review.tizen.org Git - platform/upstream/systemd.git/log

packaing: Add WITH_SMACK option to switch smack feature

Add WITH_SMACK option to switch smack feature during compile time.
- If WITH_SMACK is 1, systemd requires SMACK feature for security.
- If WITH_SMACK is 0, systemd doesn't require SMACK feature.

Change-Id: If4a4a6f24d9f34b4cb44b28324341d46f2193d9f
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>

sd-device: make devpath check stricter

See assertion in sd_device_get_devpath().

(Backporting comment)
There sometimes and empty devpath comes from the function. See the
deviced commit, 2628c5aed5c0e712e1fbd7d571ef0b640f5afbec.

Original: upstream, https://github.com/systemd/systemd/pull/18684
Change-Id: I29816219b3fc40eb13c1bf4bbb5d84b9782da333
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

sd-device: do not cache an empty string but clear cache on failre

And propagate the original error on write.
Note that some attributes are read-only.

Original: upstream, https://github.com/systemd/systemd/pull/18684
Change-Id: I995f86a156b5e974844e0fec9aabf384302a0c3b
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

tizen: Use openssl3 if needed

This commit updates ssl dependency to openssl3.

However, in default tizen configuration openssl is not
used at all as only component using it (systemd-resolved,
as enabled/disabled via -Dresolve=true/false) is disabled.

Change-Id: I3a51139cef21ce80acecfef84f5c3a47a7d7cca1

Fix to check if string is NULL or not

An error occured while trying to build for riscv64 using gcc-13:
> [  105s] In file included from ../src/nspawn/test-nspawn-tables.c:4:
> [  105s] ../src/shared/test-tables.h: In function '_test_table.constprop':
> [  105s] ../src/shared/test-tables.h:30:42: error: '%s' directive argument is null [-Werror=format-overflow=]
> [  105s]    30 |                         printf("%s: %d → %s → %d\n", name, i, val, rev);
> [  105s]       |                                          ^~
> [  105s] ../src/shared/test-tables.h:30:42: error: '%s' directive argument is null [-Werror=format-overflow=]
> [  105s] cc1: some warnings being treated as errors

The "val" can be NULL but the original code does not checking it, so the
compiler is complaining about it.

To fix this issue, ternary operator for val was used:
> printf("%s: %d → %s → %d\n", name, i, val ? val : "(null)", rev);

Change-Id: I8f1b2b45d152ec362977154f62e333807392da76
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>

Avoid passing NULL as format parameter

GCC reported possible problem with passing NULL returned from
*_to_string() helpers as an argument for '%s' in a format string.

../src/core/job.c: In function 'job_finish_and_invalidate':
../src/core/job.c:976:27: error: '%s' directive argument is null [-Werror=format-overflow=]
  976 |         log_unit_debug(u, "Job %" PRIu32 " %s/%s finished, result=%s", j->id, u->id, job_type_to_string(t), job_result_to_string(result));
      |                           ^~~~~~~
../src/core/unit.h:878:190: note: in definition of macro 'log_unit_full'
  878 |                 _u ? log_object_internal(level, error, PROJECT_FILE, __LINE__, __func__, _u->manager->unit_log_field, _u->id, _u->manager->invocation_log_field, _u->invocation_id_string, ##__VA_ARGS__) : \
      |                                                                                                                                                                                              ^~~~~~~~~~~
../src/core/job.c:976:9: note: in expansion of macro 'log_unit_debug'
  976 |         log_unit_debug(u, "Job %" PRIu32 " %s/%s finished, result=%s", j->id, u->id, job_type_to_string(t), job_result_to_string(result));
      |         ^~~~~~~~~~~~~~

Wrapping the helpers in strna() prevents this from happening.

Further fixes may be applied depending on the outcomes of the discussion
on the systemd-devel mailing list.

Change-Id: Id73f2bc887f46bb07fc960d264953cd5dfce82de
Link: https://lists.freedesktop.org/archives/systemd-devel/2023-June/049215.html
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

Include <sys/mount.h> in decl_headers

To properly decide whetehr to include <linux/fs.h> or not <sys/mount.h>
needs to be included too.

Change-Id: I897ad9cffd24f10fbfeda244101f3048239cfaac
Fixes: cbe32a421e ("glibc: Remove #include <linux/fs.h> to resolve fsconfig_command/mount_attr conflict with glibc 2.36")
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

Drop bundled copy of linux/if_arp.h

As far as I can see, we use this to get a list of ARPHRD_* defines (used in
particular for Type= in .link files). If we drop our copy, and build against
old kernel headers, the user will have a shorter list of types available.  This
seems OK, and I don't think it's worth carrying our own version of this file
just to have newest possible entries.

7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd
have to update it every time the kernel adds new entries. But if we look at
the failure carefully:

src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’?
   65 | MCTP, ARPHRD_MCTP
      |                ^~
      |                ARPHRD_FCPP

we see that the list we were generating was from the system headers, so it was
only as good as the system headers anyway, without the newer entries in our
bundled copy, if there were any. So let's make things simpler by always using
system headers.

