[PATCH] coredump filter: fix stack overflow with =all
We translate 'all' to UNIT64_MAX, which has a lot more 'f's. Use the
helper macro, since a decimal uint64_t will always be >> than a hex
representation.
root@image:~# systemd-run -t --property CoredumpFilter=all ls /tmp
Running as unit: run-u13.service
Press ^] three times within 1s to disconnect TTY.
*** stack smashing detected ***: terminated
[137256.320511] systemd[1]: run-u13.service: Main process exited, code=dumped, status=6/ABRT
[137256.320850] systemd[1]: run-u13.service: Failed with result 'core-dump'.
The kernel provides %d which is documented as
"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE".
We already query /proc/pid/auxv for this information, but unfortunately this
check is subject to a race, because the crashed process may be replaced by an
attacker before we read this data, for example replacing a SUID process that
was killed by a signal with another process that is not SUID, tricking us into
making the coredump of the original process readable by the attacker.
With this patch, we effectively add one more check to the list of conditions
that need be satisfied if we are to make the coredump accessible to the user.
No functional change. This change is done in preparation for future changes.
Currently, the list of fields which are received on the command line is a
strict subset of the fields which are always expected to be received on a
socket. But when we add new kernel args in the future, we'll have two
non-overlapping sets and this approach will not work. Get rid of the variable
and enumerate the required fields. This set will never change, so this is
actually more maintainable.
The message with the hint where to add new fields is switched with
_META_ARGV_MAX. The new order is more correct.
coredump: restore compatibility with older patterns
This was broken in f45b8015513d38ee5f7cc361db9c5b88c9aae704. Unfortunately
the review does not talk about backward compatibility at all. There are
two places where it matters:
- During upgrades, the replacement of kernel.core_pattern is asynchronous.
For example, during rpm upgrades, it would be updated a post-transaction
file trigger. In other scenarios, the update might only happen after
reboot. We have a potentially long window where the old pattern is in
place. We need to capture coredumps during upgrades too.
- With --backtrace. The interface of --backtrace, in hindsight, is not
great. But there are users of --backtrace which were written to use
a specific set of arguments, and we can't just break compatiblity.
One example is systemd-coredump-python, but there are also reports of
users using --backtrace to generate coredump logs.
Thus, we require the original set of args, and will use the additional args if
found.
A test is added to verify that --backtrace works with and without the optional
args.
Ronan Pigott [Sun, 25 Feb 2024 07:23:32 +0000 (00:23 -0700)]
resolved: reduce the maximum nsec3 iterations to 100
According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.
Gbp-Pq: Name 0003-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
Ronan Pigott [Sun, 25 Feb 2024 01:21:24 +0000 (18:21 -0700)]
resolved: limit the number of signature validations in a transaction
It has been demonstrated that tolerating an unbounded number of dnssec
signature validations is a bad idea. It is easy for a maliciously
crafted DNS reply to contain as many keytag collisions as desired,
causing us to iterate every dnskey and signature combination in vain.
The solution is to impose a maximum number of validations we will
tolerate. While collisions are not hard to craft, I still expect they
are unlikely in the wild so it should be safe to pick fairly small
values.
Here two limits are imposed: one on the maximum number of invalid
signatures encountered per rrset, and another on the total number of
validations performed per transaction.
Gbp-Pq: Name 0002-resolved-limit-the-number-of-signature-validations-i.patch
Michael Biebl [Mon, 15 Feb 2021 23:18:50 +0000 (00:18 +0100)]
Downgrade a couple of warnings to debug
If a package still ships only a SysV init script or if a service file or
tmpfile uses /var/run, downgrade those messages to debug. We can use
lintian to detect those issues.
For service files and tmpfiles in /etc, keep the warning, as those files
are typically added locally and aren't checked by lintian.
Closes: #981407
Gbp-Pq: Topic debian
Gbp-Pq: Name Downgrade-a-couple-of-warnings-to-debug.patch
systemctl: do not shutdown immediately on scheduled shutdown
When, for whatever reason, a scheduled shutdown fails to be set, systemd
will proceed with immediate shutdown without allowing the user to react.
This is counterintuitive because when a scheduled shutdown is issued,
it means the user wants to shutdown at a specified time in the future,
not immediately. This patch prevents the immediate shutdown and informs
the user that no action will be taken.
