release \
-Ddefault-dnssec=no \
@ -121,11 +109,11 @@ meson --prefix %{_prefix} \
-Dpam=true \
-Dlibcurl=false \
-Dpolkit=true \
-Ddbuspolicydir=/etc/dbus-1/system.d \
-Ddbussessionservicedir=%{_prefix}/share/dbus-1/services \
-Ddbussystemservicedir=%{_prefix}/share/dbus-1/system-services \
-Dsysvinit-path=/etc/rc.d/init.d \
-Drc-local=/etc/rc.d/rc.local \
-Ddbuspolicydir=%{_sysconfdir}/dbus-1/system.d \
-Ddbussessionservicedir=%{_datadir}/dbus-1/services \
-Ddbussystemservicedir=%{_datadir}/dbus-1/system-services \
-Dsysvinit-path=%{_sysconfdir}/rc.d/init.d \
-Drc-local=%{_sysconfdir}/rc.d/rc.local \
$PWD build &&
cd build &&
%ninja_build
@ -138,16 +126,16 @@ for tool in runlevel reboot shutdown poweroff halt telinit; do
ln -sfv ../bin/systemctl %{buildroot}/sbin/${tool}
done
ln -sfv ../lib/systemd/systemd %{buildroot}/sbin/init
sed -i '/srv/d' %{buildroot}/usr/lib/tmpfiles.d/home.conf
sed -i "s:0775 root lock:0755 root root:g" %{buildroot}/usr/lib/tmpfiles.d/legacy.conf
sed -i '/srv/d' %{buildroot}%{_lib}/tmpfiles.d/home.conf
sed -i "s:0775 root lock:0755 root root:g" %{buildroot}%{_lib}/tmpfiles.d/legacy.conf
sed -i "s:NamePolicy=kernel database onboard slot path:NamePolicy=kernel database:g" %{buildroot}/lib/systemd/network/99-default.link
sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}/etc/systemd/resolved.conf
sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}%{_sysconfdir}/systemd/resolved.conf
rm -f %{buildroot}%{_var}/log/README
mkdir -p %{buildroot}%{_localstatedir}/opt/journal/log
mkdir -p %{buildroot}%{_localstatedir}/log
ln -sfv %{_localstatedir}/opt/journal/log %{buildroot}%{_localstatedir}/log/journal
find %{buildroot} -name '*.la' -delete
find %{buildroot} -type f -name "*.la" -delete -print
install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysctl.d
install -dm 0755 %{buildroot}/boot/
install -m 0644 %{SOURCE2} %{buildroot}/boot/
@ -156,12 +144,12 @@ ln -sfv multi-user.target %{buildroot}/lib/systemd/system/default.target
install -dm 0755 %{buildroot}/%{_sysconfdir}/systemd/network
install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/systemd/network
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%clean
rm -rf %{buildroot}/*
%files
%defattr(-,root,root)
%license LICENSE.GPL2
@ -235,7 +223,7 @@ rm -rf %{buildroot}/*
%{_datadir}/bash-completion/*
%{_datadir}/factory/*
%{_datadir}/dbus-1
%{_datadir}/doc/*
%{_docdir}/*
%{_mandir}/man[1578]/*
%{_datadir}/polkit-1
%{_datadir}/systemd
@ -256,191 +244,293 @@ rm -rf %{buildroot}/*
%{_mandir}/man3/*
%changelog
* Thu Oct 22 2020 Nicolas Ontiveros <niontive@microsoft.com> - 239-30
- Use autosetup
- Fix CVE-2019-3842
- Fix CVE-2019-3843
- Fix CVE-2019-3844
- Fix CVE-2019-6454
- Fix CVE-2019-20386
- Fix CVE-2020-1712
- Fix CVE-2020-13776
* Tue Aug 11 2020 Mateusz Malisz <mamalisz@microsoft.com> 239-29
- Reduce kptr_restrict to 1
* Tue Jun 09 2020 Nicolas Ontiveros <niontive@microsoft.com> 239-28
- Change summary to address circular dependency.
* Fri May 29 2020 Nicolas Ontiveros <niontive@microsoft.com> 239-27
- Fork from systemd.spec.
- Do not include cryptsetup in BR. This breaks a circular dependency.
* Wed May 20 2020 Joe Schmitt <joschmit@microsoft.com> 239-26
- Remove 99-vmware-hotplug.rules.
* Sat May 09 00:20:49 PST 2020 Nick Samson <nisamson@microsoft.com> - 239-25
- Added %%license line automatically
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-24
- Renaming docbook-xsl to docbook-style-xsl
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-23
- Renaming docbook-xml to docbook-dtd-xml
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-22
- Renaming Linux-PAM to pam
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-21
- Renaming XML-Parser to perl-XML-Parser
* Tue May 05 2020 Joe Schmitt <joschmit@microsoft.com> 239-20
- Remove unused rdrand-rng after kernel update.
* Thu Apr 23 2020 Emre Girgin <mrgirgin@microsoft.com> 239-19
- Ignore CVE-2018-21029.
* Fri Apr 17 2020 Emre Girgin <mrgirgin@microsoft.com> 239-18
- Rename shadow to shadow-utils.
* Thu Apr 16 2020 Emre Girgin <mrgirgin@microsoft.com> 239-17
- Resolve build issues arising from upgrading meson to 0.49.2.
* Thu Apr 09 2020 Henry Beberman <henry.beberman@microsoft.com> 239-16
- Add patch to disable arguments to mount_cgroup_controllers as in upstream latest.
* Tue Apr 07 2020 Paul Monson <paulmon@microsoft.com> 239-15
- Update Source0 link. License verified.
* Tue Mar 31 2020 Henry Beberman <henry.beberman@microsoft.com> 239-14
- Backport upstream fix for FOREACH_STRING macro.
* Tue Mar 24 2020 Henry Beberman <henry.beberman@microsoft.com> 239-13
- Add -Wno-error=format-overflow= to fix gcc9 build.
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 239-12
- Disable libcurl auto-configure
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 239-11
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Jan 10 2019 Anish Swaminathan <anishs@vmware.com> 239-10
- Fix CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
* Wed Jan 09 2019 Keerthana K <keerthanak@vmware.com> 239-9
- Seting default values for tcp_timestamps, tcp_challenge_ack_limit and ip_forward.
* Wed Jan 02 2019 Anish Swaminathan <anishs@vmware.com> 239-8
- Fix CVE-2018-15686, CVE-2018-15687
* Sun Nov 11 2018 Tapas Kundu <tkundu@vmware.com> 239-7
- Fix CVE-2018-15688
* Fri Oct 26 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 239-6
- Auto-load rdrand-rng kernel module only on x86.
* Fri Oct 26 2018 Anish Swaminathan <anishs@vmware.com> 239-5
- Revert the commit that causes GCE networkd timeout
- https://github.com/systemd/systemd/commit/44b598a1c9d11c23420a5ef45ff11bcb0ed195eb
* Mon Oct 08 2018 Srinidhi Rao <srinidhir@vmware.com> 239-4
- Add glib-devel as a Requirement to systemd-devel
* Fri Sep 21 2018 Alexey Makhalov <amakhalov@vmware.com> 239-3
- Fix compilation issue against glibc-2.28
* Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 239-2
- Automatically load rdrand-rng kernel module on every boot.
* Tue Aug 28 2018 Anish Swaminathan <anishs@vmware.com> 239-1
- Update systemd to 239
* Wed Apr 11 2018 Xiaolin Li <xiaolinl@vmware.com> 236-3
- Build systemd with util-linux 2.32.
* Wed Jan 17 2018 Divya Thaluru <dthaluru@vmware.com> 236-2
- Fixed the log file directory structure
* Fri Dec 29 2017 Anish Swaminathan <anishs@vmware.com> 236-1
- Update systemd to 236
* Thu Nov 09 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-11
- Fix CVE-2017-15908 dns packet loop fix.
* Tue Nov 07 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-10
- Fix nullptr access during link disable.
* Mon Sep 18 2017 Anish Swaminathan <anishs@vmware.com> 233-9
- Backport router solicitation backoff from systemd 234
* Fri Sep 15 2017 Anish Swaminathan <anishs@vmware.com> 233-8
- Move network file to systemd package
* Tue Aug 15 2017 Alexey Makhalov <amakhalov@vmware.com> 233-7
- Fix compilation issue for glibc-2.26
* Fri Jul 21 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-6
- Fix for CVE-2017-1000082.
* Fri Jul 07 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-5
- Fix default-dns-from-env patch.
* Wed Jul 05 2017 Xiaolin Li <xiaolinl@vmware.com> 233-4
- Add kmod-devel to BuildRequires
* Thu Jun 29 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-3
- Fix for CVE-2017-9445.
* Tue Jun 20 2017 Anish Swaminathan <anishs@vmware.com> 233-2
- Fix for CVE-2017-9217
* Mon Mar 06 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-1
- Update systemd to 233
* Tue Jan 3 2017 Alexey Makhalov <amakhalov@vmware.com> 232-5
- Added /boot/systemd.cfg
* Tue Dec 20 2016 Alexey Makhalov <amakhalov@vmware.com> 232-4
- Fix initrd-switch-root issue
* Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 232-3
- BuildRequires Linux-PAM-devel
* Thu Dec 01 2016 Xiaolin Li <xiaolinl@vmware.com> 232-2
- disable-elfutils.
* Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com> 232-1
- Update systemd to 232
* Thu Nov 3 2016 Divya Thaluru <dthaluru@vmware.com> 228-32
- Added logic to reload services incase of rpm upgrade
* Thu Sep 29 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-31
- Fix a CVE in systemd-notify socket.
* Mon Aug 29 2016 Alexey Makhalov <amakhalov@vmware.com> 228-30
- 02-install-general-aliases.patch to create absolute symlinks
* Fri Aug 26 2016 Anish Swaminathan <anishs@vmware.com> 228-29
- Change config file properties for 99-default.link
* Tue Aug 16 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-28
- systemd-resolved: Fix DNS_TRANSACTION_PENDING assert.
* Mon Aug 1 2016 Divya Thaluru <dthaluru@vmware.com> 228-27
- Removed packaging of symlinks and will be created during installation
* Tue Jul 12 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-26
- systemd-resolved: Fix DNS domains resolv.conf search issue for static DNS.
* Mon Jul 11 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-25
- systemd-networkd: Update DUID/IAID config interface to systemd v230 spec.
* Tue Jun 21 2016 Anish Swaminathan <anishs@vmware.com> 228-24
- Change config file properties
* Fri Jun 17 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-23
- systemd-resolved: Configure initial DNS servers from environment var.
* Mon Jun 06 2016 Alexey Makhalov <amakhalov@vmware.com> 228-22
- systemd-resolved: disable LLMNR
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 228-21
- GA - Bump release of all rpms
* Tue May 17 2016 Anish Swaminathan <anishs@vmware.com> 228-20
- Added patch for letting kernel handle ndisc
* Tue May 17 2016 Divya Thaluru <dthaluru@vmware.com> 228-19
- Updated systemd-user PAM configuration
* Mon May 16 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 228-18
- Updated the MaxTasks to infinity in system.conf file
* Thu Apr 21 2016 Mahmoud Bassiouny <mbassiouny@vmware.com> 228-17
- Set the default.target to the multi-user.target
* Tue Apr 12 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-16
- Disable network interface renaming.
* Thu Mar 31 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-15
- Patch to query DHCP DUID, IAID.f
* Wed Mar 30 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-14
- Update DHCP DUID, IAID configuration patch.
* Wed Mar 30 2016 Kumar Kaushik <kaushikk@vmware.com> 228-13
- Install the security hardening script as part of systemd.
* Tue Mar 29 2016 Kumar Kaushik <kaushikk@vmware.com> 228-12
- Added patch for timedatectl /etc/adjtime PR2749.
* Fri Mar 11 2016 Anish Swaminathan <anishs@vmware.com> 228-11
- Added patch for dhcp preservation via duid iaid configurability
* Fri Mar 11 2016 Anish Swaminathan <anishs@vmware.com> 228-10
- Added patch for swap disconnect order
* Thu Mar 10 2016 XIaolin Li <xiaolinl@vmware.com> 228-9
- Enable manpages.
* Fri Feb 19 2016 Anish Swaminathan <anishs@vmware.com> 228-8
- Added patch to get around systemd-networkd wait online timeout
* Sat Feb 06 2016 Alexey Makhalov <amakhalov@vmware.com> 228-7
- Added patch: fix-reading-routes.
* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> 228-6
- Add hotplug udev rules.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 228-5
- Change config file attributes.
* Wed Jan 06 2016 Anish Swaminathan <anishs@vmware.com> 228-4
- Patches for minor network fixes.
* Wed Dec 16 2015 Anish Swaminathan <anishs@vmware.com> 228-3
- Patch for ostree.
* Wed Dec 16 2015 Anish Swaminathan <anishs@vmware.com> 228-2
- Patch for loopback address.
* Fri Dec 11 2015 Anish Swaminathan <anishs@vmware.com> 228-1
- Upgrade systemd version.
* Mon Nov 30 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 216-13
- Removing the reference of lock user
* Fri Oct 9 2015 Xiaolin Li <xiaolinl@vmware.com> 216-12
- Removing la files from packages.
* Fri Sep 18 2015 Divya Thaluru <dthaluru@vmware.com> 216-11
- Packaging journal log directory
* Thu Sep 10 2015 Alexey Makhalov <amakhalov@vmware.com> 216-10
- Improve enoX renaming in VMware HV case. Patch is added.
* Tue Aug 25 2015 Alexey Makhalov <amakhalov@vmware.com> 216-9
- Reduce systemd-networkd boot time (exclude if-rename patch).
* Mon Jul 20 2015 Divya Thaluru <dthaluru@vmware.com> 216-8
- Adding sysvinit support
* Mon Jul 06 2015 Kumar Kaushik <kaushikk@vmware.com> 216-7
- Fixing networkd/udev race condition for renaming interface.
* Thu Jun 25 2015 Sharath George <sharathg@vmware.com> 216-6
- Remove debug files.
* Tue Jun 23 2015 Divya Thaluru <dthaluru@vmware.com> 216-5
- Building compat libs
* Mon Jun 1 2015 Alexey Makhalov <amakhalov@vmware.com> 216-4
- gudev support
* Wed May 27 2015 Divya Thaluru <dthaluru@vmware.com> 216-3
- Removing packing of PAM configuration files
* Mon May 18 2015 Touseef Liaqat <tliaqat@vmware.com> 216-2
- Update according to UsrMove.
* Mon Oct 27 2014 Sharath George <sharathg@vmware.com> 216-1
- Initial build. First version
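Review bot: Switching `%prep` to `%autosetup -p1 -n systemd-%{version}` applies every declared `PatchN`, which now includes `Patch23: CVE-2018-21029.nopatch`; the removed `%prep` only ran `%patch0 -p1` through `%patch15 -p1`, so the `.nopatch` marker file was never handed to `patch`. If that file is not a well-formed unified diff the build will now fail in `%prep`, so either confirm it applies cleanly or keep it out of the patch run, e.g. `%autosetup -p1 -N -n systemd-%{version}` followed by `%autopatch -p1 -M 22`. The comment block above it could then state the intent explicitly: `# Listed as a Patch tag so the CVE id is tracked; intentionally not applied in %prep.` Separately, the unchanged context lines `install -dm 0755 %{buildroot}/boot/` and `install -m 0644 %{SOURCE2} %{buildroot}/boot/` differ from systemd.spec in this same commit, which uses 0700/0600 per its 239-27 changelog entry; aligning the bootstrap spec is worth a follow-up.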


@ -1,76 +1,80 @@
Summary: Systemd-239
Name: systemd
Version: 239
Release: 32%{?dist}
License: LGPLv2+ and GPLv2+ and MIT
URL: https://www.freedesktop.org/wiki/Software/systemd/
Group: System Environment/Security
Vendor: Microsoft Corporation
Distribution: Mariner
#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
Source1: 50-security-hardening.conf
Source2: systemd.cfg
Source3: 99-dhcp-en.network
Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch
Patch1: 02-install-general-aliases.patch
Patch2: systemd-239-default-dns-from-env.patch
Patch3: systemd-macros.patch
Patch4: systemd-239-query-duid.patch
Summary: Systemd-239
Name: systemd
Version: 239
Release: 33%{?dist}
License: LGPLv2+ AND GPLv2+ AND MIT
Vendor: Microsoft Corporation
Distribution: Mariner
Group: System Environment/Security
URL: https://www.freedesktop.org/wiki/Software/systemd/
#Source0: https://github.com/systemd/systemd-stable/archive/v%{version}.tar.gz
Source0: %{name}-%{version}.tar.gz
Source1: 50-security-hardening.conf
Source2: systemd.cfg
Source3: 99-dhcp-en.network
Patch0: 01-enoX-uses-instance-number-for-vmware-hv.patch
Patch1: 02-install-general-aliases.patch
Patch2: systemd-239-default-dns-from-env.patch
Patch3: systemd-macros.patch
Patch4: systemd-239-query-duid.patch
# Fix glibc-2.28 build issue. Checked in upstream after v239
Patch5: systemd-239-glibc-build-fix.patch
Patch6: systemd-239-revert-mtu.patch
Patch7: systemd-239-CVE-2018-15688.patch
Patch8: systemd-239-CVE-2018-15686.patch
Patch9: systemd-239-CVE-2018-15687.patch
Patch10: systemd-239-CVE-2018-16864.patch
Patch11: systemd-239-CVE-2018-16865.patch
Patch12: systemd-239-CVE-2018-16866.patch
Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch
Patch14: Disable-argument-to-mount_cgroup_controllers.patch
Patch5: systemd-239-glibc-build-fix.patch
Patch6: systemd-239-revert-mtu.patch
Patch7: systemd-239-CVE-2018-15688.patch
Patch8: systemd-239-CVE-2018-15686.patch
Patch9: systemd-239-CVE-2018-15687.patch
Patch10: systemd-239-CVE-2018-16864.patch
Patch11: systemd-239-CVE-2018-16865.patch
Patch12: systemd-239-CVE-2018-16866.patch
Patch13: Backport-FOREACH_STRING-fix-for-gcc9.patch
Patch14: Disable-argument-to-mount_cgroup_controllers.patch
# This commit from upstream fixes an issue caused by using a later version of meson.
Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch
Patch15: https://github.com/systemd/systemd/commit/8f6b442a78d0b485f044742ad90b2e8271b4e68e.patch
Patch16: CVE-2019-3842.patch
Patch17: CVE-2019-3843.patch
Patch18: CVE-2019-3844.patch
Patch19: CVE-2019-6454.patch
Patch20: CVE-2019-20386.patch
Patch21: CVE-2020-1712.patch
Patch22: CVE-2020-13776.patch
# This vulnerability is in the strict DNS-over-TLS (DoT) mechanism of systemd-resolve.
# DoT is only enabled when systemd is build against gnutls.
# Furthermore, strict mode DoT is not supported before v243.
Patch16: CVE-2018-21029.nopatch
Patch23: CVE-2018-21029.nopatch
#Portablectl patches for --now --enable and --no-block flags support
Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch
Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch
Patch102: 102-portablectl-add-now-and-enable-to-attach-detach.patch
Patch103: 103-core-allow-portablectl-to-load-new-services-without-.patch
Patch104: 104-portablectl-block-when-stopping-a-unit-on-detach-now.patch
Patch105: 105-portablectl-use-replace-unload-when-stopping-a-servi.patch
Patch106: 106-portabled-implement-container-host-os-release-interf.patch
Obsoletes: systemd-bootstrap
Requires: pam
Requires: libcap
Requires: xz
Requires: kmod
Requires: glib
Requires: libgcrypt
Requires: filesystem >= 1.1
BuildRequires: intltool
BuildRequires: gperf
BuildRequires: libcap-devel
BuildRequires: xz-devel
BuildRequires: pam-devel
BuildRequires: perl-XML-Parser
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: util-linux-devel >= 2.30
BuildRequires: libxslt
BuildRequires: docbook-style-xsl
BuildRequires: docbook-dtd-xml
BuildRequires: glib-devel
BuildRequires: meson
BuildRequires: gettext
BuildRequires: shadow-utils
BuildRequires: libgcrypt-devel
BuildRequires: cryptsetup-devel
Patch100: 100-portabled-allow-to-detach-an-image-with-a-unit-in-li.patch
Patch101: 101-Portabled-fix-inspect-on-image-attached-as-directory.patch
Patch102: 102-portablectl-add-now-and-enable-to-attach-detach.patch
Patch103: 103-core-allow-portablectl-to-load-new-services-without-.patch
Patch104: 104-portablectl-block-when-stopping-a-unit-on-detach-now.patch
Patch105: 105-portablectl-use-replace-unload-when-stopping-a-servi.patch
Patch106: 106-portabled-implement-container-host-os-release-interf.patch
BuildRequires: cryptsetup-devel
BuildRequires: docbook-dtd-xml
BuildRequires: docbook-style-xsl
BuildRequires: gettext
BuildRequires: glib-devel
BuildRequires: gperf
BuildRequires: intltool
BuildRequires: kbd
BuildRequires: kmod-devel
BuildRequires: libcap-devel
BuildRequires: libgcrypt-devel
BuildRequires: libxslt
BuildRequires: meson
BuildRequires: pam-devel
BuildRequires: perl-XML-Parser
BuildRequires: shadow-utils
BuildRequires: util-linux-devel >= 2.30
BuildRequires: xz-devel
Requires: filesystem >= 1.1
Requires: glib
Requires: kmod
Requires: libcap
Requires: libgcrypt
Requires: pam
Requires: xz
Obsoletes: systemd-bootstrap
%description
Systemd is an init replacement with better process control and security
@ -78,7 +82,7 @@ Systemd is an init replacement with better process control and security
%package devel
Summary: Development headers for systemd
Requires: %{name} = %{version}-%{release}
Requires: glib-devel
Requires: glib-devel
%description devel
Development headers for developing applications linking to libsystemd
@ -91,7 +95,7 @@ Requires: %{name} = %{version}-%{release}
Language pack for systemd
%prep
%setup -q
%autosetup -p1
cat > config.cache << "EOF"
KILL=/bin/kill
HAVE_BLKID=1
@ -100,32 +104,6 @@ BLKID_CFLAGS="-I/usr/include/blkid"
cc_cv_CFLAGS__flto=no
EOF
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
# Portablectl patches
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
%patch105 -p1
%patch106 -p1
sed -i "s#\#DefaultTasksMax=512#DefaultTasksMax=infinity#g" src/core/system.conf.in
%build
@ -133,8 +111,8 @@ export LANG=en_US.UTF-8
export LC_ALL=en_US.UTF-8
CFLAGS="%{build_cflags} -Wno-error=format-overflow=" \
meson --prefix %{_prefix} \
--sysconfdir /etc \
--localstatedir /var \
--sysconfdir %{_sysconfdir} \
--localstatedir %{_var} \
-Dblkid=true \
-Dbuildtype=release \
-Ddefault-dnssec=no \
@ -150,11 +128,11 @@ meson --prefix %{_prefix} \
-Dpolkit=true \
-Dlibcryptsetup=true \
-Dgcrypt=true \
-Ddbuspolicydir=/etc/dbus-1/system.d \
-Ddbussessionservicedir=%{_prefix}/share/dbus-1/services \
-Ddbussystemservicedir=%{_prefix}/share/dbus-1/system-services \
-Dsysvinit-path=/etc/rc.d/init.d \
-Drc-local=/etc/rc.d/rc.local \
-Ddbuspolicydir=%{_sysconfdir}/dbus-1/system.d \
-Ddbussessionservicedir=%{_datadir}/dbus-1/services \
-Ddbussystemservicedir=%{_datadir}/dbus-1/system-services \
-Dsysvinit-path=%{_sysconfdir}/rc.d/init.d \
-Drc-local=%{_sysconfdir}/rc.d/rc.local \
$PWD build &&
cd build &&
%ninja_build
@ -167,17 +145,17 @@ for tool in runlevel reboot shutdown poweroff halt telinit; do
ln -sfv ../bin/systemctl %{buildroot}/sbin/${tool}
done
ln -sfv ../lib/systemd/systemd %{buildroot}/sbin/init
sed -i '/srv/d' %{buildroot}/usr/lib/tmpfiles.d/home.conf
sed -i "s:0775 root lock:0755 root root:g" %{buildroot}/usr/lib/tmpfiles.d/legacy.conf
sed -i '/srv/d' %{buildroot}%{_lib}/tmpfiles.d/home.conf
sed -i "s:0775 root lock:0755 root root:g" %{buildroot}%{_lib}/tmpfiles.d/legacy.conf
sed -i "s:NamePolicy=kernel database onboard slot path:NamePolicy=kernel database:g" %{buildroot}/lib/systemd/network/99-default.link
sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}/etc/systemd/resolved.conf
sed -i "s:#NTP=:NTP=time.windows.com:g" %{buildroot}/etc/systemd/timesyncd.conf
sed -i "s:#LLMNR=yes:LLMNR=false:g" %{buildroot}%{_sysconfdir}/systemd/resolved.conf
sed -i "s:#NTP=:NTP=time.windows.com:g" %{buildroot}%{_sysconfdir}/systemd/timesyncd.conf
rm -f %{buildroot}%{_var}/log/README
mkdir -p %{buildroot}%{_localstatedir}/opt/journal/log
mkdir -p %{buildroot}%{_localstatedir}/log
ln -sfv %{_localstatedir}/opt/journal/log %{buildroot}%{_localstatedir}/log/journal
find %{buildroot} -name '*.la' -delete
find %{buildroot} -type f -name "*.la" -delete -print
install -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysctl.d
install -dm 0700 %{buildroot}/boot/
install -m 0600 %{SOURCE2} %{buildroot}/boot/
@ -187,12 +165,12 @@ install -dm 0755 %{buildroot}/%{_sysconfdir}/systemd/network
install -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/systemd/network
%find_lang %{name} ../%{name}.lang
%post
/sbin/ldconfig
%postun
/sbin/ldconfig
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%clean
rm -rf %{buildroot}/*
%files
%defattr(-,root,root)
%license LICENSE.GPL2
@ -266,7 +244,7 @@ rm -rf %{buildroot}/*
%{_datadir}/bash-completion/*
%{_datadir}/factory/*
%{_datadir}/dbus-1
%{_datadir}/doc/*
%{_docdir}/*
%{_mandir}/man[1578]/*
%{_datadir}/polkit-1
%{_datadir}/systemd
@ -289,196 +267,301 @@ rm -rf %{buildroot}/*
%files lang -f %{name}.lang
%changelog
* Thu Oct 22 2020 Nicolas Ontiveros <niontive@microsoft.com> - 239-33
- Use autosetup
- Fix CVE-2019-3842
- Fix CVE-2019-3843
- Fix CVE-2019-3844
- Fix CVE-2019-6454
- Fix CVE-2019-20386
- Fix CVE-2020-1712
- Fix CVE-2020-13776
* Wed Sep 23 2020 Suresh Babu Chalamalasetty <schalam@microsoft.com> 239-32
- Portablectl patches for --now --enable and --no-block flags support
* Mon Aug 24 2020 Leandro Pereira <leperei@microsoft.com> 239-31
- Use time.windows.com as the default NTP server in timesyncd.
* Tue Aug 11 2020 Mateusz Malisz <mamalisz@microsoft.com> 239-30
- Reduce kptr_restrict to 1
* Fri May 29 2020 Nicolas Ontiveros <niontive@microsoft.com> 239-29
- Include cryptsetup to build cryptsetup generator.
* Wed May 27 2020 Chris Co <chrco@microsoft.com> 239-28
- Disable IPv6 router advertisements by default
* Wed May 20 2020 Emre Girgin <mrgirgin@microsoft.com> 239-27
- Change /boot directory permissions to 600.
* Wed May 20 2020 Joe Schmitt <joschmit@microsoft.com> 239-26
- Remove 99-vmware-hotplug.rules.
* Sat May 09 00:20:49 PST 2020 Nick Samson <nisamson@microsoft.com> - 239-25
- Added %%license line automatically
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-24
- Renaming docbook-xsl to docbook-style-xsl
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-23
- Renaming docbook-xml to docbook-dtd-xml
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-22
- Renaming Linux-PAM to pam
* Wed May 06 2020 Emre Girgin <mrgirgin@microsoft.com> 239-21
- Renaming XML-Parser to perl-XML-Parser
* Tue May 05 2020 Joe Schmitt <joschmit@microsoft.com> 239-20
- Remove unused rdrand-rng after kernel update.
* Thu Apr 23 2020 Emre Girgin <mrgirgin@microsoft.com> 239-19
- Ignore CVE-2018-21029.
* Fri Apr 17 2020 Emre Girgin <mrgirgin@microsoft.com> 239-18
- Rename shadow to shadow-utils.
* Thu Apr 16 2020 Emre Girgin <mrgirgin@microsoft.com> 239-17
- Resolve build issues arising from upgrading meson to 0.49.2.
* Thu Apr 09 2020 Henry Beberman <henry.beberman@microsoft.com> 239-16
- Add patch to disable arguments to mount_cgroup_controllers as in upstream latest.
* Tue Apr 07 2020 Paul Monson <paulmon@microsoft.com> 239-15
- Update Source0 link. License verified.
* Tue Mar 31 2020 Henry Beberman <henry.beberman@microsoft.com> 239-14
- Backport upstream fix for FOREACH_STRING macro.
* Tue Mar 24 2020 Henry Beberman <henry.beberman@microsoft.com> 239-13
- Add -Wno-error=format-overflow= to fix gcc9 build.
* Thu Feb 27 2020 Henry Beberman <hebeberm@microsoft.com> 239-12
- Disable libcurl auto-configure
* Tue Sep 03 2019 Mateusz Malisz <mamalisz@microsoft.com> 239-11
- Initial CBL-Mariner import from Photon (license: Apache2).
* Thu Jan 10 2019 Anish Swaminathan <anishs@vmware.com> 239-10
- Fix CVE-2018-16864, CVE-2018-16865, CVE-2018-16866
* Wed Jan 09 2019 Keerthana K <keerthanak@vmware.com> 239-9
- Seting default values for tcp_timestamps, tcp_challenge_ack_limit and ip_forward.
* Wed Jan 02 2019 Anish Swaminathan <anishs@vmware.com> 239-8
- Fix CVE-2018-15686, CVE-2018-15687
* Sun Nov 11 2018 Tapas Kundu <tkundu@vmware.com> 239-7
- Fix CVE-2018-15688
* Fri Oct 26 2018 Srivatsa S. Bhat (VMware) <srivatsa@csail.mit.edu> 239-6
- Auto-load rdrand-rng kernel module only on x86.
* Fri Oct 26 2018 Anish Swaminathan <anishs@vmware.com> 239-5
- Revert the commit that causes GCE networkd timeout
- https://github.com/systemd/systemd/commit/44b598a1c9d11c23420a5ef45ff11bcb0ed195eb
* Mon Oct 08 2018 Srinidhi Rao <srinidhir@vmware.com> 239-4
- Add glib-devel as a Requirement to systemd-devel
* Fri Sep 21 2018 Alexey Makhalov <amakhalov@vmware.com> 239-3
- Fix compilation issue against glibc-2.28
* Tue Sep 18 2018 Srivatsa S. Bhat <srivatsa@csail.mit.edu> 239-2
- Automatically load rdrand-rng kernel module on every boot.
* Tue Aug 28 2018 Anish Swaminathan <anishs@vmware.com> 239-1
- Update systemd to 239
* Wed Apr 11 2018 Xiaolin Li <xiaolinl@vmware.com> 236-3
- Build systemd with util-linux 2.32.
* Wed Jan 17 2018 Divya Thaluru <dthaluru@vmware.com> 236-2
- Fixed the log file directory structure
* Fri Dec 29 2017 Anish Swaminathan <anishs@vmware.com> 236-1
- Update systemd to 236
* Thu Nov 09 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-11
- Fix CVE-2017-15908 dns packet loop fix.
* Tue Nov 07 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-10
- Fix nullptr access during link disable.
* Mon Sep 18 2017 Anish Swaminathan <anishs@vmware.com> 233-9
- Backport router solicitation backoff from systemd 234
* Fri Sep 15 2017 Anish Swaminathan <anishs@vmware.com> 233-8
- Move network file to systemd package
* Tue Aug 15 2017 Alexey Makhalov <amakhalov@vmware.com> 233-7
- Fix compilation issue for glibc-2.26
* Fri Jul 21 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-6
- Fix for CVE-2017-1000082.
* Fri Jul 07 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-5
- Fix default-dns-from-env patch.
* Wed Jul 05 2017 Xiaolin Li <xiaolinl@vmware.com> 233-4
- Add kmod-devel to BuildRequires
* Thu Jun 29 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-3
- Fix for CVE-2017-9445.
* Tue Jun 20 2017 Anish Swaminathan <anishs@vmware.com> 233-2
- Fix for CVE-2017-9217
* Mon Mar 06 2017 Vinay Kulkarni <kulkarniv@vmware.com> 233-1
- Update systemd to 233
* Tue Jan 3 2017 Alexey Makhalov <amakhalov@vmware.com> 232-5
- Added /boot/systemd.cfg
* Tue Dec 20 2016 Alexey Makhalov <amakhalov@vmware.com> 232-4
- Fix initrd-switch-root issue
* Wed Dec 07 2016 Xiaolin Li <xiaolinl@vmware.com> 232-3
- BuildRequires Linux-PAM-devel
* Thu Dec 01 2016 Xiaolin Li <xiaolinl@vmware.com> 232-2
- disable-elfutils.
* Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com> 232-1
- Update systemd to 232
* Thu Nov 3 2016 Divya Thaluru <dthaluru@vmware.com> 228-32
- Added logic to reload services incase of rpm upgrade
* Thu Sep 29 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-31
- Fix a CVE in systemd-notify socket.
* Mon Aug 29 2016 Alexey Makhalov <amakhalov@vmware.com> 228-30
- 02-install-general-aliases.patch to create absolute symlinks
* Fri Aug 26 2016 Anish Swaminathan <anishs@vmware.com> 228-29
- Change config file properties for 99-default.link
* Tue Aug 16 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-28
- systemd-resolved: Fix DNS_TRANSACTION_PENDING assert.
* Mon Aug 1 2016 Divya Thaluru <dthaluru@vmware.com> 228-27
- Removed packaging of symlinks and will be created during installation
* Tue Jul 12 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-26
- systemd-resolved: Fix DNS domains resolv.conf search issue for static DNS.
* Mon Jul 11 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-25
- systemd-networkd: Update DUID/IAID config interface to systemd v230 spec.
* Tue Jun 21 2016 Anish Swaminathan <anishs@vmware.com> 228-24
- Change config file properties
* Fri Jun 17 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-23
- systemd-resolved: Configure initial DNS servers from environment var.
* Mon Jun 06 2016 Alexey Makhalov <amakhalov@vmware.com> 228-22
- systemd-resolved: disable LLMNR
* Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 228-21
- GA - Bump release of all rpms
* Tue May 17 2016 Anish Swaminathan <anishs@vmware.com> 228-20
- Added patch for letting kernel handle ndisc
* Tue May 17 2016 Divya Thaluru <dthaluru@vmware.com> 228-19
- Updated systemd-user PAM configuration
* Mon May 16 2016 Harish Udaiya Kumar <hudaiyakumar@vmware.com> 228-18
- Updated the MaxTasks to infinity in system.conf file
* Thu Apr 21 2016 Mahmoud Bassiouny <mbassiouny@vmware.com> 228-17
- Set the default.target to the multi-user.target
* Tue Apr 12 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-16
- Disable network interface renaming.
* Thu Mar 31 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-15
- Patch to query DHCP DUID, IAID.f
* Wed Mar 30 2016 Vinay Kulkarni <kulkarniv@vmware.com> 228-14
- Update DHCP DUID, IAID configuration patch.
* Wed Mar 30 2016 Kumar Kaushik <kaushikk@vmware.com> 228-13
- Install the security hardening script as part of systemd.
* Tue Mar 29 2016 Kumar Kaushik <kaushikk@vmware.com> 228-12
- Added patch for timedatectl /etc/adjtime PR2749.
* Fri Mar 11 2016 Anish Swaminathan <anishs@vmware.com> 228-11
- Added patch for dhcp preservation via duid iaid configurability
* Fri Mar 11 2016 Anish Swaminathan <anishs@vmware.com> 228-10
- Added patch for swap disconnect order
* Thu Mar 10 2016 XIaolin Li <xiaolinl@vmware.com> 228-9
- Enable manpages.
* Fri Feb 19 2016 Anish Swaminathan <anishs@vmware.com> 228-8
- Added patch to get around systemd-networkd wait online timeout
* Sat Feb 06 2016 Alexey Makhalov <amakhalov@vmware.com> 228-7
- Added patch: fix-reading-routes.
* Wed Feb 03 2016 Anish Swaminathan <anishs@vmware.com> 228-6
- Add hotplug udev rules.
* Tue Jan 12 2016 Anish Swaminathan <anishs@vmware.com> 228-5
- Change config file attributes.
* Wed Jan 06 2016 Anish Swaminathan <anishs@vmware.com> 228-4
- Patches for minor network fixes.
* Wed Dec 16 2015 Anish Swaminathan <anishs@vmware.com> 228-3
- Patch for ostree.
* Wed Dec 16 2015 Anish Swaminathan <anishs@vmware.com> 228-2
- Patch for loopback address.
* Fri Dec 11 2015 Anish Swaminathan <anishs@vmware.com> 228-1
- Upgrade systemd version.
* Mon Nov 30 2015 Mahmoud Bassiouny <mbassiouny@vmware.com> 216-13
- Removing the reference of lock user
* Fri Oct 9 2015 Xiaolin Li <xiaolinl@vmware.com> 216-12
- Removing la files from packages.
* Fri Sep 18 2015 Divya Thaluru <dthaluru@vmware.com> 216-11
- Packaging journal log directory
* Thu Sep 10 2015 Alexey Makhalov <amakhalov@vmware.com> 216-10
- Improve enoX renaming in VMware HV case. Patch is added.
* Tue Aug 25 2015 Alexey Makhalov <amakhalov@vmware.com> 216-9
- Reduce systemd-networkd boot time (exclude if-rename patch).
* Mon Jul 20 2015 Divya Thaluru <dthaluru@vmware.com> 216-8
- Adding sysvinit support
* Mon Jul 06 2015 Kumar Kaushik <kaushikk@vmware.com> 216-7
- Fixing networkd/udev race condition for renaming interface.
* Thu Jun 25 2015 Sharath George <sharathg@vmware.com> 216-6
- Remove debug files.
* Tue Jun 23 2015 Divya Thaluru <dthaluru@vmware.com> 216-5
- Building compat libs
* Mon Jun 1 2015 Alexey Makhalov <amakhalov@vmware.com> 216-4
- gudev support
* Wed May 27 2015 Divya Thaluru <dthaluru@vmware.com> 216-3
- Removing packing of PAM configuration files
* Mon May 18 2015 Touseef Liaqat <tliaqat@vmware.com> 216-2
- Update according to UsrMove.
* Mon Oct 27 2014 Sharath George <sharathg@vmware.com> 216-1
- Initial build. First version


@ -353,13 +353,13 @@ sqlite-devel-3.32.3-2.cm1.aarch64.rpm
sqlite-libs-3.32.3-2.cm1.aarch64.rpm
swig-3.0.12-4.cm1.aarch64.rpm
swig-debuginfo-3.0.12-4.cm1.aarch64.rpm
systemd-239-32.cm1.aarch64.rpm
systemd-bootstrap-239-29.cm1.aarch64.rpm
systemd-bootstrap-debuginfo-239-29.cm1.aarch64.rpm
systemd-bootstrap-devel-239-29.cm1.aarch64.rpm
systemd-debuginfo-239-32.cm1.aarch64.rpm
systemd-devel-239-32.cm1.aarch64.rpm
systemd-lang-239-32.cm1.aarch64.rpm
systemd-239-33.cm1.aarch64.rpm
systemd-bootstrap-239-30.cm1.aarch64.rpm
systemd-bootstrap-debuginfo-239-30.cm1.aarch64.rpm
systemd-bootstrap-devel-239-30.cm1.aarch64.rpm
systemd-debuginfo-239-33.cm1.aarch64.rpm
systemd-devel-239-33.cm1.aarch64.rpm
systemd-lang-239-33.cm1.aarch64.rpm
tar-1.32-2.cm1.aarch64.rpm
tar-debuginfo-1.32-2.cm1.aarch64.rpm
tdnf-2.1.0-4.cm1.aarch64.rpm


@ -353,13 +353,13 @@ sqlite-devel-3.32.3-2.cm1.x86_64.rpm
sqlite-libs-3.32.3-2.cm1.x86_64.rpm
swig-3.0.12-4.cm1.x86_64.rpm
swig-debuginfo-3.0.12-4.cm1.x86_64.rpm
systemd-239-32.cm1.x86_64.rpm
systemd-bootstrap-239-29.cm1.x86_64.rpm
systemd-bootstrap-debuginfo-239-29.cm1.x86_64.rpm
systemd-bootstrap-devel-239-29.cm1.x86_64.rpm
systemd-debuginfo-239-32.cm1.x86_64.rpm
systemd-devel-239-32.cm1.x86_64.rpm
systemd-lang-239-32.cm1.x86_64.rpm
systemd-239-33.cm1.x86_64.rpm
systemd-bootstrap-239-30.cm1.x86_64.rpm
systemd-bootstrap-debuginfo-239-30.cm1.x86_64.rpm
systemd-bootstrap-devel-239-30.cm1.x86_64.rpm
systemd-debuginfo-239-33.cm1.x86_64.rpm
systemd-devel-239-33.cm1.x86_64.rpm
systemd-lang-239-33.cm1.x86_64.rpm
tar-1.32-2.cm1.x86_64.rpm
tar-debuginfo-1.32-2.cm1.x86_64.rpm
tdnf-2.1.0-4.cm1.x86_64.rpm