And if somebody wants to fix things so that we always have the newest list,
then we should just generate and store the converted list, not the full header.

Change-Id: I03616d75404bea068c2e56bf47417b0fb9cd32a0
Origin: upstream, https://github.com/systemd/systemd/commit/e7f46ee3ae1cc66a94b293957721d68dc09d7449
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

Fix an error on dlog-redirection

When both stdout and stderr are set as dlog, log tag and priority of
stderr is not set properly.

Change-Id: Ia14de6aeff3828aa0d6a27210fa96c53ee577c8d
Signed-off-by: Junghak Sung <jh1009.sung@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>

Merge changes from topic "CVE-2020-1712" into tizen

* changes:
  Fix typo in function name
  man: document the new sd_bus_enqueue_for_read() API call
  polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it
  sd-bus: introduce API for re-enqueuing incoming messages
  polkit: use structured initialization
  polkit: on async pk requests, re-validate action/details
  polkit: reuse some common bus message appending code
  bus-polkit: rename return error parameter to ret_error
  shared: split out polkit stuff from bus-util.c → bus-polkit.c

Fix typo in function name

Origin: upstream, https://github.com/systemd/systemd/commit/bc130b6858327b382b07b3985cf48e2aa9016b2d
Change-Id: Ia51b9fa4c747fa80f4f6f7a7c44c7c5225b0f5b1
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

man: document the new sd_bus_enqueue_for_read() API call

Origin: upstream, https://github.com/systemd/systemd/commit/5c1163273569809742c164260cfd9f096520cb82
Change-Id: I40ea7e0d913bc80e96a4875818ae3d266e0cf70e
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

polkit: when authorizing via PK let's re-resolve callback/userdata instead of caching it

Previously, when doing an async PK query we'd store the original
callback/userdata pair and call it again after the PK request is
complete. This is problematic, since PK queries might be slow and in the
meantime the userdata might be released and re-acquired. Let's avoid
this by always traversing through the message handlers so that we always
re-resolve the callback and userdata pair and thus can be sure it's
up-to-date and properly valid.

Origin: upstream, https://github.com/systemd/systemd/commit/637486261528e8aa3da9f26a4487dc254f4b7abb
Change-Id: Ifaeb5142c9a574a04017167fbccc45388cc72956
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

sd-bus: introduce API for re-enqueuing incoming messages

When authorizing via PolicyKit we want to process incoming method calls
twice: once to process and figure out that we need PK authentication,
and a second time after we aquired PK authentication to actually execute
the operation. With this new call sd_bus_enqueue_for_read() we have a
way to put an incoming message back into the read queue for this
purpose.

This might have other uses too, for example debugging.

(Resolve build error from cherry-pick) In libsystemd.sym, removed
unnecessary symbols:
  LIBSYSTEMD_245 {
  global:
          sd_bus_enqueue_for_read;
-        sd_bus_message_dump;
-        sd_bus_message_sensitive;
-        sd_event_add_child_pidfd;
-        sd_event_source_get_child_pidfd;
-        sd_event_source_get_child_pidfd_own;
-        sd_event_source_set_child_pidfd_own;
-        sd_event_source_get_child_process_own;
-        sd_event_source_set_child_process_own;
-        sd_event_source_send_child_signal;
-        sd_journal_open_namespace;
  } LIBSYSTEMD_243;

Origin: upstream, https://github.com/systemd/systemd/commit/1068447e6954dc6ce52f099ed174c442cb89ed54
Change-Id: Iad04610bf0b50be04bc870c7fc42b1d9c991cfa2
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

polkit: use structured initialization

Origin: upstream, https://github.com/systemd/systemd/commit/f4425c72c7395ec93ae00052916a66e2f60f200b
Change-Id: Ife9992a56217915576538fca72a1e1acafdd0eb5
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

polkit: on async pk requests, re-validate action/details

When we do an async pk request, let's store which action/details we used
for the original request, and when we are called for the second time,
let's compare. If the action/details changed, let's not allow the access
to go through.

Origin: upstream, https://github.com/systemd/systemd/commit/7f56982289275ce84e20f0554475864953e6aaab
Change-Id: I677423b7fba07222e39b7df965d3896f4d2f2875
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

polkit: reuse some common bus message appending code

Origin: upstream, https://github.com/systemd/systemd/commit/95f82ae9d774f3508ce89dcbdd0714ef7385df59
Change-Id: Idbe75031d9e9c23248fe4174c9ad48c67caf2ca2
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

bus-polkit: rename return error parameter to ret_error

Origin: upstream, https://github.com/systemd/systemd/commit/773b1a7916bfce3aa2a21ecf534d475032e8528e
Change-Id: Ife1bb544e3d0c868f62f37ea0172d1f105b710db
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

shared: split out polkit stuff from bus-util.c → bus-polkit.c

It's enough, complex stuff to warrant its own source file.

No other changes, just splitting out.

