Import Debian changes 241-7~deb10u2

systemd (241-7~deb10u2) buster; urgency=medium

  * core: never propagate reload failure to service result.
    Fixes a regression introduced in v239 where the main process of a
    service unit gets killed on reload if ExecReload fails. (Closes: #936032)
  * shared/seccomp: add sync_file_range2.
    Some architectures need the arguments to be reordered because of alignment
    issues. Otherwise, it's the same as sync_file_range.
    Fixes sync_file_range failures in nspawn containers on arm, ppc.
    (Closes: #935091)
  * core: factor root_directory application out of apply_working_directory.
    Fixes RootDirectory not working when used in combination with User.
    (Closes: #939408)
  * shared/bus-util: drop trusted annotation from
    bus_open_system_watch_bind_with_description().
    This ensures that access controls on systemd-resolved's D-Bus interface
    are enforced properly.
    (CVE-2019-15718, Closes: #939353)
  * login: add a missing error check for session_set_leader()
    Fixes assertion due to insufficient function return check.
    (Closes: #939998)
  * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network devices
    (Closes: #934589)
  * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by user-space
  * namespace: make MountFlags=shared work again (Closes: #939551)
  * mount/generators: do not make unit wanted by its device unit.
    Among other things, this fixes StopWhenUnneeded=true being broken for
    mount units. (Closes: #941758)

debian/changelog

+systemd (241-7~deb10u2) buster; urgency=medium
+
+  * core: never propagate reload failure to service result.
+    Fixes a regression introduced in v239 where the main process of a
+    service unit gets killed on reload if ExecReload fails. (Closes: #936032)
+  * shared/seccomp: add sync_file_range2.
+    Some architectures need the arguments to be reordered because of alignment
+    issues. Otherwise, it's the same as sync_file_range.
+    Fixes sync_file_range failures in nspawn containers on arm, ppc.
+    (Closes: #935091)
+  * core: factor root_directory application out of apply_working_directory.
+    Fixes RootDirectory not working when used in combination with User.
+    (Closes: #939408)
+  * shared/bus-util: drop trusted annotation from
+    bus_open_system_watch_bind_with_description().
+    This ensures that access controls on systemd-resolved's D-Bus interface
+    are enforced properly.
+    (CVE-2019-15718, Closes: #939353)
+  * login: add a missing error check for session_set_leader()
+    Fixes assertion due to insufficient function return check.
+    (Closes: #939998)
+  * d/e/r/73-usb-net-by-mac.rules: import net.ifnames only for network devices
+    (Closes: #934589)
+  * d/e/r/73-usb-net-by-mac.rules: skip if iface name was provided by user-space
+  * namespace: make MountFlags=shared work again (Closes: #939551)
+  * mount/generators: do not make unit wanted by its device unit.
+    Among other things, this fixes StopWhenUnneeded=true being broken for
+    mount units. (Closes: #941758)
+
+ -- Michael Biebl <biebl@debian.org>  Wed, 16 Oct 2019 15:24:54 +0200
+
 systemd (241-7~deb10u1) buster; urgency=medium
 
   * Rebuild for buster

debian/extra/rules/73-usb-net-by-mac.rules

 # Use MAC based names for network interfaces which are directly or indirectly
 # on USB and have an universally administered (stable) MAC address (second bit
 # is 0). Don't do this when ifnames is disabled via kernel command line or
-# customizing/disabling 99-default.link (or previously 80-net-setup-link.rules).
+# customizing/disabling 99-default.link (or previously 80-net-setup-link.rules)
+# or if the interface name was provided by user-space.
+
+ACTION=="remove", GOTO="usb_net_by_mac_end"
+SUBSYSTEM!="net", GOTO="usb_net_by_mac_end"
+ATTR{name_assign_type}=="3", GOTO="usb_net_by_mac_end"
 
 IMPORT{cmdline}="net.ifnames"
 ENV{net.ifnames}=="0", GOTO="usb_net_by_mac_end"
 
-ACTION=="add", SUBSYSTEM=="net", SUBSYSTEMS=="usb", NAME=="", \
+SUBSYSTEMS=="usb", NAME=="", \
     ATTR{address}=="?[014589cd]:*", \
     TEST!="/etc/udev/rules.d/80-net-setup-link.rules", \
     TEST!="/etc/systemd/network/99-default.link", \

