Commit 76e351d7 authored by Michael Biebl

Import Debian changes 241-7~deb10u1

systemd (241-7~deb10u1) buster; urgency=medium

  * Rebuild for buster

systemd (241-7) unstable; urgency=medium

  [ Michael Biebl ]
  * network: Fix failure to bring up interface with Linux kernel 5.2.
    Backport two patches from systemd master in order to fix a bug with 5.2
    kernels where the network interface fails to come up with the following
    error: "enp3s0: Could not bring up interface: Invalid argument"
    (Closes: #931636)
  * Use /usr/sbin/nologin as nologin shell.
    In Debian the nologin shell is installed in /usr/sbin, not /sbin.
    (Closes: #931850)

  [ Mert Dirik ]
  * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
    (Closes: #931719)

systemd (241-6) unstable; urgency=medium

  * ask-password: Prevent buffer overflow when reading from keyring.
    Fixes a possible memory corruption that causes systemd-cryptsetup to
    crash either when a single large password is used or when multiple
    passwords have already been pushed to the keyring. (Closes: #929726)
  * Clarify documentation regarding %h/%u/%U specifiers.
    Make it clear, that setting "User=" has no effect on those specifiers.
    Also ensure that "%h" is actually resolved to "/root" for the system
    manager instance as documented in the systemd.unit man page.
    (Closes: #927911)
  * network: Behave more gracefully when IPv6 has been disabled.
    Ignore any configured IPv6 settings when IPv6 has been disabled in the
    kernel via sysctl. Instead of failing completely, continue and log a
    warning instead. (Closes: #929469)
parent bed3d886
Tags debian/241-7_deb10u1
Showing 1259 additions and 7 deletions
systemd (241-7~deb10u1) buster; urgency=medium
* Rebuild for buster
-- Michael Biebl <biebl@debian.org> Tue, 20 Aug 2019 13:50:42 +0200
systemd (241-7) unstable; urgency=medium
[ Michael Biebl ]
* network: Fix failure to bring up interface with Linux kernel 5.2.
Backport two patches from systemd master in order to fix a bug with 5.2
kernels where the network interface fails to come up with the following
error: "enp3s0: Could not bring up interface: Invalid argument"
(Closes: #931636)
* Use /usr/sbin/nologin as nologin shell.
In Debian the nologin shell is installed in /usr/sbin, not /sbin.
(Closes: #931850)
[ Mert Dirik ]
* 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
(Closes: #931719)
-- Michael Biebl <biebl@debian.org> Thu, 18 Jul 2019 19:38:23 +0200
systemd (241-6) unstable; urgency=medium
* ask-password: Prevent buffer overflow when reading from keyring.
Fixes a possible memory corruption that causes systemd-cryptsetup to
crash either when a single large password is used or when multiple
passwords have already been pushed to the keyring. (Closes: #929726)
* Clarify documentation regarding %h/%u/%U specifiers.
Make it clear, that setting "User=" has no effect on those specifiers.
Also ensure that "%h" is actually resolved to "/root" for the system
manager instance as documented in the systemd.unit man page.
(Closes: #927911)
* network: Behave more gracefully when IPv6 has been disabled.
Ignore any configured IPv6 settings when IPv6 has been disabled in the
kernel via sysctl. Instead of failing completely, continue and log a
warning instead. (Closes: #929469)
-- Michael Biebl <biebl@debian.org> Mon, 08 Jul 2019 11:27:51 +0200
systemd (241-5) unstable; urgency=medium
* Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
......
......@@ -8,12 +8,12 @@ if [ -d /run/systemd/system ]; then
executable="$__init_d_script_name"
argument="$1"
elif [ "${0##*/}" = "init-d-script" ] ||
[ "${0##*/}" = "${1##*/}" ]; then # scripts run with old init-d-script
[ "${0##*/}" = "${1:-}" ]; then # scripts run with old init-d-script
executable="$1"
argument="$2"
else # plain old scripts
executable="$0"
argument="$1"
argument="${1:-}"
fi
prog=${executable##*/}
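Review bot: The replacement test `[ "${0##*/}" = "${1:-}" ]` no longer strips the directory part of `$1`, so the basename of `$0` is now compared against the full first argument, where the old line compared two basenames via `${1##*/}`. If the old init-d-script invocation passes the script as a path, this branch stops matching and the script falls through to the plain-script case. Consider assigning `${1:-}` to a variable first and applying `##*/` to that, which keeps the `set -u` fix without changing the comparison. The `argument="$1"` in the first branch is also still unguarded under `set -u`.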
......
[DEFAULT]
pristine-tar = True
patch-numbers = False
debian-branch = master
debian-branch = buster
[dch]
full = True
......
From: Michael Biebl <biebl@debian.org>
Date: Thu, 27 Jun 2019 15:02:40 +0200
Subject: ask-password: prevent buffer overflow when reading from keyring
When we read from keyring, a temporary buffer is allocated in order to
determine the size needed for the entire data. However, when zeroing that area,
we use the data size returned by the read instead of the lesser size allocate
for the buffer.
That will cause memory corruption that causes systemd-cryptsetup to crash
either when a single large password is used or when multiple passwords have
already been pushed to the keyring.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
(cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
---
src/shared/ask-password-api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index 072bf72..97a800f 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -81,7 +81,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
if (n < m)
break;
- explicit_bzero_safe(p, n);
+ explicit_bzero_safe(p, m);
free(p);
m *= 2;
}
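Review bot: Nothing at the `explicit_bzero_safe(p, m)` call records why `m` is the right length, and the one-character difference from `n` is easy to revert by mistake. A short comment stating that `n` is the size reported by the read and can exceed the `m` bytes allocated for `p` would protect the fix; a regression test with a key larger than the initial buffer would do the same.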
From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 21 May 2019 19:26:12 +0200
Subject: core: unset HOME=/ that the kernel gives us
Partially fixes #12389.
%h would return "/" in a machine, but "/root" in a container. Let's fix
this by resetting $HOME to the expected value.
(cherry picked from commit 9d48671c62de133a2b9fe7c31e70c0ff8e68f2db)
---
src/core/main.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/core/main.c b/src/core/main.c
index 561f956..bc7fcc6 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1503,6 +1503,11 @@ static int fixup_environment(void) {
if (setenv("TERM", t, 1) < 0)
return -errno;
+ /* The kernels sets HOME=/ for init. Let's undo this. */
+ if (path_equal_ptr(getenv("HOME"), "/") &&
+ unsetenv("HOME") < 0)
+ log_warning_errno(errno, "Failed to unset $HOME: %m");
+
return 0;
}
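Review bot: A failed `unsetenv("HOME")` is only logged with `log_warning_errno()`, while the `setenv("TERM", t, 1)` failure directly above returns `-errno`, so the two environment fixups in `fixup_environment()` handle errors differently. If continuing is intended, say so in the comment; otherwise return the error. The comment also has a typo: "The kernels sets" should read "The kernel sets".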
......@@ -19,10 +19,10 @@ Bug-Debian: https://bugs.debian.org/815020
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
index 561f956..9ab9024 100644
index bc7fcc6..87bee9f 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2454,8 +2454,6 @@ int main(int argc, char *argv[]) {
@@ -2459,8 +2459,6 @@ int main(int argc, char *argv[]) {
kernel_timestamp = DUAL_TIMESTAMP_NULL;
}
......
......@@ -239,10 +239,10 @@ index 0000000..b7ad58d
+
+</refentry>
diff --git a/meson.build b/meson.build
index d340736..d4887d5 100644
index 3afe168..b340139 100644
--- a/meson.build
+++ b/meson.build
@@ -2395,6 +2395,14 @@ executable('systemd-makefs',
@@ -2396,6 +2396,14 @@ executable('systemd-makefs',
install : true,
install_dir : rootlibexecdir)
......
From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 21 May 2019 19:31:49 +0200
Subject: man: add note that %h/%u/%U are mostly useless
Fixes #12389.
(cherry picked from commit b4e2407716731d1ce099bad1c2778f7a4424ed2e)
---
man/systemd.unit.xml | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index f21f9ea..be6355d 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1580,7 +1580,9 @@
<row>
<entry><literal>%h</literal></entry>
<entry>User home directory</entry>
- <entry>This is the home directory of the user running the service manager instance. In case of the system manager this resolves to <literal>/root</literal>.</entry>
+ <entry>This is the home directory of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>/root</literal>.
+
+Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
</row>
<row>
<entry><literal>%H</literal></entry>
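Review bot: The added note calls `%h` "this setting", but `%h` is a specifier and `User=` is the setting; "this specifier" would avoid the ambiguity. The blank line placed inside `<entry>` is only whitespace in the XML source, so if a separate paragraph is wanted, both sentences need to be wrapped in their own `<para>` elements.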
@@ -1670,12 +1672,16 @@
<row>
<entry><literal>%u</literal></entry>
<entry>User name</entry>
- <entry>This is the name of the user running the service manager instance. In case of the system manager this resolves to <literal>root</literal>.</entry>
+ <entry>This is the name of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>root</literal>.
+
+Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
</row>
<row>
<entry><literal>%U</literal></entry>
<entry>User UID</entry>
- <entry>This is the numeric UID of the user running the service manager instance. In case of the system manager this resolves to <literal>0</literal>.</entry>
+ <entry>This is the numeric UID of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>0</literal>.
+
+Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
</row>
<row>
<entry><literal>%v</literal></entry>
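Review bot: The `User=` sentence is now repeated verbatim in the `%h`, `%u` and `%U` rows, which leaves three copies to keep in sync. A single paragraph next to the table covering all three specifiers would state it once.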
From: Michael Biebl <biebl@debian.org>
Date: Thu, 18 Jul 2019 01:24:00 +0200
Subject: meson: make nologin path build time configurable
Some distros install nologin as /usr/sbin/nologin, others as
/sbin/nologin.
Since we can't really on merged-usr everywhere (where the path wouldn't
matter), make the path build time configurable via -Dnologin-path=.
Closes #13028
(cherry picked from commit 6db904625d413739c480ddbe7667d3f40acc4ae0)
---
man/nss-mymachines.xml | 4 ++--
man/sysusers.d.xml | 4 ++--
meson.build | 1 +
meson_options.txt | 1 +
src/basic/user-util.c | 4 ++--
src/nss-mymachines/nss-mymachines.c | 4 ++--
src/nss-systemd/nss-systemd.c | 4 ++--
src/sysusers/sysusers.c | 2 +-
src/test/test-user-util.c | 4 ++--
test/TEST-21-SYSUSERS/test-1.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-10.expected-passwd | 4 ++--
test/TEST-21-SYSUSERS/test-11.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-12.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-2.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-3.expected-passwd | 8 +++----
test/TEST-21-SYSUSERS/test-4.expected-passwd | 4 ++--
test/TEST-21-SYSUSERS/test-5.expected-passwd | 34 +++++++++++++--------------
test/TEST-21-SYSUSERS/test-6.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-7.expected-passwd | 10 ++++----
test/TEST-21-SYSUSERS/test-8.expected-passwd | 2 +-
test/TEST-21-SYSUSERS/test-9.expected-passwd | 4 ++--
test/TEST-21-SYSUSERS/test.sh | 9 ++++++-
22 files changed, 61 insertions(+), 52 deletions(-)
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
index 5742d89..5100cd0 100644
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@@ -101,8 +101,8 @@ MACHINE CLASS SERVICE OS VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
$ getent passwd vu-rawhide-0 vu-rawhide-81
-vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/sbin/nologin
-vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/sbin/nologin
+vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
+vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
$ getent group vg-rawhide-0 vg-rawhide-81
vg-rawhide-0:*:20119552:
diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml
index e47d36c..b470532 100644
--- a/man/sysusers.d.xml
+++ b/man/sysusers.d.xml
@@ -207,12 +207,12 @@ u root 0 "Superuser" /root /bin/zsh</pro
<title>Shell</title>
<para>The login shell of the user. If not specified, this will be set to
- <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
+ <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
which case <filename>/bin/sh</filename> will be used.</para>
<para>Only applies to lines of type <varname>u</varname> and should otherwise
be left unset (or <literal>-</literal>). It is recommended to omit this, unless
- a shell different <filename>/sbin/nologin</filename> must be used.</para>
+ a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
</refsect2>
</refsect1>
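Review bot: The man page text now hardcodes `/usr/sbin/nologin`, yet the same patch makes the path configurable with `-Dnologin-path=`, so the documentation is wrong for any build that sets a different path. Either substitute the configured value at build time or word it as the configured nologin path with `/usr/sbin/nologin` as the default. While touching the line, "a shell different `/usr/sbin/nologin`" is missing "from".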
diff --git a/meson.build b/meson.build
index d340736..3afe168 100644
--- a/meson.build
+++ b/meson.build
@@ -611,6 +611,7 @@ progs = [['quotaon', '/usr/sbin/quotaon' ],
['umount', '/usr/bin/umount', 'UMOUNT_PATH'],
['loadkeys', '/usr/bin/loadkeys', 'KBD_LOADKEYS'],
['setfont', '/usr/bin/setfont', 'KBD_SETFONT'],
+ ['nologin', '/usr/sbin/nologin', ],
]
foreach prog : progs
path = get_option(prog[0] + '-path')
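Review bot: The new entry `['nologin', '/usr/sbin/nologin', ],` ends with a comma and an empty third slot, while the three entries directly above name their macro explicitly (`'UMOUNT_PATH'`, `'KBD_LOADKEYS'`, `'KBD_SETFONT'`). The C changes in this patch depend on a macro called `NOLOGIN`, and nothing visible here shows that omitting the third element produces that name. Drop the stray comma and either add `'NOLOGIN'` explicitly or note the naming rule next to the list.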
diff --git a/meson_options.txt b/meson_options.txt
index 044bb79..6304511 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -43,6 +43,7 @@ option('mount-path', type : 'string', description : 'path to mount')
option('umount-path', type : 'string', description : 'path to umount')
option('loadkeys-path', type : 'string', description : 'path to loadkeys')
option('setfont-path', type : 'string', description : 'path to setfont')
+option('nologin-path', type : 'string', description : 'path to nologin')
option('debug-shell', type : 'string', value : '/bin/sh',
description : 'path to debug shell binary')
diff --git a/src/basic/user-util.c b/src/basic/user-util.c
index 260f3d2..78656d9 100644
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@@ -146,7 +146,7 @@ static int synthesize_user_creds(
*home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
if (shell)
- *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/sbin/nologin";
+ *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
return 0;
}
@@ -522,7 +522,7 @@ int get_shell(char **_s) {
}
if (synthesize_nobody() &&
u == UID_NOBODY) {
- s = strdup("/sbin/nologin");
+ s = strdup(NOLOGIN);
if (!s)
return -ENOMEM;
diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c
index 486a658..d576e69 100644
--- a/src/nss-mymachines/nss-mymachines.c
+++ b/src/nss-mymachines/nss-mymachines.c
@@ -501,7 +501,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
pwd->pw_gecos = buffer;
pwd->pw_passwd = (char*) "*"; /* locked */
pwd->pw_dir = (char*) "/";
- pwd->pw_shell = (char*) "/sbin/nologin";
+ pwd->pw_shell = (char*) NOLOGIN;
return NSS_STATUS_SUCCESS;
@@ -581,7 +581,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
pwd->pw_gecos = buffer;
pwd->pw_passwd = (char*) "*"; /* locked */
pwd->pw_dir = (char*) "/";
- pwd->pw_shell = (char*) "/sbin/nologin";
+ pwd->pw_shell = (char*) NOLOGIN;
return NSS_STATUS_SUCCESS;
diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
index f8db27a..0ca0e8d 100644
--- a/src/nss-systemd/nss-systemd.c
+++ b/src/nss-systemd/nss-systemd.c
@@ -23,7 +23,7 @@
#define DYNAMIC_USER_GECOS "Dynamic User"
#define DYNAMIC_USER_PASSWD "*" /* locked */
#define DYNAMIC_USER_DIR "/"
-#define DYNAMIC_USER_SHELL "/sbin/nologin"
+#define DYNAMIC_USER_SHELL NOLOGIN
static const struct passwd root_passwd = {
.pw_name = (char*) "root",
@@ -42,7 +42,7 @@ static const struct passwd nobody_passwd = {
.pw_gid = GID_NOBODY,
.pw_gecos = (char*) "User Nobody",
.pw_dir = (char*) "/",
- .pw_shell = (char*) "/sbin/nologin",
+ .pw_shell = (char*) NOLOGIN,
};
static const struct group root_group = {
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index df28bcf..91d46a7 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -361,7 +361,7 @@ static int rename_and_apply_smack(const char *temp_path, const char *dest_path)
}
static const char* default_shell(uid_t uid) {
- return uid == 0 ? "/bin/sh" : "/sbin/nologin";
+ return uid == 0 ? "/bin/sh" : NOLOGIN;
}
static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char **tmpfile_path) {
diff --git a/src/test/test-user-util.c b/src/test/test-user-util.c
index 801824a..2e303ad 100644
--- a/src/test/test-user-util.c
+++ b/src/test/test-user-util.c
@@ -205,8 +205,8 @@ int main(int argc, char *argv[]) {
test_get_user_creds_one("root", "root", 0, 0, "/root", "/bin/sh");
test_get_user_creds_one("0", "root", 0, 0, "/root", "/bin/sh");
- test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
- test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+ test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
+ test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
test_get_group_creds_one("root", "root", 0);
test_get_group_creds_one("0", "root", 0);
diff --git a/test/TEST-21-SYSUSERS/test-1.expected-passwd b/test/TEST-21-SYSUSERS/test-1.expected-passwd
index 8d0bfff..f59303b 100644
--- a/test/TEST-21-SYSUSERS/test-1.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-1.expected-passwd
@@ -1 +1 @@
-u1:x:222:222::/:/sbin/nologin
+u1:x:222:222::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-10.expected-passwd b/test/TEST-21-SYSUSERS/test-10.expected-passwd
index 222334b..ca2d764 100644
--- a/test/TEST-21-SYSUSERS/test-10.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-10.expected-passwd
@@ -1,2 +1,2 @@
-u1:x:300:300::/:/sbin/nologin
-u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+u1:x:300:300::/:NOLOGIN
+u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-11.expected-passwd b/test/TEST-21-SYSUSERS/test-11.expected-passwd
index 3f9ab39..737e43b 100644
--- a/test/TEST-21-SYSUSERS/test-11.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-11.expected-passwd
@@ -2,5 +2,5 @@ root:x:0:0:root:/root:/bin/bash
systemd-network:x:492:492:Systemd Network Management:/:/usr/sbin/nologin
systemd-resolve:x:491:491:Systemd Resolver:/:/usr/sbin/nologin
systemd-timesync:x:493:493:Systemd Time Synchronization:/:/usr/sbin/nologin
-u1:x:222:222::/:/sbin/nologin
+u1:x:222:222::/:NOLOGIN
+::::::
diff --git a/test/TEST-21-SYSUSERS/test-12.expected-passwd b/test/TEST-21-SYSUSERS/test-12.expected-passwd
index 75fe9b4..f076f3d 100644
--- a/test/TEST-21-SYSUSERS/test-12.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-12.expected-passwd
@@ -1,2 +1,2 @@
root:x:0:0:root:/root:/bin/bash
-systemd-coredump:x:1:1:systemd Core Dumper:/:/sbin/nologin
+systemd-coredump:x:1:1:systemd Core Dumper:/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-2.expected-passwd b/test/TEST-21-SYSUSERS/test-2.expected-passwd
index 9eeee5d..af80688 100644
--- a/test/TEST-21-SYSUSERS/test-2.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-2.expected-passwd
@@ -1,4 +1,4 @@
-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:/sbin/nologin
+u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:NOLOGIN
u2:x:777:777:some gecos:/random/dir:/bin/zsh
u3:x:778:778::/random/dir2:/bin/bash
u4:x:779:779::/:/bin/csh
diff --git a/test/TEST-21-SYSUSERS/test-3.expected-passwd b/test/TEST-21-SYSUSERS/test-3.expected-passwd
index a86954f..946303f 100644
--- a/test/TEST-21-SYSUSERS/test-3.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-3.expected-passwd
@@ -1,4 +1,4 @@
-foo:x:301:301::/:/sbin/nologin
-aaa:x:303:302::/:/sbin/nologin
-bbb:x:304:302::/:/sbin/nologin
-ccc:x:305:305::/:/sbin/nologin
+foo:x:301:301::/:NOLOGIN
+aaa:x:303:302::/:NOLOGIN
+bbb:x:304:302::/:NOLOGIN
+ccc:x:305:305::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-4.expected-passwd b/test/TEST-21-SYSUSERS/test-4.expected-passwd
index e0370a4..99d1048 100644
--- a/test/TEST-21-SYSUSERS/test-4.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-4.expected-passwd
@@ -1,2 +1,2 @@
-yyy:x:311:310::/:/sbin/nologin
-xxx:x:312:310::/:/sbin/nologin
+yyy:x:311:310::/:NOLOGIN
+xxx:x:312:310::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-5.expected-passwd b/test/TEST-21-SYSUSERS/test-5.expected-passwd
index 116b126..a83d566 100644
--- a/test/TEST-21-SYSUSERS/test-5.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-5.expected-passwd
@@ -1,18 +1,18 @@
root:x:0:0::/root:/bin/sh
-daemon:x:1:1::/usr/sbin:/sbin/nologin
-bin:x:2:2::/bin:/sbin/nologin
-sys:x:3:3::/dev:/sbin/nologin
-sync:x:4:65534::/bin:/sbin/nologin
-games:x:5:60::/usr/games:/sbin/nologin
-man:x:6:12::/var/cache/man:/sbin/nologin
-lp:x:7:7::/var/spool/lpd:/sbin/nologin
-mail:x:8:8::/var/mail:/sbin/nologin
-news:x:9:9::/var/spool/news:/sbin/nologin
-uucp:x:10:10::/var/spool/uucp:/sbin/nologin
-proxy:x:13:13::/bin:/sbin/nologin
-www-data:x:33:33::/var/www:/sbin/nologin
-backup:x:34:34::/var/backups:/sbin/nologin
-list:x:38:38::/var/list:/sbin/nologin
-irc:x:39:39::/var/run/ircd:/sbin/nologin
-gnats:x:41:41::/var/lib/gnats:/sbin/nologin
-nobody:x:65534:65534::/nonexistent:/sbin/nologin
+daemon:x:1:1::/usr/sbin:NOLOGIN
+bin:x:2:2::/bin:NOLOGIN
+sys:x:3:3::/dev:NOLOGIN
+sync:x:4:65534::/bin:NOLOGIN
+games:x:5:60::/usr/games:NOLOGIN
+man:x:6:12::/var/cache/man:NOLOGIN
+lp:x:7:7::/var/spool/lpd:NOLOGIN
+mail:x:8:8::/var/mail:NOLOGIN
+news:x:9:9::/var/spool/news:NOLOGIN
+uucp:x:10:10::/var/spool/uucp:NOLOGIN
+proxy:x:13:13::/bin:NOLOGIN
+www-data:x:33:33::/var/www:NOLOGIN
+backup:x:34:34::/var/backups:NOLOGIN
+list:x:38:38::/var/list:NOLOGIN
+irc:x:39:39::/var/run/ircd:NOLOGIN
+gnats:x:41:41::/var/lib/gnats:NOLOGIN
+nobody:x:65534:65534::/nonexistent:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-6.expected-passwd b/test/TEST-21-SYSUSERS/test-6.expected-passwd
index 5af9d11..ba55a13 100644
--- a/test/TEST-21-SYSUSERS/test-6.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-6.expected-passwd
@@ -1 +1 @@
-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-7.expected-passwd b/test/TEST-21-SYSUSERS/test-7.expected-passwd
index 79668c0..0c5d370 100644
--- a/test/TEST-21-SYSUSERS/test-7.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-7.expected-passwd
@@ -1,5 +1,5 @@
-bin:x:1:1::/:/sbin/nologin
-daemon:x:2:2::/:/sbin/nologin
-mail:x:8:12::/var/spool/mail:/sbin/nologin
-ftp:x:14:11::/srv/ftp:/sbin/nologin
-http:x:33:33::/srv/http:/sbin/nologin
+bin:x:1:1::/:NOLOGIN
+daemon:x:2:2::/:NOLOGIN
+mail:x:8:12::/var/spool/mail:NOLOGIN
+ftp:x:14:11::/srv/ftp:NOLOGIN
+http:x:33:33::/srv/http:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-8.expected-passwd b/test/TEST-21-SYSUSERS/test-8.expected-passwd
index 727b819..23e99f0 100644
--- a/test/TEST-21-SYSUSERS/test-8.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-8.expected-passwd
@@ -1 +1 @@
-username:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+username:x:SYSTEM_UID_MAX:300::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test-9.expected-passwd b/test/TEST-21-SYSUSERS/test-9.expected-passwd
index a23260f..0bffbcd 100644
--- a/test/TEST-21-SYSUSERS/test-9.expected-passwd
+++ b/test/TEST-21-SYSUSERS/test-9.expected-passwd
@@ -1,2 +1,2 @@
-user1:x:300:300::/:/sbin/nologin
-user2:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+user1:x:300:300::/:NOLOGIN
+user2:x:SYSTEM_UID_MAX:300::/:NOLOGIN
diff --git a/test/TEST-21-SYSUSERS/test.sh b/test/TEST-21-SYSUSERS/test.sh
index b1049e7..809653c 100755
--- a/test/TEST-21-SYSUSERS/test.sh
+++ b/test/TEST-21-SYSUSERS/test.sh
@@ -25,7 +25,14 @@ preprocess() {
# get this value from config.h, however the autopkgtest fails with
# it
SYSTEM_UID_MAX=$(awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs)
- sed "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" "$in"
+
+ # we can't rely on config.h to get the nologin path, as autopkgtest
+ # uses pre-compiled binaries, so extract it from the systemd-sysusers
+ # binary which we are about to execute
+ NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)
+
+ sed -e "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" \
+ -e "s#NOLOGIN#${NOLOGIN}#g" "$in"
}
compare() {
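Review bot: `NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)` takes every string in the binary that contains "nologin", so a second match (a log message or another path) gives a multi-line value and breaks the `sed -e "s#NOLOGIN#${NOLOGIN}#g"` expression. Anchor the match to a path ending in `/nologin` and stop at the first hit, quote the inner `$(type -p systemd-sysusers)`, and fail the test early if the result is empty.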
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 18 Feb 2019 15:00:15 +0900
Subject: network: check whether ipv6 is enabled in sysctl
Currently, the value is read only once.
Fixes #11711.
(cherry picked from commit 4b600505dda8af6c43496f9e93e420a192d9a38b)
---
src/network/networkd-link.c | 12 ++++++++++++
src/network/networkd-manager.c | 18 ++++++++++++++++++
src/network/networkd-manager.h | 4 ++++
3 files changed, 34 insertions(+)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 22392d7..322e701 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -51,6 +51,9 @@ static bool link_dhcp6_enabled(Link *link) {
if (!link->network)
return false;
+ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ return false;
+
return link->network->dhcp & ADDRESS_FAMILY_IPV6;
}
@@ -108,6 +111,9 @@ static bool link_ipv6ll_enabled(Link *link) {
if (streq_ptr(link->kind, "wireguard"))
return false;
+ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ return false;
+
return link->network->link_local & ADDRESS_FAMILY_IPV6;
}
@@ -120,6 +126,9 @@ static bool link_ipv6_enabled(Link *link) {
if (link->network->bridge)
return false;
+ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ return false;
+
/* DHCPv6 client will not be started if no IPv6 link-local address is configured. */
return link_ipv6ll_enabled(link) || network_has_static_ipv6_addresses(link->network);
}
@@ -199,6 +208,9 @@ static bool link_ipv6_forward_enabled(Link *link) {
if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
return false;
+ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ return false;
+
return link->network->ip_forward & ADDRESS_FAMILY_IPV6;
}
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index c8d369e..f32bc7f 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -23,6 +23,7 @@
#include "path-util.h"
#include "set.h"
#include "strv.h"
+#include "sysctl-util.h"
#include "tmpfile-util.h"
#include "virt.h"
@@ -1360,6 +1361,8 @@ int manager_new(Manager **ret) {
if (!m->state_file)
return -ENOMEM;
+ m->sysctl_ipv6_enabled = -1;
+
r = sd_event_default(&m->event);
if (r < 0)
return r;
@@ -1858,3 +1861,18 @@ int manager_request_product_uuid(Manager *m, Link *link) {
return 0;
}
+
+int manager_sysctl_ipv6_enabled(Manager *manager) {
+ _cleanup_free_ char *value = NULL;
+ int r;
+
+ if (manager->sysctl_ipv6_enabled >= 0)
+ return manager->sysctl_ipv6_enabled;
+
+ r = sysctl_read_ip_property(AF_INET6, "all", "disable_ipv6", &value);
+ if (r < 0)
+ return log_warning_errno(r, "Failed to read net.ipv6.conf.all.disable_ipv6 sysctl property: %m");
+
+ manager->sysctl_ipv6_enabled = value[0] == '0';
+ return manager->sysctl_ipv6_enabled;
+}
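Review bot: In `manager_sysctl_ipv6_enabled()` a failed `sysctl_read_ip_property()` returns the negative error without touching the cache, so every later call reads the sysctl again and logs the same warning, and since the callers test `== 0` the error is silently treated as IPv6 being enabled. A successful read is cached in `manager->sysctl_ipv6_enabled` and never refreshed, so a later change of `disable_ipv6` is not noticed. Document both behaviours at the function; for the error path, either cache a fallback value or lower the repeated message to debug level.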
diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
index 289ca96..d292d76 100644
--- a/src/network/networkd-manager.h
+++ b/src/network/networkd-manager.h
@@ -58,6 +58,8 @@ struct Manager {
Set *rules;
Set *rules_foreign;
Set *rules_saved;
+
+ int sysctl_ipv6_enabled;
};
extern const sd_bus_vtable manager_vtable[];
@@ -95,4 +97,6 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
int manager_dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
int manager_dhcp6_prefix_remove_all(Manager *m, Link *link);
+int manager_sysctl_ipv6_enabled(Manager *manager);
+
DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Thu, 9 May 2019 14:39:46 +0900
Subject: network: do not send ipv6 token to kernel
We disabled kernel RA support. Then, we should not send
IFLA_INET6_TOKEN.
Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice.
Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and
4eb086a38712ea98faf41e075b84555b11b54362.
(cherry picked from commit 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f)
---
src/network/networkd-link.c | 51 ++++++---------------------------------------
1 file changed, 6 insertions(+), 45 deletions(-)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 6445b94..ac76c86 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -1816,6 +1816,9 @@ static int link_configure_addrgen_mode(Link *link) {
assert(link->manager);
assert(link->manager->rtnl);
+ if (!socket_ipv6_is_supported())
+ return 0;
+
log_link_debug(link, "Setting address genmode for link");
r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
@@ -1917,46 +1920,6 @@ static int link_up(Link *link) {
return log_link_error_errno(link, r, "Could not set MAC address: %m");
}
- if (link_ipv6_enabled(link)) {
- uint8_t ipv6ll_mode;
-
- r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
-
- /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */
- r = sd_netlink_message_open_container(req, AF_INET6);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m");
-
- if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) {
- r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
- }
-
- if (!link_ipv6ll_enabled(link))
- ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
- else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
- /* The file may not exist. And event if it exists, when stable_secret is unset,
- * reading the file fails with EIO. */
- ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
- else
- ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
-
- r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
-
- r = sd_netlink_message_close_container(req);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
-
- r = sd_netlink_message_close_container(req);
- if (r < 0)
- return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m");
- }
-
r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler,
link_netlink_destroy_callback, link);
if (r < 0)
@@ -3044,11 +3007,9 @@ static int link_configure(Link *link) {
return r;
}
- if (socket_ipv6_is_supported()) {
- r = link_configure_addrgen_mode(link);
- if (r < 0)
- return r;
- }
+ r = link_configure_addrgen_mode(link);
+ if (r < 0)
+ return r;
return link_configure_after_setting_mtu(link);
}
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 11 Jun 2019 23:20:56 +0900
Subject: network: ignore requested ipv6 addresses when ipv6 is disabled by
sysctl
(cherry picked from commit 54a1a535bd60f13964bbddd8f381601e33e8e56f)
---
src/network/networkd-address.c | 7 ++++++-
src/network/networkd-link.c | 4 ++--
src/network/networkd-ndisc.c | 4 ++--
3 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
index 3cdbd9e..a9f65e5 100644
--- a/src/network/networkd-address.c
+++ b/src/network/networkd-address.c
@@ -565,6 +565,11 @@ int address_configure(
assert(link->manager->rtnl);
assert(callback);
+ if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+
/* If this is a new address, then refuse adding more than the limit */
if (address_get(link, address->family, &address->in_addr, address->prefixlen, NULL) <= 0 &&
set_size(link->addresses) >= ADDRESSES_PER_LINK_MAX)
@@ -669,7 +674,7 @@ int address_configure(
return log_error_errno(r, "Could not add address: %m");
}
- return 0;
+ return 1;
}
int config_parse_broadcast(
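Review bot: `address_configure()` now returns 0 when the address is skipped and 1 when a request was sent, but this contract is not documented at the function and only holds if every caller is updated. This patch adjusts `link_request_set_addresses()` and `ndisc_router_process_autonomous_prefix()`; any other caller that still increments a message counter unconditionally would wait for a reply that never arrives. Add a comment describing the return values at the definition and check the remaining call sites.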
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 322e701..638aae0 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -1123,8 +1123,8 @@ static int link_request_set_addresses(Link *link) {
link_enter_failed(link);
return r;
}
-
- link->address_messages++;
+ if (r > 0)
+ link->address_messages++;
}
LIST_FOREACH(labels, label, link->network->address_labels) {
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index e5b8d11..78c98a0 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -205,8 +205,8 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r
link_enter_failed(link);
return r;
}
-
- link->ndisc_messages++;
+ if (r > 0)
+ link->ndisc_messages++;
return 0;
}
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 11 Jun 2019 23:26:11 +0900
Subject: network: ignore requested ipv6 route when ipv6 is disabled by sysctl
(cherry picked from commit c442331750a2a9711036080f7590e190b9b0eb54)
---
src/network/networkd-link.c | 4 ++--
src/network/networkd-ndisc.c | 12 ++++++------
src/network/networkd-route.c | 7 ++++++-
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 638aae0..5a181c2 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -840,8 +840,8 @@ static int link_request_set_routes(Link *link) {
link_enter_failed(link);
return r;
}
-
- link->route_messages++;
+ if (r > 0)
+ link->route_messages++;
}
if (link->route_messages == 0) {
diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
index 78c98a0..36fbe29 100644
--- a/src/network/networkd-ndisc.c
+++ b/src/network/networkd-ndisc.c
@@ -117,8 +117,8 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
link_enter_failed(link);
return r;
}
-
- link->ndisc_messages++;
+ if (r > 0)
+ link->ndisc_messages++;
return 0;
}
@@ -255,8 +255,8 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
link_enter_failed(link);
return r;
}
-
- link->ndisc_messages++;
+ if (r > 0)
+ link->ndisc_messages++;
return 0;
}
@@ -316,8 +316,8 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
link_enter_failed(link);
return r;
}
-
- link->ndisc_messages++;
+ if (r > 0)
+ link->ndisc_messages++;
return 0;
}
diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
index 5553a7e..5b7e019 100644
--- a/src/network/networkd-route.c
+++ b/src/network/networkd-route.c
@@ -509,6 +509,11 @@ int route_configure(
assert(IN_SET(route->family, AF_INET, AF_INET6));
assert(callback);
+ if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+
if (route_get(link, route->family, &route->dst, route->dst_prefixlen, route->tos, route->priority, route->table, NULL) <= 0 &&
set_size(link->routes) >= routes_max())
return -E2BIG;
@@ -675,7 +680,7 @@ int route_configure(
sd_event_source_unref(route->expire);
route->expire = TAKE_PTR(expire);
- return 0;
+ return 1;
}
int config_parse_gateway(
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Tue, 11 Jun 2019 23:29:57 +0900
Subject: network: ignore requested ipv6 routing policy rule when ipv6 is
disabled by sysctl
(cherry picked from commit 7ef7e5509b637e660e89ba8a938930ec01de6e54)
---
src/network/networkd-link.c | 4 ++--
src/network/networkd-routing-policy-rule.c | 7 ++++++-
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 5a181c2..13852af 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -765,8 +765,8 @@ static int link_request_set_routing_policy_rule(Link *link) {
link_enter_failed(link);
return r;
}
-
- link->routing_policy_rule_messages++;
+ if (r > 0)
+ link->routing_policy_rule_messages++;
}
routing_policy_rule_purge(link->manager, link);
diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
index 65a9af2..0b62a0e 100644
--- a/src/network/networkd-routing-policy-rule.c
+++ b/src/network/networkd-routing-policy-rule.c
@@ -492,6 +492,11 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
assert(link->manager);
assert(link->manager->rtnl);
+ if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+
r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
if (r < 0)
return log_error_errno(r, "Could not allocate RTM_NEWRULE message: %m");
@@ -609,7 +614,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
if (r < 0)
return log_error_errno(r, "Could not add rule: %m");
- return 0;
+ return 1;
}
static int parse_fwmark_fwmask(const char *s, uint32_t *fwmark, uint32_t *fwmask) {
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Fri, 14 Jun 2019 09:42:51 +0900
Subject: network: read link specific sysctl value
This introduces link_sysctl_ipv6_enabled() and replaces
manager_sysctl_ipv6_enabled() with it.
(cherry picked from commit bafa9641446852f7fa15ca12d08a223d345c78ea)
---
src/network/networkd-address.c | 2 +-
src/network/networkd-link.c | 24 ++++++++++++++++++++----
src/network/networkd-link.h | 4 ++++
src/network/networkd-manager.c | 17 -----------------
src/network/networkd-manager.h | 4 ----
src/network/networkd-route.c | 2 +-
src/network/networkd-routing-policy-rule.c | 2 +-
7 files changed, 27 insertions(+), 28 deletions(-)
diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
index a9f65e5..e0ee896 100644
--- a/src/network/networkd-address.c
+++ b/src/network/networkd-address.c
@@ -565,7 +565,7 @@ int address_configure(
assert(link->manager->rtnl);
assert(callback);
- if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ if (address->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
return 0;
}
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 13852af..3cfdf4a 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -28,6 +28,7 @@
#include "stdio-util.h"
#include "string-table.h"
#include "strv.h"
+#include "sysctl-util.h"
#include "tmpfile-util.h"
#include "util.h"
#include "virt.h"
@@ -39,6 +40,20 @@ DUID* link_get_duid(Link *link) {
return &link->manager->duid;
}
+int link_sysctl_ipv6_enabled(Link *link) {
+ _cleanup_free_ char *value = NULL;
+ int r;
+
+ r = sysctl_read_ip_property(AF_INET6, link->ifname, "disable_ipv6", &value);
+ if (r < 0)
+ return log_link_warning_errno(link, r,
+ "Failed to read net.ipv6.conf.%s.disable_ipv6 sysctl property: %m",
+ link->ifname);
+
+ link->sysctl_ipv6_enabled = value[0] == '0';
+ return link->sysctl_ipv6_enabled;
+}
+
static bool link_dhcp6_enabled(Link *link) {
assert(link);
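Review bot: link_sysctl_ipv6_enabled() stores its result in `link->sysctl_ipv6_enabled` but never reads it back, so the field (and its `-1` initialiser in link_new()) is write-only here. The manager-level function it replaces returned the cached value when it was `>= 0`; this one rereads /proc/sys on every call, and it is called from link_dhcp6_enabled(), link_ipv6ll_enabled(), link_ipv6_enabled(), link_ipv6_forward_enabled() and the three *_configure() functions. Either drop the field or document that rereading is deliberate (for example to follow runtime sysctl changes). Two smaller points: the function dereferences `link->ifname` without an `assert(link)`, and on a read failure it logs a warning and returns a negative value that every `== 0` caller treats as "enabled", so a persistent failure repeats the warning on each call.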
@@ -51,7 +66,7 @@ static bool link_dhcp6_enabled(Link *link) {
if (!link->network)
return false;
- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ if (link_sysctl_ipv6_enabled(link) == 0)
return false;
return link->network->dhcp & ADDRESS_FAMILY_IPV6;
@@ -111,7 +126,7 @@ static bool link_ipv6ll_enabled(Link *link) {
if (streq_ptr(link->kind, "wireguard"))
return false;
- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ if (link_sysctl_ipv6_enabled(link) == 0)
return false;
return link->network->link_local & ADDRESS_FAMILY_IPV6;
@@ -126,7 +141,7 @@ static bool link_ipv6_enabled(Link *link) {
if (link->network->bridge)
return false;
- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ if (link_sysctl_ipv6_enabled(link) == 0)
return false;
/* DHCPv6 client will not be started if no IPv6 link-local address is configured. */
@@ -208,7 +223,7 @@ static bool link_ipv6_forward_enabled(Link *link) {
if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
return false;
- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ if (link_sysctl_ipv6_enabled(link) == 0)
return false;
return link->network->ip_forward & ADDRESS_FAMILY_IPV6;
@@ -476,6 +491,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
.rtnl_extended_attrs = true,
.ifindex = ifindex,
.iftype = iftype,
+ .sysctl_ipv6_enabled = -1,
};
link->ifname = strdup(ifname);
diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h
index dcb1ea6..6adea64 100644
--- a/src/network/networkd-link.h
+++ b/src/network/networkd-link.h
@@ -128,6 +128,8 @@ typedef struct Link {
Hashmap *bound_by_links;
Hashmap *bound_to_links;
+
+ int sysctl_ipv6_enabled;
} Link;
typedef int (*link_netlink_message_handler_t)(sd_netlink*, sd_netlink_message*, Link*);
@@ -209,6 +211,8 @@ int link_send_changed(Link *link, const char *property, ...) _sentinel_;
#define LOG_LINK_MESSAGE(link, fmt, ...) "MESSAGE=%s: " fmt, (link)->ifname, ##__VA_ARGS__
#define LOG_LINK_INTERFACE(link) "INTERFACE=%s", (link)->ifname
+int link_sysctl_ipv6_enabled(Link *link);
+
#define ADDRESS_FMT_VAL(address) \
be32toh((address).s_addr) >> 24, \
(be32toh((address).s_addr) >> 16) & 0xFFu, \
diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
index f32bc7f..acb9a75 100644
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@@ -1361,8 +1361,6 @@ int manager_new(Manager **ret) {
if (!m->state_file)
return -ENOMEM;
- m->sysctl_ipv6_enabled = -1;
-
r = sd_event_default(&m->event);
if (r < 0)
return r;
@@ -1861,18 +1859,3 @@ int manager_request_product_uuid(Manager *m, Link *link) {
return 0;
}
-
-int manager_sysctl_ipv6_enabled(Manager *manager) {
- _cleanup_free_ char *value = NULL;
- int r;
-
- if (manager->sysctl_ipv6_enabled >= 0)
- return manager->sysctl_ipv6_enabled;
-
- r = sysctl_read_ip_property(AF_INET6, "all", "disable_ipv6", &value);
- if (r < 0)
- return log_warning_errno(r, "Failed to read net.ipv6.conf.all.disable_ipv6 sysctl property: %m");
-
- manager->sysctl_ipv6_enabled = value[0] == '0';
- return manager->sysctl_ipv6_enabled;
-}
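Review bot: removing manager_sysctl_ipv6_enabled() means `net.ipv6.conf.all.disable_ipv6` is no longer read anywhere; the replacement only reads `net.ipv6.conf.<ifname>.disable_ipv6`. The commit message should state why the per-interface key alone is sufficient when an administrator has set only the `all` key, since that is the configuration the earlier patches in this series were written for.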
diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
index d292d76..289ca96 100644
--- a/src/network/networkd-manager.h
+++ b/src/network/networkd-manager.h
@@ -58,8 +58,6 @@ struct Manager {
Set *rules;
Set *rules_foreign;
Set *rules_saved;
-
- int sysctl_ipv6_enabled;
};
extern const sd_bus_vtable manager_vtable[];
@@ -97,6 +95,4 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
int manager_dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
int manager_dhcp6_prefix_remove_all(Manager *m, Link *link);
-int manager_sysctl_ipv6_enabled(Manager *manager);
-
DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
index 5b7e019..67b0ab4 100644
--- a/src/network/networkd-route.c
+++ b/src/network/networkd-route.c
@@ -509,7 +509,7 @@ int route_configure(
assert(IN_SET(route->family, AF_INET, AF_INET6));
assert(callback);
- if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ if (route->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
return 0;
}
diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
index 0b62a0e..2378ed2 100644
--- a/src/network/networkd-routing-policy-rule.c
+++ b/src/network/networkd-routing-policy-rule.c
@@ -492,7 +492,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
assert(link->manager);
assert(link->manager->rtnl);
- if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ if (rule->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
return 0;
}
From: Susant Sahani <ssahani@gmail.com>
Date: Thu, 9 May 2019 07:35:35 +0530
Subject: networkd: fix link_up() (#12505)
Fill up IFLA_INET6_ADDR_GEN_MODE while we do link_up.
Fixes the following error:
```
dummy-test: Could not bring up interface: Invalid argument
```
After reading the kernel code when we do a link up
```
net/core/rtnetlink.c
IFLA_AF_SPEC
af_ops->set_link_af(dev, af);
inet6_set_link_af
if (tb[IFLA_INET6_ADDR_GEN_MODE])
Here it looks for IFLA_INET6_ADDR_GEN_MODE
```
Since we weren't filling that in on link up, it's failing.
Closes #12504.
(cherry picked from commit 4eb086a38712ea98faf41e075b84555b11b54362)
---
src/network/networkd-link.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
index 3cfdf4a..6445b94 100644
--- a/src/network/networkd-link.c
+++ b/src/network/networkd-link.c
@@ -1918,6 +1918,8 @@ static int link_up(Link *link) {
}
if (link_ipv6_enabled(link)) {
+ uint8_t ipv6ll_mode;
+
r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
if (r < 0)
return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
@@ -1933,6 +1935,19 @@ static int link_up(Link *link) {
return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
}
+ if (!link_ipv6ll_enabled(link))
+ ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
+ else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
+ /* The file may not exist. And event if it exists, when stable_secret is unset,
+ * reading the file fails with EIO. */
+ ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
+ else
+ ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+
+ r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
+
r = sd_netlink_message_close_container(req);
if (r < 0)
return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
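Review bot: the `else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)` branch in link_up() maps every failure to IN6_ADDR_GEN_MODE_EUI64, not just the two cases the comment names (file missing, EIO when unset). An unrelated error such as an allocation failure would therefore quietly select EUI64 addressing, which embeds the MAC address, even though a stable secret is configured. Consider falling back only on the expected errno values and logging anything else. The comment also has a typo: "event if" should be "even if".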
......@@ -19,6 +19,18 @@ pam-systemd-use-secure_getenv-rather-than-getenv.patch
journal-remote-do-not-request-Content-Length-if-Transfer-.patch
systemctl-restore-systemctl-reboot-ARG-functionality.patch
random-util-eat-up-bad-RDRAND-values-seen-on-AMD-CPUs.patch
ask-password-prevent-buffer-overflow-when-reading-from-ke.patch
core-unset-HOME-that-the-kernel-gives-us.patch
man-add-note-that-h-u-U-are-mostly-useless.patch
sysctl-util-add-sysctl_read_ip_property.patch
network-check-whether-ipv6-is-enabled-in-sysctl.patch
network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch
network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch
network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch
network-read-link-specific-sysctl-value.patch
networkd-fix-link_up-12505.patch
network-do-not-send-ipv6-token-to-kernel.patch
meson-make-nologin-path-build-time-configurable.patch
debian/Use-Debian-specific-config-files.patch
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
debian/Make-run-lock-tmpfs-an-API-fs.patch
......
From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Mon, 18 Feb 2019 14:41:43 +0900
Subject: sysctl-util: add sysctl_read_ip_property()
(cherry picked from commit a6b3b0aace152b77682d68d99b3e41580c955efb)
---
src/shared/sysctl-util.c | 22 ++++++++++++++++++++++
src/shared/sysctl-util.h | 1 +
2 files changed, 23 insertions(+)
diff --git a/src/shared/sysctl-util.c b/src/shared/sysctl-util.c
index 480e6c3..ba89489 100644
--- a/src/shared/sysctl-util.c
+++ b/src/shared/sysctl-util.c
@@ -69,3 +69,25 @@ int sysctl_read(const char *property, char **content) {
p = strjoina("/proc/sys/", property);
return read_full_file(p, content, NULL);
}
+
+int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret) {
+ _cleanup_free_ char *value = NULL;
+ const char *p;
+ int r;
+
+ assert(IN_SET(af, AF_INET, AF_INET6));
+ assert(property);
+
+ p = strjoina("/proc/sys/net/ipv", af == AF_INET ? "4" : "6",
+ ifname ? "/conf/" : "", strempty(ifname),
+ property[0] == '/' ? "" : "/", property);
+
+ r = read_one_line_file(p, &value);
+ if (r < 0)
+ return r;
+
+ if (ret)
+ *ret = TAKE_PTR(value);
+
+ return r;
+}
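Review bot: when `ret` is NULL, sysctl_read_ip_property() still reads the whole line into `value` and lets `_cleanup_free_` release it. The link_up() patch in this series calls it that way for `stable_secret`, so the secret is copied to the heap and freed without being erased just to learn whether it is set; consider wiping the buffer before it is freed in that case. Separately, `ifname` is spliced into the /proc/sys path with no check on its contents while `af` and `property` are asserted, and the header gives no comment on the return value (the function passes through whatever read_one_line_file() returns on success). A short doc comment and an assertion on `ifname` would make the contract explicit.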
diff --git a/src/shared/sysctl-util.h b/src/shared/sysctl-util.h
index fd7c78b..22f52f8 100644
--- a/src/shared/sysctl-util.h
+++ b/src/shared/sysctl-util.h
@@ -5,3 +5,4 @@ char *sysctl_normalize(char *s);
int sysctl_read(const char *property, char **value);
int sysctl_write(const char *property, const char *value);
+int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
......@@ -49,6 +49,7 @@ CONFFLAGS = \
-Dumount-path=/bin/umount \
-Dloadkeys-path=/bin/loadkeys \
-Dsetfont-path=/bin/setfont \
-Dnologin-path=/usr/sbin/nologin \
-Dtelinit-path=/lib/sysvinit/telinit \
-Dsysvinit-path=/etc/init.d \
-Dsysvrcnd-path=/etc \
......