(Resolve build error from cherry-pick) In bus-util.c, leave fd-util.h
and proc-cmdline.h for code preprocessed by ENABLE_KDBUS macro.
+#if ENABLE_KDBUS
+#include "fd-util.h"
+#include "proc-cmdline.h"
+#endif

Origin: upstream, https://github.com/systemd/systemd/commit/269e4d2d6b75329ae39a71ebe2c14500e03cda95
Change-Id: I9cc9f51f614bf5f8059422cc1923aa88a5812560
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

Make an assertion stricter (SVACE)

Change-Id: I88e5ea15729c2d65638b5eb208d7c2c800010f14

glibc: Remove #include <linux/fs.h> to resolve fsconfig_command/mount_attr conflict with glibc 2.36

Origin: https://github.com/systemd/systemd/commit/3657d3a01c7e25ff86d7a4642065b367c4ff7484
Change-Id: I88e5ea15729c2d65638b5eb208d7c2c800010f13
Signed-off-by: Marek Pikuła <m.pikula@partner.samsung.com>

tizen: remove rules.d/60-persistent-v4l.rules

Calling v4lid sequentially on all /dev/videoX devices is known to cause
problems on various embedded/vendor kernels. Disable this by removing
60-persistent-v4l.rules udev rules. Vendor camera devices usually comes
with their own custom nubmering, so there is no need for such udev rule
anyway.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Change-Id: I6ccdf56eb6a10b341a9c5e330962bda97eed06ac

tizen: Change the SMACK label for systemd in the user session

Change the SMACK label for systemd in the user session to
System::Privileged to avoid problems with handling
org.freedesktop.systemd1.Manager.GetUnitByPID method.

Change-Id: If9f30e57050f01004c56b85235ad50d49710ac53
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

tizen: Set DefaultSmackProcessLabel to User

Run user session services with the User SMACK label instead of
System::Privileged inherited from systemd.

Change-Id: Ia3759dea4fb248aa88dcd303a4ae4a400d89f580
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

tizen: Set AmbientCapabilities in user@.service

Replace obsolete Capabilities option in user@.service with
AmbientCapabilities to provide appropriate set of capabilties for systemd
to manage user session.

According to capability set transformation rules described in
capabilities(7)

    if a process with nonzero user IDs performs an execve(2) then any
    capa‐ bilities that are present in its permitted and effective
    sets will be cleared.

This means that for systemd running with nonzero UID (i.e. as the user
session manager) to keep permitted and effective capability
sets non-empty without setting file capabilities for systemd it is
required to use ambient capabilities.

Using file capabilities for systemd may be a wrong choice in the long
term, because different sets of capabilities may be assigned to different
user sessions.

Change-Id: I479fbbcf153737dbf88340ef4eb4be15d707a9a4
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>

core: drop ambient capabilities in user manager

Ambient capabilities should not be passed implicitly to user
services. Dropping them does not affect other sets which are importat
for the manager itself to operate.

Change-Id: Ib3c4b2d59830537e89b5e85a196a4ca1a65fed77
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Forwarded: https://github.com/systemd/systemd/pull/23988

smack: Add DefaultSmackProcessLabel to user.conf and system.conf

DefaultSmackProcessLabel tells systemd what label to assign to its child
process in case SmackProcessLabel is not set in the service file. By
default, when DefaultSmackProcessLabel is not set child processes inherit
label from systemd.

If DefaultSmackProcessLabel is set to "/" (which is an invalid character
for a SMACK label) the DEFAULT_SMACK_PROCESS_LABEL set during compilation
is ignored and systemd act as if the option was unset.

Change-Id: Ia432ed6de72476984d22412467da48cc851fd32a
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Origin: https://github.com/systemd/systemd/commit/aa5ae9711ef3cd0c69b7fcfbd65bca05fb704a8a

basic: Drop ambient inherited capabilities by default

Modify the functions capability_update_inherited_set() and
capability_ambient_set_apply() to drop capabilities not explicitly
requested by the user.

Change-Id: I6e5c6426b946e652bc1fd0f75a8ae41bd2b9f8e2
Origin: https://github.com/systemd/systemd/commit/82d832b435a0ae799011aeec75584af8188fb8db
Signed-off-by: Łukasz Stelmach <l.stelmach@sasmsung.com>

core: Fix memory leaks

arg_early_core_pattern and arg_watchdog_device hold pointers to memory
allocated with strdup() (inside path_make_absolute_cwd). The memory needs
to be freed in reset_arguments() during reload rather than forgotten.

Change-Id: I2ab2fb856ce9dae70443430d99279f4d4848231e
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Origin: https://github.com/systemd/systemd/commit/919ea64f69f710840c1bc93f0f7cb7c51aae45d0

Refuse daemon-reload request during boot time

daemon-reload operations can empty the cgroup procs of transient unit,
resulting in user@5001.service stop.

org.freedesktop.systemd1.Manager.Reload
  V
unit_free()
  V
unit_unwatch_pid() Unit=user-5001.slice <-- tlm-sessiond
  V
/sys/fs/cgroup/systemd/user.slice/user-5001.slice/session-c1.scope becomes empty
  V
systemd-logind removes session-c1.scope by garbage collection
  V
user@5001.service stops

Change-Id: I6195ed25a99c8506534b3bc8d72fbf83906b107c
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Remove StopWhenUnneeded=yes in user-runtime-dir@.service.in

user-runtime-dir@.service should never stop.
When it stops,
user@5001.service(Requires=user-runtime-dir.service) stops accordingly.