debian/patches/core-factor-root_directory-application-out-of-apply_worki.patch

+From: Joerg Behrmann <behrmann@physik.fu-berlin.de>
+Date: Fri, 21 Jun 2019 13:51:53 +0200
+Subject: core: factor root_directory application out of
+ apply_working_directory
+
+Fixes: #12498
+(cherry picked from commit fa97f63067a05b4e793fd4e0a2b54797459b4812)
+---
+ src/core/execute.c | 38 ++++++++++++++++++++++++++++----------
+ 1 file changed, 28 insertions(+), 10 deletions(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index a708231..47518f4 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2480,7 +2480,6 @@ static int apply_working_directory(
+                 const ExecContext *context,
+                 const ExecParameters *params,
+                 const char *home,
+-                const bool needs_mount_ns,
+                 int *exit_status) {
+ 
+         const char *d, *wd;
+@@ -2502,15 +2501,9 @@ static int apply_working_directory(
+         else
+                 wd = "/";
+ 
+-        if (params->flags & EXEC_APPLY_CHROOT) {
+-                if (!needs_mount_ns && context->root_directory)
+-                        if (chroot(context->root_directory) < 0) {
+-                                *exit_status = EXIT_CHROOT;
+-                                return -errno;
+-                        }
+-
++        if (params->flags & EXEC_APPLY_CHROOT)
+                 d = wd;
+-        } else
++        else
+                 d = prefix_roota(context->root_directory, wd);
+ 
+         if (chdir(d) < 0 && !context->working_directory_missing_ok) {
+@@ -2521,6 +2514,26 @@ static int apply_working_directory(
+         return 0;
+ }
+ 
++static int apply_root_directory(
++                const ExecContext *context,
++                const ExecParameters *params,
++                const bool needs_mount_ns,
++                int *exit_status) {
++
++        assert(context);
++        assert(exit_status);
++
++        if (params->flags & EXEC_APPLY_CHROOT) {
++                if (!needs_mount_ns && context->root_directory)
++                        if (chroot(context->root_directory) < 0) {
++                                *exit_status = EXIT_CHROOT;
++                                return -errno;
++                        }
++        }
++
++        return 0;
++}
++
+ static int setup_keyring(
+                 const Unit *u,
+                 const ExecContext *context,
+@@ -3425,6 +3438,11 @@ static int exec_child(
+                 }
+         }
+ 
++        /* chroot to root directory first, before we lose the ability to chroot */
++        r = apply_root_directory(context, params, needs_mount_namespace, exit_status);
++        if (r < 0)
++                return log_unit_error_errno(unit, r, "Chrooting to the requested root directory failed: %m");
++
+         if (needs_setuid) {
+                 if (context->user) {
+                         r = enforce_user(context, uid);
+@@ -3457,7 +3475,7 @@ static int exec_child(
+ 
+         /* Apply working directory here, because the working directory might be on NFS and only the user running
+          * this service might have the correct privilege to change to the working directory */
+-        r = apply_working_directory(context, params, home, needs_mount_namespace, exit_status);
++        r = apply_working_directory(context, params, home, exit_status);
+         if (r < 0)
+                 return log_unit_error_errno(unit, r, "Changing to the requested working directory failed: %m");
+ 

debian/patches/core-never-propagate-reload-failure-to-service-result.patch

+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 17 Jul 2019 19:16:33 +0200
+Subject: core: never propagate reload failure to service result
+
+Fixes: #11238
+(cherry picked from commit d611cfa748aaf600832160132774074e808c82c7)
+---
+ src/core/service.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 324dcf2..5f5bcb3 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -3335,7 +3335,7 @@ static void service_sigchld_event(Unit *u, pid_t pid, int code, int status) {
+                                 service_exec_command_to_string(s->control_command_id),
+                                 code, status);
+ 
+-                if (s->result == SERVICE_SUCCESS)
++                if (s->state != SERVICE_RELOAD && s->result == SERVICE_SUCCESS)
+                         s->result = f;
+ 
+                 if (s->control_command &&

debian/patches/login-add-a-missing-error-check-for-session_set_leader.patch

+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 14 Feb 2019 10:59:13 +0900
+Subject: login: add a missing error check for session_set_leader()
+
+session_set_leader() may fail. If it fails, then manager_start_scope()
+will trigger assertion.
+
+This may be related to RHBZ#1663704.
+
+(cherry picked from commit fe3ab8458b9c0ead4b3e14ac25b342d8c34376fe)
+---
+ src/login/logind-dbus.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
+index 8ab498f..b9ea370 100644
+--- a/src/login/logind-dbus.c
++++ b/src/login/logind-dbus.c
+@@ -790,7 +790,9 @@ static int method_create_session(sd_bus_message *message, void *userdata, sd_bus
+                 goto fail;
+ 
+         session_set_user(session, user);
+-        session_set_leader(session, leader);
++        r = session_set_leader(session, leader);
++        if (r < 0)
++                goto fail;
+ 
+         session->type = t;
+         session->class = c;

