Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

`stat` doesn't work well due `coreutils-gplv2`
created by Debos returning "?" instead of mount point.
Fall back to the provided directory, since we have separate
partition for "/boot/efi".
This change allow to use correct paths for kernel and initrd
for entry generation.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Update names for entry directories variables and fix options count.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

`kernel-install` pass 5 args to modules anyway, so empty argument
do not allow to install the initrd file into boot entry directory.
Since we do not pass the initrd name via options module
`90-loaderentry.install` also skip the initrd copying and setup.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Fix parameters assignment in `kernel-install` while calling
from `update-initramfs` or any package update except kernel.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Commit [cf73f650890](https://github.com/systemd/systemd/commit/cf73f650890

)
provides script `00-entry-directory.install` which creates the entry
directory only if `$BOOT/$MACHINE_ID` folder exists.
This part was moved out of `kernel-install` script and may introduce
the problem during upgrade since before Apertis v2022dev2 we do kernel
install with `$MACHINE_ID` generated in a build time. Later we remove
`/etc/machine-id` file allowing to generate an unique machine ID during
first boot, so there will be no directory `$BOOT/$MACHINE_ID` with a new
ID preventing from new entry generation during kernel upgrade in runtime.
Hence remove the part checking the `$BOOT/$MACHINE_ID` existence and
allow to create the proper entry in any case, returning the previous
`kernel-install` behaviour.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Remove negotiation from `-z` to test for non-emptiness instead of
previously added version reversing those tests logic.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

- Use [ not [[ and -n to test for non-emptiness

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Fixed syntax of kernel-install script introduced during
the merge with newer version from bullseye.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Apertis CI <devel@lists.apertis.org>

To follow the Apertis guidelines, which chooses OpenSSL as TLS stack, switch
systemd to be build against it.

In the same line drop systemd-journal-remote and its dependency
libmicrohttpd-dev since it can only be built against GnuTLS but has no value
for Apertis.

Signed-off-by: Walter Lozano <walter.lozano@collabora.com>

Signed-off-by: Sjoerd simons <sjoerd@collabora.com>

- Drop patches from upstream
- Refresh remainder

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Debian's systemd has split-usr enabled as both Debian and in principle Apertis
support both a split and a merged-usr setup. This mostly adds search paths to
system (e.g. to look at both `/bin/` and `/usr/bin`) however it also means that
if `/usr` is a mountpoint system will try to unmount it.  Unfortunately this causes
issues at shutdown for systems with a merged-usr layout as basic libraries (e.g. libc)
are located in `/usr` making it impossible to unmount.

For Apertis we don't support `/usr` being a seperate partition, the only time
`/usr` is on a mountpoint is when using ostree images (where it is a bind mount
and which use a merged-usr layout). So also add `/usr` to the list of paths that
are considered unmountable even with split-usr support enabled in systemd.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Drop below patch which is now part of this upstream release

apertis/0101-basic-cap-list-parse-print-numerical-capabilities.patch

Dropped the below mentioned patches as they are not needed any more

apertis/0103-basic-cap-list-reduce-scope-of-variables.patch
apertis/0102-basic-capability-util-let-cap_last_cap-return-unsign.patch

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

systemd (241-7~deb10u6) buster; urgency=medium

  * journal: do not trigger assertion when journal_file_close() get NULL
    (Closes: #975561)
  * test-bpf: skip test when run inside containers.
    The test reliably fails inside LXC and Docker when run on a new enough
    kernel. It's unclear whether this is a kernel, LXC/Docker or systemd
    issue and apparently there is no real interest to get this fixed, so
    let's skip this test.
  * autopkgtest: mark networkd-test.py as flaky.
    See https://github.com/systemd/systemd/issues/18357
    and https://github.com/systemd/systemd/issues/18196

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

The problem with failed `/var` unmount placed on separate partition
have a long story: https://github.com/systemd/systemd/issues/867
According messages after the fix integrated into upstream -- there are
some corner cases which aren't fully fixed by patches adding [relinquish
options](!26

)

In case of ostree-based images we have a similar issue since `/var` is
bind-mounted in initramfs. Systemd is trying to unmount `/var` on
shutdown, however `ExecStop=` command from `systemd-journal-flush`
service is not executed during shutdown.
By adding `PartOf=var.mount` into service file we force the
`systemd-journal-flush.service` to be called prior the `/var` unmount.
This allow to unlock the bind-mount, since `journald` have a chance to
re-link it's journal into `/run` with `journalctl
--smart-relinquish-var` call.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

Backported PR 16424 to avoid message
'Failed to parse bus message: Invalid argument'
with an updated kernel using new capabilities.

Signed-off-by: Denis Pynkin <denis.pynkin@collabora.com>

systemd (241-7~deb10u5) buster; urgency=medium

  * basic/cap-list: parse/print numerical capabilities (Closes: #964926)
  * missing: add new Linux capabilities.
    Linux kernel v5.8 adds two new capabilities. Make sure we can recognize
    them even when built with an older kernel.
  * networkd: do not generate MAC for bridge device (Closes: #963488)

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

systemd-boot selects the last valid entry by default, not the first, which
prevent correct rollback.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

Newer version of systemd-journald support the --relinquish and
--smart-relinquish options that enable cleaner handling of mounts at
shutdown as journald can be told to close any logging under
/var/log/journal so that the /var filesystem can be unmounted should it be
on a separate partition.