Change-Id: I24f5780ab0eebcfbd2efa4c75141f817a9242bca
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Run booting-done.service as root:root System

booting-done.service should be privileged to be responsible for
checkpointing booting status not only for normal booting
but also for FOTA and recovery booting.

Change-Id: Ic17dd0559544c323dedfe7c9b5ad13d01bc65588
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

tizen: mount /run/user/UID with noexec

There is no point in having /run/user/UID mounted with exec, especially
that /run itself is mounted with noexec.

Change-Id: I16d46c3f3103205edf81764ca479ee0a569f90f7

Add cap_sys_chroot=i in user@.service

[Problem]
Subject: FW: RE:(2) ~RE(3): [Debug Attach] Program Symbols Not Loading

+ Tomasz Swierczek

Hello Tomasz,

A problem has been reported that the "Debug Attach" function does not work in Tizen Studio.
(For more information, please refer to the mails below.)

This seems to be related to mount namespace separation operation.
If we revert https://review.tizen.org/gerrit/#/c/platform/core/appfw/launchpad/+/212712/ , it works well as expected.
It seems that the gdserver process requires setns operation to attach to the app process that is already in operation.

To solve this problem, capabilities need to be assigned to "gdserver" executable file, but it is pushed by tizen-studio
during the runtime of debugging, so "setcap" does not work because it has "sdk_user" permission.

There seems to be no solution at the moment, if you have any good ideas, please share them.

Thanks,
Jin-gyu Kim

[Solution]
Precondition : A. launchpad needs to know that the current request was made by the gdbserver.
               B. launchpad needs to know the pid of the target app process.
1. Add "cap_sys_chroot" to launchpad process. (It should be also included in user@.service as an inheritable option.)
2. If the current request is executed by the gdbserver, it's namespace needs to be equal to the target app process by using setns().
   - setns() requires the pid of target app process. (Please refer https://man7.org/linux/man-pages/man2/setns.2.html)
     example : int fd = open("/proc/1234/ns/mnt", O_RDONLY); setns(fd,0); // "/proc/[pid]/ns/mnt"
   - These must be executed before "security_manager_prepare_app()".

Change-Id: Ief42b5e40259fa074ec110cfac957508dcb468d3
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

tizen: ensure standard reboot/poweroff not return to shell

Change-Id: Iece3b236f3f2848179dacd3a7ac8afdb008af482

Fix build error regarding meson 0.60.3 upgrade

The new guideline is to use 'and' instead of '+'.

Change-Id: I92634e5d06d31858b1cac3eccd5e57625fdce28a
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Add device_board_set_boot_success in booting-done.service

/usr/bin/device_board_set_boot_success reports boot success to the bootloader.
If boot success is not reported for, e.g., 10-times booting in a row,
bootloader recovers the system.

-- Bootloader --
If (BOOT_SUCCESS flag is set) {
Clear the BOOT_SUCCESS flag
BOOT_FAIL_COUNT = 0
} Else {
If (++ BOOT_FAIL_COUNT > 10) {
BOOT_FAIL_COUNT = 0
Restore to the other partitions (e.g., b -> a)
Proceed to the recovery booting (ramdisk-recovery, bootmode="recovery")
}
}

Proceed to the normal booting (ramdisk, bootmode="")

Change-Id: I581c5dbcf216806dfcff826bbdf7ca82dc944676
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Merge "spec: remove unused dbus.target.wants" into tizen

spec: remove unused dbus.target.wants

Change-Id: Ibf05bd9901ce98110c7bb48e62810b8fd6baaf9c

systemd: fix smack error

A user systemd session accesses /proc/1/sched to detect container.

Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:14 localhost audit[636]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=636 comm="systemd" name="sched" dev="proc" ino=12247
Jan 01 09:00:23 localhost audit[915]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=915 comm="systemctl" name="sched" dev="proc" ino=12247

Change-Id: I0d6f632b090582888c45f309c8a8bf06f4f0f510

udev: add "Requires: acl" dependency

input udev rule uses /usr/bin/setfacl command.
===============================================================================================n
55-udev-smack-default.rules:SUBSYSTEM=="input", KERNEL=="mouse*|mice|event*|ts[0-9]*|uinput",
GROUP="input", SECLABEL{smack}="*", RUN+="/usr/bin/setfacl -m group:priv_keygrab:r %N"
===============================================================================================

Change-Id: I041cfda0c1ef58f02dea8e2ec9fc004121a42cd8

basic/unit-name: do not use strdupa() on a path

The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

https://bugzilla.redhat.com/show_bug.cgi?id=1970887

The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.