debian/patches/mount-generators-do-not-make-unit-wanted-by-its-device-un.patch

+From: Tom Yan <tom.ty89@gmail.com>
+Date: Wed, 9 Jan 2019 23:35:24 +0800
+Subject: mount/generators: do not make unit wanted by its device unit
+
+As device units will be reloaded by systemd whenever the corresponding device generates a "changed" event, if the mount unit / cryptsetup service is wanted by its device unit, the former can be restarted by systemd unexpectedly after the user stopped them explicitly. It is not sensible at all and can be considered dangerous. Neither is the behaviour conventional (as `auto` in fstab should only affect behaviour on boot and `mount -a`) or ever documented at all (not even in systemd, see systemd.mount(5) and crypttab(5)).
+
+(cherry picked from commit 142b8142d7bb84f07ac33fc00527a4d48ac8ef9f)
+---
+ src/core/mount.c                      | 6 +-----
+ src/cryptsetup/cryptsetup-generator.c | 4 ----
+ 2 files changed, 1 insertion(+), 9 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index c31cad6..7064fa1 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -338,7 +338,6 @@ static int mount_add_mount_dependencies(Mount *m) {
+ }
+ 
+ static int mount_add_device_dependencies(Mount *m) {
+-        bool device_wants_mount;
+         UnitDependencyMask mask;
+         MountParameters *p;
+         UnitDependency dep;
+@@ -368,9 +367,6 @@ static int mount_add_device_dependencies(Mount *m) {
+         if (path_equal(m->where, "/"))
+                 return 0;
+ 
+-        device_wants_mount =
+-                mount_is_auto(p) && !mount_is_automount(p) && MANAGER_IS_SYSTEM(UNIT(m)->manager);
+-
+         /* Mount units from /proc/self/mountinfo are not bound to devices
+          * by default since they're subject to races when devices are
+          * unplugged. But the user can still force this dep with an
+@@ -381,7 +377,7 @@ static int mount_add_device_dependencies(Mount *m) {
+         /* We always use 'what' from /proc/self/mountinfo if mounted */
+         mask = m->from_proc_self_mountinfo ? UNIT_DEPENDENCY_MOUNTINFO_IMPLICIT : UNIT_DEPENDENCY_FILE;
+ 
+-        r = unit_add_node_dependency(UNIT(m), p->what, device_wants_mount, dep, mask);
++        r = unit_add_node_dependency(UNIT(m), p->what, false, dep, mask);
+         if (r < 0)
+                 return r;
+ 
+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
+index 8759a26..ea18e84 100644
+--- a/src/cryptsetup/cryptsetup-generator.c
++++ b/src/cryptsetup/cryptsetup-generator.c
+@@ -287,10 +287,6 @@ static int create_disk(
+                 return log_error_errno(r, "Failed to write unit file %s: %m", n);
+ 
+         if (!noauto) {
+-                r = generator_add_symlink(arg_dest, d, "wants", n);
+-                if (r < 0)
+-                        return r;
+-
+                 r = generator_add_symlink(arg_dest,
+                                           netdev ? "remote-cryptsetup.target" : "cryptsetup.target",
+                                           nofail ? "wants" : "requires", n);

debian/patches/mount-remove-unused-mount_is_auto-and-mount_is_automount.patch

+From: Tom Yan <tom.ty89@gmail.com>
+Date: Thu, 10 Jan 2019 00:19:43 +0800
+Subject: mount: remove unused mount_is_auto and mount_is_automount
+
+(cherry picked from commit d0fe45cb151774827a3aca4ea5a19856dec9f600)
+---
+ src/core/mount.c | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/src/core/mount.c b/src/core/mount.c
+index 7064fa1..8da818b 100644
+--- a/src/core/mount.c
++++ b/src/core/mount.c
+@@ -101,20 +101,6 @@ static bool mount_is_bind(const MountParameters *p) {
+         return false;
+ }
+ 
+-static bool mount_is_auto(const MountParameters *p) {
+-        assert(p);
+-
+-        return !fstab_test_option(p->options, "noauto\0");
+-}
+-
+-static bool mount_is_automount(const MountParameters *p) {
+-        assert(p);
+-
+-        return fstab_test_option(p->options,
+-                                 "comment=systemd.automount\0"
+-                                 "x-systemd.automount\0");
+-}
+-
+ static bool mount_is_bound_to_device(const Mount *m) {
+         const MountParameters *p;
+ 

