Import Debian changes 241-7~deb10u7

b9b99555 · Michael Biebl · Emanuele Aina · 360260ef · b9b99555 · b9b99555
Commit b9b99555 authored 4 years ago by Michael Biebl Committed by Emanuele Aina 3 years ago
--- a/debian/changelog
+++ b/debian/changelog
+systemd (241-7~deb10u7) buster; urgency=medium
+
+  * core: make sure to restore the control command id, too.
+    Fixes a segfault in systemd that can be triggered when both
+    daemon-reload and a service restart happen concurrently. (Closes: #984495)
+  * seccomp: allow turning off of seccomp filtering via env var.
+    Since glibc 2.33 faccessat() is implemented via faccessat2(), which
+    is breaking running containers that use such a version of glibc under
+    systemd-nspawn in Buster.
+    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
+    possible to run such new containers. (Closes: #984573)
+
+ -- Michael Biebl <biebl@debian.org>  Thu, 18 Mar 2021 20:59:14 +0100
+
 systemd (241-7~deb10u6) buster; urgency=medium

  * journal: do not trigger assertion when journal_file_close() get NULL

--- a/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
+++ b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 22 Apr 2020 20:34:02 +0200
+Subject: core: make sure to restore the control command id, too
+
+Fixes: #15356
+(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac)
+---
+ src/core/service.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 5f5bcb3..eb66884 100644
+--- a/src/core/service.c
+++ b/src/core/service.c
+@@ -2689,9 +2689,10 @@ static int service_deserialize_exec_command(Unit *u, const char *key, const char
+                                 break;
+         }
+ 
+-        if (command && control)
+        if (command && control) {
+                 s->control_command = command;
+-        else if (command)
+                s->control_command_id = id;
+        } else if (command)
+                 s->main_command = command;
+         else
+                 log_unit_warning(u, "Current command vanished from the unit file, execution of the command list won't be resumed.");
--- a/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
+++ b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 2 Nov 2020 14:51:10 +0100
+Subject: seccomp: allow turning off of seccomp filtering via env var
+
+Fixes: #17504
+
+Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
+
+(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
+---
+ docs/ENVIRONMENT.md         |  3 +++
+ src/nspawn/nspawn-seccomp.c |  2 +-
+ src/shared/seccomp-util.c   | 19 +++++++++++++++----
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
+index 99b5b03..286a5e2 100644
+--- a/docs/ENVIRONMENT.md
+++ b/docs/ENVIRONMENT.md
+@@ -58,6 +58,9 @@ All tools:
+   this only controls use of Unicode emoji glyphs, and has no effect on other
+   Unicode glyphs.
+ 
+* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
+  support for it is compiled in and available in the kernel.
+
+ systemctl:
+ 
+ * `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index e7ef80f..17abfce 100644
+--- a/src/nspawn/nspawn-seccomp.c
+++ b/src/nspawn/nspawn-seccomp.c
+@@ -168,7 +168,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
+         int r;
+ 
+         if (!is_seccomp_available()) {
+-                log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
+                log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
+                 return 0;
+         }
+ 
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 958128c..cbab63c 100644
+--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
+@@ -19,6 +19,7 @@
+ #include "strv.h"
+ #include "util.h"
+ #include "errno-list.h"
+#include "env-util.h"
+ 
+ const uint32_t seccomp_local_archs[] = {
+ 
+@@ -242,10 +243,20 @@ static bool is_seccomp_filter_available(void) {
+ bool is_seccomp_available(void) {
+         static int cached_enabled = -1;
+ 
+-        if (cached_enabled < 0)
+-                cached_enabled =
+-                        is_basic_seccomp_available() &&
+-                        is_seccomp_filter_available();
+        if (cached_enabled < 0) {
+                int b;
+
+                b = getenv_bool_secure("SYSTEMD_SECCOMP");
+                if (b != 0) {
+                        if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
+                                log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
+
+                        cached_enabled =
+                                is_basic_seccomp_available() &&
+                                is_seccomp_filter_available();
+                } else
+                        cached_enabled = false;
+        }
+ 
+         return cached_enabled;
+ }
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -58,6 +58,8 @@ networkd-do-not-generate-MAC-for-bridge-device.patch
 journal-do-not-trigger-assertion-when-journal_file_close-.patch
 test-bpf-skip-test-when-run-inside-containers.patch
 tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
+core-make-sure-to-restore-the-control-command-id-too.patch
+seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch