diff --git a/348a113ca01ff12c03148835428c96c3bd18524a.patch b/348a113ca01ff12c03148835428c96c3bd18524a.patch
new file mode 100644
index 0000000..f991305
--- /dev/null
+++ b/348a113ca01ff12c03148835428c96c3bd18524a.patch
@@ -0,0 +1,25 @@
+From 348a113ca01ff12c03148835428c96c3bd18524a Mon Sep 17 00:00:00 2001
+From: Luca Boccassi
+Date: Wed, 28 Feb 2024 00:52:36 +0000
+Subject: [PATCH] systemctl: fix fallback for pidfd_open permission error
+
+Follow-up for 857945cc5f2a4c1d6aa0bd7532a995c8480b1cc3
+
+(cherry picked from commit 276a254c208fcaea6e00ba353b4d73ad6a75d8da)
+---
+ src/systemctl/systemctl-show.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
+index ce2f6f6db3..ea9dd83fd8 100644
+--- a/src/systemctl/systemctl-show.c
++++ b/src/systemctl/systemctl-show.c
+@@ -2210,7 +2210,7 @@ static int get_unit_dbus_path_by_pid(
+ * sends the numeric PID. */
+ 
+ pidfd = pidfd_open(pid, 0);
+- if (pidfd < 0 && ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno))
++ if (pidfd < 0 && (ERRNO_IS_NOT_SUPPORTED(errno) || ERRNO_IS_PRIVILEGE(errno)))
+ return get_unit_dbus_path_by_pid_fallback(bus, pid, ret_path, ret_unit);
+ if (pidfd < 0)
+ return log_error_errno(errno, "Failed to open PID %"PRIu32": %m", pid);
diff --git a/a3f3d470abf174217597d7a06c188f10300f7f4a.patch b/a3f3d470abf174217597d7a06c188f10300f7f4a.patch
new file mode 100644
index 0000000..9c05313
--- /dev/null
+++ b/a3f3d470abf174217597d7a06c188f10300f7f4a.patch
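Review bot: The new condition falls back to the numeric-PID D-Bus lookup silently on EPERM, which gives up the PID-reuse protection that the pidfd path exists for without leaving any trace; I'd add a debug line before returning, e.g. `log_debug_errno(errno, "pidfd_open(%" PRIu32 ") failed, falling back to numeric PID lookup: %m", pid);`. The fix to the condition itself is correct: the old `&& !ERRNO_IS_PRIVILEGE(errno)` could never be false once ERRNO_IS_NOT_SUPPORTED() held, so EPERM previously fell through to the hard error. Which environments actually return EPERM from pidfd_open() (a seccomp filter, presumably) is not visible here, so how broad the fallback's reach is cannot be judged from this hunk. The comment above the call is cut off and get_unit_dbus_path_by_pid() starts and ends outside the hunk.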
@@ -0,0 +1,119 @@
+From a3f3d470abf174217597d7a06c188f10300f7f4a Mon Sep 17 00:00:00 2001
+From: Benjamin Peterson
+Date: Mon, 25 Sep 2023 07:23:27 -0700
+Subject: [PATCH] resolve: tolerate merging a zero-ttl RR and a nonzero-ttl RR
+ if not mDNS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+resolved rejected RRsets containing a RR with a zero TTL and a RR with a nonzero TTL. In practice—see the linked issues—, this case triggered when an AF_UNSPEC query to a CNAMEd domain returned a zero TTL for the CNAME on one address family and a nonzero TTL for the CNAME on the other address family.
+
+The zero-nonzero TTL check cites RFC 2181 § 5.2 in a comment. That section says DNS clients should reject any RRset containing differing TTLs, which the check only implements a very special case of. That the old behavior caused real-world false NXDOMAIN results is reason enough to completely ignore the RFC's recommendation. However, mDNS treats zero TTLs specially, so the error case needs to be kept for mDNS.
+
+Fixes https://github.com/systemd/systemd/issues/22177
+Fixes https://github.com/systemd/systemd/issues/20617
+Fixes https://github.com/systemd/systemd/issues/19118
+
+(cherry picked from commit 8ec951e8d5cdd3ad632b1cbd8bcbe21d68b17512)
+
+Related to https://github.com/systemd/systemd-stable/issues/336
+---
+ src/resolve/resolved-dns-answer.c | 22 +++++++++++++++++-----
+ src/resolve/resolved-dns-answer.h | 17 +++++++++--------
+ src/resolve/resolved-dns-packet.c | 7 +++++--
+ src/resolve/resolved-mdns.c | 2 +-
+ 4 files changed, 32 insertions(+), 16 deletions(-)
+
+diff --git a/src/resolve/resolved-dns-answer.c b/src/resolve/resolved-dns-answer.c
+index 3d42b0d000..bf023a77e4 100644
+--- a/src/resolve/resolved-dns-answer.c
++++ b/src/resolve/resolved-dns-answer.c
+@@ -181,11 +181,23 @@ int dns_answer_add(
+ 
+ exist = ordered_set_get(a->items, &tmp);
+ if (exist) {
+- /* There's already an RR of the same RRset in place! 
Let's see if the TTLs more or less
+- * match. We don't really care if they match precisely, but we do care whether one is 0 and
+- * the other is not. See RFC 2181, Section 5.2. */
+- if ((rr->ttl == 0) != (exist->rr->ttl == 0))
+- return -EINVAL;
++ /* There's already an RR of the same RRset in place! Let's see if the TTLs more or
++ * less match. RFC 2181, Section 5.2 suggests clients should reject RRsets
++ * containing RRs with differing TTLs. We are more tolerant of this situation except
++ * if one RR has a zero TTL and the other a nonzero TTL. In mDNS, zero TTLs are
++ * special, so we must error in that case. */
++ if ((rr->ttl == 0) != (exist->rr->ttl == 0)) {
++ if ((exist->flags | flags) & DNS_ANSWER_REFUSE_TTL_NO_MATCH)
++ return log_debug_errno(
++ SYNTHETIC_ERRNO(EINVAL),
++ "Refusing to merge RRs with zero TTL and non-zero TTL: %s vs. %s",
++ dns_resource_record_to_string(rr),
++ dns_resource_record_to_string(exist->rr));
++
++ log_debug("Merging RRs with zero TTL and non-zero TTL (not RFC 2181/5.2 compliant): %s vs. %s",
++ dns_resource_record_to_string(rr),
++ dns_resource_record_to_string(exist->rr));
++ }
+ 
+ /* Entry already exists, keep the entry with the higher TTL. */
+ if (rr->ttl > exist->rr->ttl) {
+diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
+index 93afea32d5..068803c6cb 100644
+--- a/src/resolve/resolved-dns-answer.h
++++ b/src/resolve/resolved-dns-answer.h
+@@ -14,14 +14,15 @@ typedef struct DnsAnswerItem DnsAnswerItem;
+ * Note that we usually encode the empty DnsAnswer object as a simple NULL. 
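Review bot: The new comment says the code is tolerant "except if one RR has a zero TTL and the other a nonzero TTL", but the branch below it refuses that mix only when DNS_ANSWER_REFUSE_TTL_NO_MATCH is set on either item and merges it otherwise, so the comment contradicts the code it introduces; I'd reword its last two sentences to `* We are tolerant of differing TTLs, including a zero/nonzero mix, unless an item carries` / `* DNS_ANSWER_REFUSE_TTL_NO_MATCH (set for mDNS, where a zero TTL is special and must not be merged). */`. The same comment should also say what happens on the tolerant path: execution falls through to the "keep the entry with the higher TTL" step, so a zero-TTL record (which the server asked not to be cached) is replaced by the nonzero-TTL one and may end up cached for that longer lifetime. RFC 2181 §5.2 tells clients that do accept such an RRset to treat all RRs as having the lowest TTL, so if the tolerant path stays, preferring the lower TTL in this specific branch would be the more conservative choice; whether anything downstream relies on the higher TTL winning is not visible here. dns_answer_add() starts before the hunk and continues after it.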
*/
+ 
+ typedef enum DnsAnswerFlags {
+- DNS_ANSWER_AUTHENTICATED = 1 << 0, /* Item has been authenticated */
+- DNS_ANSWER_CACHEABLE = 1 << 1, /* Item is subject to caching */
+- DNS_ANSWER_SHARED_OWNER = 1 << 2, /* For mDNS: RRset may be owner by multiple peers */
+- DNS_ANSWER_CACHE_FLUSH = 1 << 3, /* For mDNS: sets cache-flush bit in the rrclass of response records */
+- DNS_ANSWER_GOODBYE = 1 << 4, /* For mDNS: item is subject to disappear */
+- DNS_ANSWER_SECTION_ANSWER = 1 << 5, /* When parsing: RR originates from answer section */
+- DNS_ANSWER_SECTION_AUTHORITY = 1 << 6, /* When parsing: RR originates from authority section */
+- DNS_ANSWER_SECTION_ADDITIONAL = 1 << 7, /* When parsing: RR originates from additional section */
++ DNS_ANSWER_AUTHENTICATED = 1 << 0, /* Item has been authenticated */
++ DNS_ANSWER_CACHEABLE = 1 << 1, /* Item is subject to caching */
++ DNS_ANSWER_SHARED_OWNER = 1 << 2, /* For mDNS: RRset may be owner by multiple peers */
++ DNS_ANSWER_CACHE_FLUSH = 1 << 3, /* For mDNS: sets cache-flush bit in the rrclass of response records */
++ DNS_ANSWER_GOODBYE = 1 << 4, /* For mDNS: item is subject to disappear */
++ DNS_ANSWER_SECTION_ANSWER = 1 << 5, /* When parsing: RR originates from answer section */
++ DNS_ANSWER_SECTION_AUTHORITY = 1 << 6, /* When parsing: RR originates from authority section */
++ DNS_ANSWER_SECTION_ADDITIONAL = 1 << 7, /* When parsing: RR originates from additional section */
++ DNS_ANSWER_REFUSE_TTL_NO_MATCH = 1 << 8, /* For mDNS; refuse to merge a zero TTL RR with a nonzero TTL RR */
+ 
+ DNS_ANSWER_MASK_SECTIONS = DNS_ANSWER_SECTION_ANSWER|
+ DNS_ANSWER_SECTION_AUTHORITY|
+diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
+index 5338b5ec3d..426711b061 100644
+--- a/src/resolve/resolved-dns-packet.c
++++ b/src/resolve/resolved-dns-packet.c
+@@ -2365,8 +2365,11 @@ static int dns_packet_extract_answer(DnsPacket *p, DnsAnswer **ret_answer) {
+ } else {
+ DnsAnswerFlags flags = 0;
+ 
+- if (p->protocol == DNS_PROTOCOL_MDNS && !cache_flush)
+- flags |= DNS_ANSWER_SHARED_OWNER;
++ if (p->protocol == DNS_PROTOCOL_MDNS) {
++ flags |= DNS_ANSWER_REFUSE_TTL_NO_MATCH;
++ if (!cache_flush)
++ flags |= DNS_ANSWER_SHARED_OWNER;
++ }
+ 
+ /* According to RFC 4795, section 2.9. only the RRs from the Answer section shall be
+ * cached. Hence mark only those RRs as cacheable by default, but not the ones from
+diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c
+index 73bc576fe1..3e6e83fe62 100644
+--- a/src/resolve/resolved-mdns.c
++++ b/src/resolve/resolved-mdns.c
+@@ -315,7 +315,7 @@ static int mdns_scope_process_query(DnsScope *s, DnsPacket *p) {
+ }
+ 
+ DNS_ANSWER_FOREACH_ITEM(item, answer) {
+- DnsAnswerFlags flags = item->flags;
++ DnsAnswerFlags flags = item->flags | DNS_ANSWER_REFUSE_TTL_NO_MATCH;
+ /* The cache-flush bit must not be set in legacy unicast responses.
+ * See section 6.7 of RFC 6762. */
+ if (legacy_query)
diff --git a/sources b/sources
index 1f589c0..c61f711 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (systemd-254.9.tar.gz) = a0300693a044cfe4c76deb0e3e48a927125eb97c3952c07ba68936f1e093c93506d8044b249b534b8e778ade6143b43194f8d6b721a8cd520bc7bb4cb3d3e5c1
+SHA512 (systemd-254.10.tar.gz) = 0c127d38d0ade8655ae12172c2edbaa8af68bd29f42d965b988d75e74626846ae859bcf0b39b535c9a99ad8c709ad7575ed4d5ea5bc95ce8729e3caafdb32b70
diff --git a/systemd.spec b/systemd.spec
index 78a1a66..9424d9d 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -35,7 +35,7 @@ Name: systemd
 Url: https://systemd.io
 %if %{without inplace}
-Version: 254.9
+Version: 254.10
 %else
 # determine the build information from local checkout
 Version: %(tools/meson-vcs-tag.sh . error | sed -r 's/-([0-9])/.^\1/; s/-g/_g/')
@@ -120,6 +120,10 @@ Patch0010: 0001-core-add-new-PollLimit-settings-to-.socket-units.patch
 Patch0011: 0002-man-document-the-new-PollLimitIntervalSec-PollLimitB.patch
 Patch0012: 0003-ci-add-test-for-poll-limit.patch
+# Yet-untagged patches from v254-stable
+Patch0100: https://github.com/systemd/systemd-stable/commit/a3f3d470abf174217597d7a06c188f10300f7f4a.patch
+Patch0101: https://github.com/systemd/systemd-stable/commit/348a113ca01ff12c03148835428c96c3bd18524a.patch
+
 # Those are downstream-only patches, but we don't want them in packit builds:
 # https://bugzilla.redhat.com/show_bug.cgi?id=1738828
 Patch0490: use-bfq-scheduler.patch