Backport this feature as it enables shutdown without failures, a highly
desirable trait in embedded products using systemd.

The significant changes from the upstream patches are:

* Including `util.h` rather than `errno-util.h`, as the functionality
  hasn't been split out into a separate header file in our version.
  https://gitlab.apertis.org/pkg/target/systemd/-/merge_requests/26/diffs#10b30dfe96faf3663f42076bdb4984ccdea14817_0_88
- Adding `ERRNO_IS_ACCEPT_AGAIN` to `varlink.c` (the header file it's
  expected to be in doesn't exist in our version)
  https://gitlab.apertis.org/pkg/target/systemd/-/merge_requests/26/diffs#10b30dfe96faf3663f42076bdb4984ccdea14817_0_93
- Working around the changed parameters for
  `JSON_VARIANT_OBJECT_FOREACH`, adding a call to
  `json_variant_string()`, based on how upstream was modified when the
  macro changed
  https://gitlab.apertis.org/pkg/target/systemd/-/merge_requests/26/diffs#10b30dfe96faf3663f42076bdb4984ccdea14817_0_772
- Expanding the code around `inotify_add_watch()` which got factored out
  to a function in newer versions of systemd
  https://gitlab.apertis.org/pkg/target/systemd/-/merge_requests/26/diffs#f4174ac09c9ebd5278fe22a02b6207223a00f92e_0_74



Signed-off-by: Martyn Welch <martyn.welch@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.com>

Signed-off-by: Ritesh Raj Sarraf <ritesh.sarraf@collabora.co.uk>

systemd (241-7~deb10u4) buster; urgency=medium

  * polkit: when authorizing via PolicyKit re-resolve callback/userdata
    instead of caching it.
    This fixes a heap use-after-free vulnerability in systemd, when
    asynchronous PolicyKit queries are performed while handling DBus messages.
    CVE-2020-1712 (Closes: #950732)
  * Install 60-block.rules in udev-udeb and initramfs-tools.
    The block device rules were split out from 60-persistent-storage.rules
    into its own rules file in v220. Those rules ensure that change events
    are emitted and the udev db is updated after metadata changes.
    Thanks to Pascal Hambourg (Closes: #958397)

systemd (241-7~deb10u3) buster; urgency=medium

  * core: set fs.file-max sysctl to LONG_MAX rather than ULONG_MAX.
    Since kernel 5.2 (but also stable kernels like 4.19.53) the kernel
    thankfully returns proper errors when we write a value out of range to
    the sysctl. Which however breaks writing ULONG_MAX to request the
    maximum value. Hence let's write the new maximum value instead,
    LONG_MAX. (Closes: #945018)
  * core: change ownership/mode of the execution directories also for static
    users.
    This ensures that execution directories like CacheDirectory and
    StateDirectory are properly chowned to the user specified in User= before
    launching the service. (Closes: #919231)

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Updating fails with the following error:
dpkg: error processing archive /var/cache/apt/archives/systemd_241-7~deb10u1co3bv2021dev0b3_amd64.deb (--unpack):
 trying to overwrite '/etc/apparmor.d/lib.systemd.systemd-logind', which is also in package chaiwala-apparmor-profiles 1.2019.2bv2021dev0b1

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

Move apparmor profile from apertis-customization to the package it is
related to.

Signed-off-by: Frédéric Danis <frederic.danis@collabora.com>

systemd (241-7~deb10u2) buster; urgency=medium

  * core: never propagate reload failure to service result.
    Fixes a regression introduced in v239 where the main process of a
    service unit gets killed on reload if ExecReload fails. (Closes: #936032)
  * shared/seccomp: add sync_file_range2.
    Some architectures need the arguments to be reordered because of alignment
    issues. Otherwise, it's the same as sync_file_range.
    Fixes sync_file_range failures in nspawn containers on arm, ppc.
    (Closes: #935091)
  * core: factor root_directory application out of apply_working_directory.
    Fixes RootDirectory not working when used in combination with User.
    (Closes: #939408)
  * shared/bus-util: drop trusted annotation from
    bus_open_system_watch_bind_with_description().
    This ensures that access controls on systemd-resolved's D-Bus interface
    are enforced properly.
    (CVE-2019-15718, Closes: #939353)
  * login: add a missing error check for session_set_leader()
    Fixes assertion due to insufficient function return check.
    (Closes: #939998)
  * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network devices
    (Closes: #934589)
  * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by user-space
  * namespace: make MountFlags=shared work again (Closes: #939551)
  * mount/generators: do not make unit wanted by its device unit.
    Among other things, this fixes StopWhenUnneeded=true being broken for
    mount units. (Closes: #941758)

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>