Change-Id: I4e2d3a82bbc4f53845cca6186c62588d8894566e

spec: remove deprecated pc files

- /usr/lib/pkgconfig/libsystemd-daemon.pc
- /usr/lib/pkgconfig/libsystemd-id128.pc
- /usr/lib/pkgconfig/libsystemd-journal.pc
- /usr/lib/pkgconfig/libsystemd-login.pc

Change-Id: I4e2d3a82bbc4f53845cca6186c62588d8894566f

Redirect stdout/stderr to dlog by default

Change-Id: I5682de7dce014f76f403406ef73c7bd5a9661d5f
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Enable virtualization feature

From now on, tizen supports docker.

Change-Id: I2ec4d5a9266fb5190279e57906a056d090b8eb9a

Remove final.target dependency from reboot sequence

Change-Id: I289839f05abd3830691119ac8c9a8a7c370e757e
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

basic/cap-list: parse/print numerical capabilities

We would refuse to print capabilities which were didn't have a name
for. The kernel adds new capabilities from time to time, most recently
cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with
"Failed to parse bus message: Invalid argument" because
capability_set_to_string_alloc() would fail with -EINVAL. So let's
print such capabilities in hexadecimal:

CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
  cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
  cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
  cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16
  0x17 0x18 0x19 0x1a ...

For symmetry, also allow capabilities that we don't know to be specified.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.

Change-Id: I9cb97a37024d9781fdf3bc741eb1cdc801e91bb5

Revert "Description : adding force option to reboot command."

This reverts commit e03bd8dae27026782e1cf524b78f87637238cf5c.

Description is not enough to keep this, and quite likely the
problem is long gone.

Tizen uses it's own shutdown program (deviced-shutdown) from
around Tizen 5.x, which handles the shutdown sequence exactly
as wanted.

Right now it actually causes more harm than good, as it makes
impossible to run any action for two out of four "shutdown"
actions.

Change-Id: I871ffa573fefbb280a5b23e4cd62727dda478eb5

tizen: Do not use shutdown.target for shutdown

shutdown.target is special unit to which systemd automatically adds
Conflicts= with for every unit.

By removing the relation to this target in shutdown units we practically
change the shutdown to use only explicitly configured units.

Change-Id: I93a43cdb3875250920e3e49817ffcd6f7f7725b6

Revert "Temporarily remove dlog_connect_fd()"

This reverts commit 34e316b4345a71a353c0ff622975144e0af98515.

Change-Id: I4f86bdfda8dd0a4b99dcb02bd2ad0a32a0602f93

Temporarily remove dlog_connect_fd()

Change-Id: Iba815676531a7561c4c4f7c12263464b1dba7f22
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Use new dlog-redirect-stdout api function

Change-Id: I5bcc23a74950d2d8ae0db2ecabf5ea14d358b0ec

Add "dlog|journal" output redirection option

Journal seems to default to /dev/null even when not explicitly
specified, so there is no separate "dlog|journal|null".

Change-Id: I5682de7dce014f76f403406ef73c7bd5a9661d5e

Merge "Basic PoC for DLog stdout redirector" into tizen

Basic PoC for DLog stdout redirector

Set Standard{Output,Error}=dlog in a service file,
or DefaultStandard{Output,Error}=dlog for global.

Note that setting the global default should only
really be done if DLog is working under the Android
Logger backend, since the Pipe backend daemon is
not really available early on which can make early
daemons fail.

Change-Id: Icf7224d1fabd4cdb45971ac9314ed4d19d220bbb

systemd: Fix busctl crash on aarch64 when setting output table format

The enum used for column names is integer type while table_set_display() is parsing
arguments on size_t alignment which may result in assert in table_set_display() if
the size between types missmatch. This patch cast the enums to size_t.
It also fixes all other occurences for table_set_display() and
table_set_sort().

Change-Id: Ie225491ae3f9752183d6ea7993d02ef450ed6ab6

systemd: Fix busctl crash on aarch64 when setting output table format

The enum used for column names is integer type while table_set_display() is parsing
arguments on size_t alignment which may result in assert in table_set_display() if
the size between types missmatch. This patch cast the enums to size_t.
An alternative solution would be to change the table_set_display() function
arguments to unsigned type.

Change-Id: I862db0168d58ecb3b7ee7dcf7f751be5a6121fd9

unit: fix serial console baudrate to 115200

Due to noise coming into the serial console or other abnormal behavior,
agetty changes the baudrate in the following order: 115200, 38400, 9600.

Since tizen only uses 115200 baudrate, this is fixed.

It is reported in the DA.

Change-Id: Icf7224d1fabd4cdb45971ac9314ed4d19d220bb1

spec: depend on libdbuspolicy1

kdbus.h is being moved to libdbuspolicy1 package.

Change-Id: Ib9009bc7fdc5c407d6e9349a028a81322294d2d7

delayed: rework dealyed service without capability of /usr/bin/touch

VD security remove capability of /usr/bin/touch. (cap_dac_override=ei)

Change permision and group of /run/systemd/system
from 0755/root/root to 0775/root/systemf_fw.

Change-Id: I6e2189c2cd0d4a86db995651b43a4dcdc25fcabf

tizen: Search for configuration files in /hal dir

Since Tizen 6.5, a HAL image is mounted on the /hal directory,
which contains hardware-specific configurations and drivers,
for better portability of Tizen.