debian/patches/namespace-make-MountFlags-shared-work-again.patch

+From: Franck Bui <fbui@suse.com>
+Date: Wed, 13 Feb 2019 18:45:36 +0100
+Subject: namespace: make MountFlags=shared work again
+
+Since commit 0722b359342d2a9f9e0d453875624387a0ba1be2, the root mountpoint is
+unconditionnally turned to slave which breaks units that are using explicitly
+MountFlags=shared (and no other options that would implicitly require a slave
+root mountpoint).
+
+Here is a test case:
+
+  $ systemctl cat test-shared-mount-flag.service
+  # /etc/systemd/system/test-shared-mount-flag.service
+  [Service]
+  Type=simple
+  ExecStartPre=/usr/bin/mkdir -p /mnt/tmp
+  ExecStart=/bin/sh -c "/usr/bin/mount -t tmpfs -o size=10M none /mnt/tmp && sleep infinity"
+  ExecStop=-/bin/sh -c "/usr/bin/umount /mnt/tmp"
+  MountFlags=shared
+
+  $ systemctl start test-shared-mount-flag.service
+  $ findmnt /mnt/tmp
+  $
+
+Mount on /mnt/tmp is not visible from the host although MountFlags=shared was
+used.
+
+This patch fixes that and turns the root mountpoint to slave when it's really
+required.
+
+(cherry picked from commit 37ed15d7edaf59a1fc7c9e3552cd93a83f3814ef)
+---
+ src/core/execute.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 47518f4..f2a4c54 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -1839,7 +1839,7 @@ static bool exec_needs_mount_namespace(
+         if (context->n_temporary_filesystems > 0)
+                 return true;
+ 
+-        if (context->mount_flags != 0)
++        if (!IN_SET(context->mount_flags, 0, MS_SHARED))
+                 return true;
+ 
+         if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
+@@ -2435,6 +2435,9 @@ static int apply_mount_namespace(
+         else
+                 ns_info = (NamespaceInfo) {};
+ 
++        if (context->mount_flags == MS_SHARED)
++                log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
++
+         r = setup_namespace(root_dir, root_image,
+                             &ns_info, context->read_write_paths,
+                             needs_sandboxing ? context->read_only_paths : NULL,

debian/patches/series

@@ -31,6 +31,14 @@ network-read-link-specific-sysctl-value.patch
 networkd-fix-link_up-12505.patch
 network-do-not-send-ipv6-token-to-kernel.patch
 meson-make-nologin-path-build-time-configurable.patch
+core-never-propagate-reload-failure-to-service-result.patch
+shared-seccomp-add-sync_file_range2.patch
+core-factor-root_directory-application-out-of-apply_worki.patch
+shared-bus-util-drop-trusted-annotation-from-bus_open_sys.patch
+login-add-a-missing-error-check-for-session_set_leader.patch
+namespace-make-MountFlags-shared-work-again.patch
+mount-generators-do-not-make-unit-wanted-by-its-device-un.patch
+mount-remove-unused-mount_is_auto-and-mount_is_automount.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch

debian/patches/shared-bus-util-drop-trusted-annotation-from-bus_open_sys.patch

+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 27 Aug 2019 19:00:34 +0200
+Subject: shared/bus-util: drop trusted annotation from
+ bus_open_system_watch_bind_with_description()
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1746057
+
+This only affects systemd-resolved. bus_open_system_watch_bind_with_description()
+is also used in timesyncd, but it has no methods, only read-only properties, and
+in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does
+polkit checks.
+
+(cherry picked from commit 35e528018f315798d3bffcb592b32a0d8f5162bd)
+---
+ src/shared/bus-util.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
+index cbcf698..9d31fba 100644
+--- a/src/shared/bus-util.c
++++ b/src/shared/bus-util.c
+@@ -1696,10 +1696,6 @@ int bus_open_system_watch_bind_with_description(sd_bus **ret, const char *descri
+         if (r < 0)
+                 return r;
+ 
+-        r = sd_bus_set_trusted(bus, true);
+-        if (r < 0)
+-                return r;
+-
+         r = sd_bus_negotiate_creds(bus, true, SD_BUS_CREDS_UID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EFFECTIVE_CAPS);
+         if (r < 0)
+                 return r;

debian/patches/shared-seccomp-add-sync_file_range2.patch

+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Mon, 19 Aug 2019 08:51:39 +0200
+Subject: shared/seccomp: add sync_file_range2
+
+Some architectures need the arguments to be reordered because of alignment
+issues. Otherwise, it's the same as sync_file_range.
+
+(cherry picked from commit a8fb09f57395613d472d7b555db6e0ce802a8c84)
+---
+ src/shared/seccomp-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index cc58b3c..958128c 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -756,6 +756,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
+                 "msync\0"
+                 "sync\0"
+                 "sync_file_range\0"
++                "sync_file_range2\0"
+                 "syncfs\0"
+         },
+         [SYSCALL_FILTER_SET_SYSTEM_SERVICE] = {