Diffstat (limited to 'poky/meta/recipes-core/systemd')
-rw-r--r--poky/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf6
-rw-r--r--poky/meta/recipes-core/systemd/systemd/0023-Include-sys-wait.h.patch31
-rw-r--r--poky/meta/recipes-core/systemd/systemd/0024-Include-signal.h.patch33
-rw-r--r--poky/meta/recipes-core/systemd/systemd/0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch43
-rw-r--r--poky/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf11
-rw-r--r--poky/meta/recipes-core/systemd/systemd_247.3.bb21
6 files changed, 42 insertions, 103 deletions
diff --git a/poky/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf b/poky/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
new file mode 100644
index 000000000..6b224ba9b
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/00-hostnamed-network-user.conf
@@ -0,0 +1,6 @@
+[Service]
+# By running with these options instead of root, networkd is allowed to request
+# a hostname change via DBUS when policykit is not present
+User=systemd-network
+Group=systemd-hostname
+AmbientCapabilities=CAP_SYS_ADMIN
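Review bot: The comment above User= says networkd runs with these options, but the recipe installs this file as a drop-in under systemd-hostnamed.service.d, so it is systemd-hostnamed that is moved off root onto the networkd user and given the systemd-hostname group; the comment should name the right service, e.g. `# Run hostnamed as the networkd user (and in the systemd-hostname group) so that, with polkit absent, hostnamed accepts hostname-change requests that networkd sends over D-Bus`. The wording should also make the consequence explicit: if authorization falls back to same-UID callers, any process running as systemd-network, not just networkd, may change the hostname. AmbientCapabilities=CAP_SYS_ADMIN covers sethostname() for the transient hostname, but any write hostnamed makes under /etc for the static hostname would now run as this unprivileged user; confirm that path is either out of scope here or still writable, and say which in the comment.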
diff --git a/poky/meta/recipes-core/systemd/systemd/0023-Include-sys-wait.h.patch b/poky/meta/recipes-core/systemd/systemd/0023-Include-sys-wait.h.patch
deleted file mode 100644
index ea4a024b8..000000000
--- a/poky/meta/recipes-core/systemd/systemd/0023-Include-sys-wait.h.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 359e7a38824a906b0a24f5775f41a2ae3358bf06 Mon Sep 17 00:00:00 2001
-From: Scott Murray <scott.murray@konsulko.com>
-Date: Fri, 13 Sep 2019 19:26:27 -0400
-Subject: [PATCH 23/26] Include sys/wait.h
-
-Fixes:
-src/login/logind-brightness.c:158:85: error: 'WEXITED' undeclared (first use in this function); did you mean 'WIFEXITED'?
- 158 | r = sd_event_add_child(w->manager->event, &w->child_event_source, w->child, WEXITED, on_brightness_writer_exit, w);
- | ^~~~~~~
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- src/login/logind-brightness.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/login/logind-brightness.c b/src/login/logind-brightness.c
-index a6a1603396..54848ce209 100644
---- a/src/login/logind-brightness.c
-+++ b/src/login/logind-brightness.c
-@@ -1,5 +1,6 @@
- /* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-+#include <sys/wait.h>
- #include "bus-util.h"
- #include "device-util.h"
- #include "hash-funcs.h"
---
-2.27.0
-
diff --git a/poky/meta/recipes-core/systemd/systemd/0024-Include-signal.h.patch b/poky/meta/recipes-core/systemd/systemd/0024-Include-signal.h.patch
deleted file mode 100644
index 2820d7b32..000000000
--- a/poky/meta/recipes-core/systemd/systemd/0024-Include-signal.h.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 0592da08e16a17ceef0949ec9901397d8ec5af92 Mon Sep 17 00:00:00 2001
-From: Scott Murray <scott.murray@konsulko.com>
-Date: Fri, 13 Sep 2019 19:26:27 -0400
-Subject: [PATCH 24/26] Include signal.h
-
-Fixes several signal set related errors:
-src/basic/copy.c:92:19: error: implicit declaration of function 'sigemptyset' [-Werror=implicit-function-declaration]
-src/basic/copy.c:93:19: error: implicit declaration of function 'sigaddset' [-Werror=implicit-function-declaration]
-src/basic/copy.c:93:34: error: 'SIGINT' undeclared (first use in this function)
-src/basic/copy.c:95:13: error: implicit declaration of function 'sigtimedwait' [-Werror=implicit-function-declaration]
-
-Upstream-Status: Pending
-
-Signed-off-by: Scott Murray <scott.murray@konsulko.com>
----
- src/basic/copy.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/basic/copy.c b/src/basic/copy.c
-index 6a9c3a396f..8948bb4013 100644
---- a/src/basic/copy.c
-+++ b/src/basic/copy.c
-@@ -8,6 +8,7 @@
- #include <sys/sendfile.h>
- #include <sys/xattr.h>
- #include <unistd.h>
-+#include <signal.h>
-
- #include "alloc-util.h"
- #include "btrfs-util.h"
---
-2.27.0
-
diff --git a/poky/meta/recipes-core/systemd/systemd/0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch b/poky/meta/recipes-core/systemd/systemd/0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch
index b1d3d6963..94a4c307b 100644
--- a/poky/meta/recipes-core/systemd/systemd/0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch
+++ b/poky/meta/recipes-core/systemd/systemd/0027-proc-dont-trigger-mount-error-with-invalid-options-o.patch
@@ -36,10 +36,10 @@ systemd 247 and above plus kernel v5.7 or older will need this.
Upstream-Status: Denied [https://github.com/systemd/systemd/issues/16896]
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-diff --git a/src/core/namespace.c b/src/core/namespace.c
-index cdf427a6ea93..f8fc33a89fc2 100644
---- a/src/core/namespace.c
-+++ b/src/core/namespace.c
+Index: git/src/core/namespace.c
+===================================================================
+--- git.orig/src/core/namespace.c
++++ git/src/core/namespace.c
@@ -4,7 +4,9 @@
#include <linux/loop.h>
#include <sched.h>
@@ -50,11 +50,9 @@ index cdf427a6ea93..f8fc33a89fc2 100644
#include <unistd.h>
#include <linux/fs.h>
-@@ -859,14 +861,34 @@ static int mount_sysfs(const MountEntry *m) {
- }
+@@ -860,13 +862,32 @@ static int mount_sysfs(const MountEntry
static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
-+ _cleanup_free_ char *opts = NULL;
const char *entry_path;
- int r;
+ int r, major, minor;
@@ -86,41 +84,14 @@ index cdf427a6ea93..f8fc33a89fc2 100644
/* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
* one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
* our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
-@@ -875,9 +897,8 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
+@@ -875,8 +896,8 @@ static int mount_procfs(const MountEntry
(void) mkdir_p_label(entry_path, 0755);
(void) umount_recursive(entry_path, 0);
- if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
- ns_info->proc_subset != PROC_SUBSET_ALL) {
-- _cleanup_free_ char *opts = NULL;
+ if (!old && (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
+ ns_info->proc_subset != PROC_SUBSET_ALL)) {
+ _cleanup_free_ char *opts = NULL;
/* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
- * pretended to be per-instance but actually was per-namespace), hence let's make use of it
-@@ -891,21 +912,9 @@ static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
- ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : "");
- if (!opts)
- return -ENOMEM;
--
-- r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
-- if (r < 0) {
-- if (r != -EINVAL)
-- return r;
--
-- /* If this failed with EINVAL then this likely means the textual hidepid= stuff is
-- * not supported by the kernel, and thus the per-instance hidepid= neither, which
-- * means we really don't want to use it, since it would affect our host's /proc
-- * mount. Hence let's gracefully fallback to a classic, unrestricted version. */
-- } else
-- return 1;
- }
-
-- r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
-+ r = mount_nofollow_verbose(LOG_DEBUG, "proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts);
- if (r < 0)
- return r;
-
---
-2.29.2
-
diff --git a/poky/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf b/poky/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
new file mode 100644
index 000000000..f4d0271cd
--- /dev/null
+++ b/poky/meta/recipes-core/systemd/systemd/org.freedesktop.hostname1_no_polkit.conf
@@ -0,0 +1,11 @@
+<?xml version="1.0"?> <!--*-nxml-*-->
+<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
+ "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
+
+<busconfig>
+ <policy group="systemd-hostname">
+ <allow own="org.freedesktop.hostname1"/>
+ <allow send_destination="org.freedesktop.hostname1"/>
+ <allow receive_sender="org.freedesktop.hostname1"/>
+ </policy>
+</busconfig>
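Review bot: The file carries no explanation of why a second hostname1 policy exists, and the `<allow own="org.freedesktop.hostname1"/>` for group systemd-hostname is the security-relevant grant: any process in that group may claim the name and answer hostname requests. Add a comment above `<busconfig>` such as `<!-- Installed only with PACKAGECONFIG polkit_hostnamed_fallback: the 00-hostnamed-network-user.conf drop-in runs systemd-hostnamed with Group=systemd-hostname instead of root, so that group must be allowed to own org.freedesktop.hostname1. Keep group membership limited to that service. -->`. The send_destination and receive_sender allows look redundant if the stock org.freedesktop.hostname1.conf already grants them in its default policy context; if that is the case, dropping them keeps the override down to the one grant the fallback actually needs.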
diff --git a/poky/meta/recipes-core/systemd/systemd_247.3.bb b/poky/meta/recipes-core/systemd/systemd_247.3.bb
index b1a38ba9b..59e000f1d 100644
--- a/poky/meta/recipes-core/systemd/systemd_247.3.bb
+++ b/poky/meta/recipes-core/systemd/systemd_247.3.bb
@@ -16,6 +16,8 @@ REQUIRED_DISTRO_FEATURES = "systemd"
SRC_URI += "file://touchscreen.rules \
file://00-create-volatile.conf \
+ ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://org.freedesktop.hostname1_no_polkit.conf', '', d)} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'file://00-hostnamed-network-user.conf', '', d)} \
file://init \
file://99-default.preset \
file://systemd-pager.sh \
@@ -51,8 +53,6 @@ SRC_URI_MUSL = "\
file://0020-Fix-incompatible-pointer-type-struct-sockaddr_un.patch \
file://0021-test-json.c-define-M_PIl.patch \
file://0022-do-not-disable-buffer-in-writing-files.patch \
- file://0023-Include-sys-wait.h.patch \
- file://0024-Include-signal.h.patch \
file://0025-Handle-__cpu_mask-usage.patch \
file://0026-Handle-missing-gshadow.patch \
"
@@ -166,6 +166,10 @@ PACKAGECONFIG[openssl] = "-Dopenssl=true,-Dopenssl=false,openssl"
PACKAGECONFIG[pam] = "-Dpam=true,-Dpam=false,libpam,${PAM_PLUGINS}"
PACKAGECONFIG[pcre2] = "-Dpcre2=true,-Dpcre2=false,libpcre2"
PACKAGECONFIG[polkit] = "-Dpolkit=true,-Dpolkit=false"
+# If polkit is disabled and networkd+hostnamed are in use, enabling this option and
+# using dbus-broker will allow networkd to be authorized to change the
+# hostname without acquiring additional privileges
+PACKAGECONFIG[polkit_hostnamed_fallback] = ",,,,dbus-broker,polkit"
PACKAGECONFIG[portabled] = "-Dportabled=true,-Dportabled=false"
PACKAGECONFIG[qrencode] = "-Dqrencode=true,-Dqrencode=false,qrencode,,qrencode"
PACKAGECONFIG[quotacheck] = "-Dquotacheck=true,-Dquotacheck=false"
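Review bot: Nothing ties polkit_hostnamed_fallback to the networkd PACKAGECONFIG, yet the drop-in it installs sets User=systemd-network, and that user is only created by the networkd entry in USERADD_PARAM in the GROUPADD/USERADD hunk further down; enabling the fallback without networkd leaves hostnamed referencing a user that does not exist. At minimum record this in the new comment, e.g. `# Requires the networkd PACKAGECONFIG: the installed drop-in runs hostnamed as the systemd-network user`; better, fail the parse early so the misconfiguration is caught at build time rather than as a unit that will not start.
```bitbake
python __anonymous() {
    pc = (d.getVar('PACKAGECONFIG') or '').split()
    if 'polkit_hostnamed_fallback' in pc and 'networkd' not in pc:
        bb.fatal("polkit_hostnamed_fallback requires networkd in PACKAGECONFIG (drop-in uses User=systemd-network)")
}
```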
@@ -308,6 +312,15 @@ do_install() {
fi
fi
+ # If polkit is not available and a fallback was requested, install a drop-in that allows networkd to
+ # request hostname changes via DBUS without elevating its privileges
+ if ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', 'true', 'false', d)}; then
+ install -d ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+ install -m 0644 ${WORKDIR}/00-hostnamed-network-user.conf ${D}${systemd_unitdir}/system/systemd-hostnamed.service.d/
+ install -d ${D}${datadir}/dbus-1/system.d/
+ install -m 0644 ${WORKDIR}/org.freedesktop.hostname1_no_polkit.conf ${D}${datadir}/dbus-1/system.d/
+ fi
+
# create link for existing udev rules
ln -s ${base_bindir}/udevadm ${D}${base_sbindir}/udevadm
@@ -372,7 +385,8 @@ USERADD_PACKAGES = "${PN} ${PN}-extra-utils \
${@bb.utils.contains('PACKAGECONFIG', 'microhttpd', '${PN}-journal-remote', '', d)} \
${@bb.utils.contains('PACKAGECONFIG', 'journal-upload', '${PN}-journal-upload', '', d)} \
"
-GROUPADD_PARAM_${PN} = "-r systemd-journal"
+GROUPADD_PARAM_${PN} = "-r systemd-journal;"
+GROUPADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '-r systemd-hostname;', '', d)}"
USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'coredump', '--system -d / -M --shell /sbin/nologin systemd-coredump;', '', d)}"
USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'networkd', '--system -d / -M --shell /sbin/nologin systemd-network;', '', d)}"
USERADD_PARAM_${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'polkit', '--system --no-create-home --user-group --home-dir ${sysconfdir}/polkit-1 polkitd;', '', d)}"
@@ -591,6 +605,7 @@ FILES_${PN} = " ${base_bindir}/* \
${datadir}/dbus-1/system.d/org.freedesktop.network1.conf \
${datadir}/dbus-1/system.d/org.freedesktop.resolve1.conf \
${datadir}/dbus-1/system.d/org.freedesktop.systemd1.conf \
+ ${@bb.utils.contains('PACKAGECONFIG', 'polkit_hostnamed_fallback', '${datadir}/dbus-1/system.d/org.freedesktop.hostname1_no_polkit.conf', '', d)} \
${datadir}/dbus-1/system.d/org.freedesktop.hostname1.conf \
${datadir}/dbus-1/system.d/org.freedesktop.login1.conf \
${datadir}/dbus-1/system.d/org.freedesktop.timesync1.conf \