This is the priority of path searching for configuration file.
1. /etc/
2. /run/
3. /usr/local/lib/
4. /usr/lib/
5. /hal/lib/

When the same file exists, the higher priority file is used.
In this case, "/etc" is the highest priority.

Because hal can never override platform,
hal has a lower priority than platform.

Change-Id: Ie5e6cf98e64b4317bda23d49571b5c0f60084569
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>
[ Change search order for /hal to be searched last ]
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>

sysctl: delete unnecessary sysctl-tizen-override.conf

/proc/sys/net/core/default_qdisc has only pfifo_fast values in all targets.
(TM1, TW2, TW3, RPI3, RPI4, ARTIK, EMUL)

If this conf does not exist, there is warning journal log and this is not harmful.
"Jan 01 11:36:16 localhost systemd-sysctl[208]: Couldn't write 'pfifo_fast' to 'net/core/default_qdisc', ignoring: No such file or directory"

Change-Id: I970dc97fc0771b1ef3fce1ef05b5f6a2d6b22778

delayed: remove unused file

Change-Id: Ifacc46fcc5c7ec7bb52f9b4f47ed5ea98aa5fd5a

Delayed target: add delaying the start of delayed.target #2

Delay time is also applied to user systemd.
System systemd is already applied.

Change-Id: I8da0c1f224a74d45badd82f2ac1dda13cb8febbb

sd-device-enumerator: do not return error when a device is removed

If /sys/class/OOO node is created and destroyed during booting (kernle driver initialization fails),
systemd-udev-trigger.service fails due to race condition.

***** race condition ***********************************************************************************
1. kernel driver create /sys/class/OOO
2. systemd-udev-trigger.service execues "/usr/bin/udevadm trigger --type=devices --action=add"

3. device_enumerator_scan_devices() => enumerator_scan_devices_all() => enumerator_scan_dir("class") =>
    opendir("/sys/class") and iterate all subdirs ==> enumerator_scan_dir_and_add_devices("/sys/class/OOO")

4. kernel driver fails and destroy /sys/class/OOO
5. enumerator_scan_dir_and_add_devices("/sys/class/OOO") fails in opendir("/sys/class/OOO")

6. "systemd-udev-trigger.service" fails
7. udev coldplug fails and some device units not ready
8. mount units asociated with device units fail
9. local-fs.target fails
10. enters emergency mode
********************************************************************************************************

***** status of systemd-udev-trigger.service unit ******************************************************
$ systemctl status systemd-udev-trigger.service
systemd-udev-trigger.service - udev Coldplug all Devices
   Loaded: loaded (/usr/lib/systemd/system/systemd-udev-trigger.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2020-01-02 13:16:54 KST; 22min ago
     Docs: man:udev(7)
           man:systemd-udevd.service(8)
  Process: 2162 ExecStart=/usr/bin/udevadm trigger --type=subsystems --action=add (code=exited, status=0/SUCCESS)
  Process: 2554 ExecStart=/usr/bin/udevadm trigger --type=devices --action=add (code=exited, status=1/FAILURE)
  Main PID: 2554 (code=exited, status=1/FAILURE)

  Jan 02 13:16:54 localhost udevadm[2554]: Failed to scan devices: No such file or directory
  Jan 02 13:16:54 localhost systemd[1]: systemd-udev-trigger.service: Main process exited, code=exited, status=1/FAILURE
  Jan 02 13:16:54 localhost systemd[1]: systemd-udev-trigger.service: Failed with result 'exit-code'.
  Jan 02 13:16:54 localhost systemd[1]: Failed to start udev Coldplug all Devices.
*******************************************************************************************************

***** journal log with Environment=SYSTEMD_LOG_LEVEL=debug in systemd-udev-trigger.service  ***********
  Jan 01 21:57:20 localhost udevadm[2039]: sd-device-enumerator: Scanning /sys/bus
  Jan 01 21:57:20 localhost udevadm[2522]: sd-device-enumerator: Scan all dirs
  Jan 01 21:57:20 localhost udevadm[2522]: sd-device-enumerator: Scanning /sys/bus
  Jan 01 21:57:21 localhost udevadm[2522]: sd-device-enumerator: Scanning /sys/class
  Jan 01 21:57:21 localhost udevadm[2522]: sd-device-enumerator: Failed to scan /sys/class: No such file or directory
  Jan 01 21:57:21 localhost udevadm[2522]: Failed to scan devices: No such file or directory
*******************************************************************************************************

Change-Id: Iefc64406a72e5facf1f9c48ea2f36fdadf18891d

spec: fix typo in %postun script

Change-Id: Ib4b6481a67646e02f59a622c42ca84f26616a394

Delayed target: add delaying the start of delayed.target

If /etc/systemd/delayed-target.conf exists and has DelayedTargetWait environment value,
delayed.target starts after DelayedTargetWait seconds.

If the /tmp/.systemd_delayed_target_wait file is created within the delayed time,
delayed.target starts immediately.

Change-Id: I4ad1ff6a8084ed9db7d630f533a9348b41decbf0

packaging: Align alternatives setup with fedora-recommended scheme

Change-Id: I5ff9241180d32fb936a19dadfea9fa7d174a1dee

Add an api for early initialization of input udev

KERNEL[3.864698] add /devices/virtual/rc/rc1/input2 (input)
DEVPATH=/devices/virtual/rc/rc1/input2
UDEV [6.541278] add /devices/virtual/rc/rc1/input2 (input)
DEVPATH=/devices/virtual/rc/rc1/input2

For fast input accessing, input udev should be set up early,
so that udev_device_get_is_initialized(input_udev_dev) check can be skipped before UDEV [6.541278].

Change-Id: I8182f856b0169f9c434bb360a49cfef109485c94
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Restore 'Default Dependendies' to system-default-target-done.service and system-delayed-target-trigger.service

Add 'Requires=sysinit.target' and 'After=sysinit.target basic.target'

Two dependencies prevent those service from running in emergency mode,
because sysinit.target always fails in emergency mode.

Change-Id: I7602100652f478b3d66fcba215659f39a63694e2

Emergency mode: add emergency-target-holder.service

The emergency-target-holder.service prevents emergency.target from completing.
If emergency.target is not completed,
other services that are not intended can not be run in emergency mode.

Detailed information.
============================================================================================================================
1. If local-fs.target fails, emergency.target is started by 'OnFailure=emergency.target'.

2. By 'OnFailureJobMode=replace-irreversibly' option,
   emergency.target cannot be canceled until completion.

3. When starting a new service by any activation(dbus, path, socket) in emergency mode,
   sysinit.target is always checked and started by 'DefaultDependency=yes'.

4. sysinit.target stops emergency.target because of the 'Conflicts=emergency.target' setting.

5. However, emergency.target can not be stopped
   because it started with 'replace-irreversibly' and not finished yet.

6. So sysinit.target can not be started.

7. New service can not be run because sysinit.target could not be started.
============================================================================================================================

Logs when running new services after applying this patch
=============================================================================================================================
bash-3.2# systemctl start deviced.service
Failed to start deviced.service: Transaction for deviced.service/start is destructive (emergency.target has 'start' job queued, but 'stop' is included in transaction).
See system logs and 'systemctl status deviced.service' for details.

bash-3.2# systemctl start sysinit.target
Failed to start sysinit.target: Transaction for sysinit.target/start is destructive (emergency.target has 'start' job queued, but 'stop' is included in transaction).
See system logs and 'systemctl status sysinit.target' for details.
==============================================================================================================================

Change-Id: I2cefadd7228d463fe1755e0c475f4563d98c8260

packaging: Fixup removal of pamconsole-tmp.conf

Change-Id: Id8c736f5d00823a67446df98e19f8e9faa6536ca

Remove unused file pamconsole-tmp.conf

Change-Id: I0c737140c57588a2e8dc936b0e371040ab20e3d2

packaging: Ensure systemd-shutdown is owned by systemd

Change-Id: I37ced8706c8bb86e465226b01fffe9976edbf08c

packaging: Drop unused kernel-install utility

Change-Id: I73301481613fbefc77374fcc42297d10eebe3795

Alternativize shutdown command et al.

Change-Id: I43030af64c1791ffbc99aeb3906a5517edbd3670

packaging: Do not require WITH_... macros to be explicitly defined

Change-Id: I1496d79b626da11085caceec32e1748bb5b16836

spec: fix feature macro typo

Change-Id: Ifccdcf1561a32d04526d8ccf8ea76586b5a1c85c

Disable virtualization feature

1. Tizen does not support continer and vm.

2. Resolving Smack error.
==========================================================================================
Jan 01 09:00:19 localhost audit[591]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=591 comm="systemd" name="sched" dev="proc" ino=12322
Jan 01 09:00:19 localhost audit[591]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=591 comm="systemd" name="sched" dev="proc" ino=12322
Jan 01 09:00:19 localhost audit[591]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=591 comm="systemd" name="sched" dev="proc" ino=12322

Jan 01 09:00:19 localhost audit[535]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=535 comm="tlm-sessiond" name="environ" dev="proc" ino=12572
Jan 01 09:00:19 localhost audit[535]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=535 comm="tlm-sessiond" name="sched" dev="proc" ino=12322

Jan 01 09:00:30 localhost audit[949]: AVC lsm=SMACK fn=smack_inode_permission action=denied subject="User" object="System::Privileged" requested=r pid=949 comm="systemctl" name="sched" dev="proc" ino=12322
==========================================================================================

Change-Id: I8b947a0de6c030fa7dd4f8d8b080b1f7783a4010

spec: disable ldconfig feature

A ldconfig.service is not able to run because / is mounted as RO.

Change-Id: I36d579b147a74df2a2efb0349958f76f65f710a0

Add Conflicts=emergency.service in system-delayed-target-trigger.service

Change-Id: Ib742d57963db8cfba2a091d4de1562ab0b95fc7a
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Do not log reboots to utmp

This functionality is not used by Tizen services. Users can find
reboots using standard log facilities (journal).

Change-Id: Ie8926606ebb386684ba321ef4560eaec9143e4cf

Fix wait-target-done.c

1. Change inotify fd to nonblock.
2. Change timeout to use alarm(). And make it encompass
the whole process, which now includes wd allocation.
3. Add dependency with tlm.service to
system-delayed-target-trigger.service
4. Add journal log.

Change-Id: Ibec5e4f4030e26235dbba6610a5142d0e29e423f
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

Remove unused systemd-remount-fs.service and systemd-fstab-generator

Tizen no longer uses /etc/fstab.
So we don't need systemd-remount-fs.service and systemd-fstab-generager to handle /etc/fstab.

Change-Id: I64a3655f69f80d161b00fad40aef6b0235e71977

spec: remove unused service

- /usr/lib/systemd/systemd-volatile-root
- /usr/lib/systemd/system/systemd-volatile-root.service

Change-Id: Ib3cf266a5ed7bc53ee16a97d7514bfb0bcabd498

Apply SmackProcessLabel=System to system-update-cleanup.service

Change-Id: Ie8fd3b105508ff233d28c9f7e8f97beb12d1b1d7

Apply SmackProcessLabel=System to systemd-boot-check-no-failures.service

Change-Id: I25ff0d8d40a64ee9e9faa87db5ff2ce09bc9e976

spec: disable hibernate feature

Change-Id: Iecb223fc98412d8635b724ca6fc8952457820e45

spec: disable EFI feature

Change-Id: Ia4b0612f77c5bde4615af615bf8747168bb9abda

Apply SmackProcessLabel=System to systemd-OOO.service

- systemd-exit.service
- systemd-poweroff.service
- systemd-reboot.service

Change-Id: Ic5cde17a34fd75ca0157a56dc66534f23db62a15

Revert: Mask individual .wants/.requires symlinks v2

Fix issue that drop-in was not applied

Change-Id: I2ed5723a75cf0a5da6bd53faa9713a603985da7b
Signed-off-by: ingi2-kim <ingi2.kim@samsung.com>

Revert "test: add test for prefix unit loading"

This reverts commit 7ce49e656b1377713ade999dfe381807a78313cd.

The previous revert (6927aa2bc09726ff1f071770a8ce0c2ea6430b6b)
reverts more than it is described within its description. As it is
a base for some of subsequent commits in the upstream, they are
silently removed, probably because of conflict resolving.

Prefix unit loading is a feature that is a victim of such silent removal.
Therefore, the feature test is also (temporarily, I hope) removed with
this commit.

Change-Id: Ie82e5a54852ea08c8b3f0561f304fab6f3434aaf

Revert: Mask individual .wants/.requires symlinks

Revert below patches due to performance issue (Avoid increasing IO count)

Refer : https://github.com/systemd/systemd/pull/5231
- core/load-dropin: add more sanity checks on .wants/.requires symlinks
- core: drop code that is now unused
- core: implement masking of .wants/.requires symlinks
- core: when loading .wants and .requires, follow the same logic as .d conf dropins

Change-Id: I9f6712d9df2c6bb25ab736ae6b6d1f5adbf2a691
Signed-off-by: ingi2-kim <ingi2.kim@samsung.com>

Revert: Rework unit loading to take into account all aliases

Revert below patches due to increasing unit loading time (UnitsLoadFinishTimestamp - UnitsLoadStartTimestamp)

Refer: https://github.com/systemd/systemd/pull/13119/commits
- test-unit-file: allow printing of information about specific units
- pid1: drop unit caches only based on mtime
- analyze: add "unit-files" to dump the unit fragment map
- core: restore initialization of u->source_mtime
- pid1: use a cache for all unit aliases
- shared/unit-file: add a function to validate unit alias symlinks
- TEST-15-DROPIN: add test for details of unit aliasing

Change-Id: I1bff89f5851544cda7522bd3ceb398499dac57d4

Apply ASLR for send-booting-done and wait-target-done

Change-Id: I80b6c67671a4c8ebb1cb4afa5d8065a164554800
Signed-off-by: Hyotaek Shim <hyotaek.shim@samsung.com>

Revert "core/path: fix spurious triggering of PathExists= on restart/reload"

This reverts commit d7cf8c24d4ef6ed4c9d711ee82ba57a529baad34.

Change-Id: Ice828460a04862ad41495826566c0be1485bce63

Fix delayed.target

Add binary wait-target-done.c for waiting creation of *.done file.

Change-Id: I0d87c574086073b28aa52dccca3e760914e2abbd
Signed-off-by: Youngjae Cho <y0.cho@samsung.com>

Delayed target: check interval is changed from 1 second to 0.2 seconds.

Change-Id: I2206ada9509d503ac02733d0cb0c1539d932b184
Signed-off-by: INSUN PYO <insun.pyo@samsung.com>

spec: fix indent in systemd.spec

Change-Id: I7b48f4cd8e66e3c52a23305d48466c75e5443845
Signed-off-by: INSUN PYO <insun.pyo@samsung.com>

test-bus-async-match: remove unused variables

Change-Id: I0b900a9b0b04767123110ebcb88174d45fdc8ca3