Fixes: #17575
Gbp-Pq: Topic debian
Gbp-Pq: Name systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch
Michael Biebl [Thu, 15 Oct 2020 21:11:01 +0000 (23:11 +0200)]
Move sysusers.d/sysctl.d/binfmt.d/modules-load.d back to /usr
In Debian, late mounting of /usr is no longer supported, so it is safe
to install those files in /usr.
We want those facilities in /usr, not /, as this will make an eventual
switch to a merged-usr setup easier.
Closes: #971282
Gbp-Pq: Topic debian
Gbp-Pq: Name Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch
Michael Biebl [Mon, 17 Aug 2020 20:11:19 +0000 (22:11 +0200)]
Keep journal files compatible with older versions
Disable the KEYED-HASH journal feature by default and keep LZ4 (instead
of ZSTD) as default compression for new journal files. Otherwise journal
files are incompatible and can't be read by older journalctl
implementations.
This patch can be dropped in bullseye+1, as journalctl from bullseye
will then be able to read journal files with those features.
Closes: #968055
Gbp-Pq: Topic debian
Gbp-Pq: Name Keep-journal-files-compatible-with-older-versions.patch
Michael Biebl [Tue, 19 Nov 2019 08:10:23 +0000 (09:10 +0100)]
udev: drop SystemCallArchitectures=native from systemd-udevd.service
We can't really control what helper programs are run from other udev
rules. E.g. running i386 binaries under amd64 is a valid use case and
should not trigger a SIGSYS failure.
Closes: #869719
Gbp-Pq: Topic debian
Gbp-Pq: Name udev-drop-SystemCallArchitectures-native-from-systemd-ude.patch
Michael Biebl [Wed, 18 Jul 2018 21:49:16 +0000 (23:49 +0200)]
Drop seccomp system call filter for udev
The seccomp based system call whitelist requires at least systemd 239 to
be the active init and during a dist-upgrade we can't guarantee that
systemd has been fully configured before udev is restarted.
Martin Pitt [Wed, 18 Jan 2017 10:21:35 +0000 (11:21 +0100)]
Add env variable for machine ID path
During package build, in minimal chroots, or other systems which do not already
have an /etc/machine-id we get six test failures. Introduce a
$SYSTEMD_MACHINE_ID_PATH environment variable which can specify a location
other than /etc/machine-id, so that the unit tests are independent from the
environment.
Also adjust test-fs-util to not assume that /etc/machine-id exists. Use
/etc/passwd instead which is created by base-files.
Martin Pitt [Sat, 27 Feb 2016 11:27:06 +0000 (12:27 +0100)]
Revert "core: set RLIMIT_CORE to unlimited by default"
Partially revert commit 15a900327ab as this completely breaks core dumps
without systemd-coredump. It's also contradicting core(8), and it's not
systemd's place to redefine the kernel definitions of core files.
Commit bdfd7b2c now honours the process' RLIMIT_CORE for systemd-coredump. This
isn't what RLIMIT_CORE is supposed to do (it limits the size of the core
*file*, but the kernel deliberately ignores it for piping), so set a static
2^63 core size limit for systemd-coredump to go back to the previous behaviour
(otherwise the change above would break systemd-coredump).
Bug-Debian: https://bugs.debian.org/815020
Gbp-Pq: Topic debian
Gbp-Pq: Name Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
Martin Pitt [Mon, 27 Apr 2015 13:29:13 +0000 (15:29 +0200)]
Revert "core: one step back again, for nspawn we actually can't wait for cgroups running empty since systemd will get exactly zero notifications about it"
Didier Roche [Fri, 22 May 2015 11:04:38 +0000 (13:04 +0200)]
fsckd daemon for inter-fsckd communication
Global logic:
Add systemd-fsckd multiplexer which accepts multiple (via systemd-fsck's
/run/systemd/fsck.progress socket) fsck instances to connect to it and sends
progress report. systemd-fsckd then computes and writes to /dev/console the
number of devices currently being checked and the minimum fsck progress.
Plymouth and user interaction:
Forward the progress to plymouth and support canellation of in progress fsck.
Try to connect and send to plymouth (if running) some checked report progress,
using direct plymouth protocole.
Update message is the following:
fsckd:<num_devices>:<progress>:<string>
* num_devices corresponds to the current number of devices being checked (int)
* progress corresponds to the current minimum percentage of all devices being
checked (float, from 0 to 100)
* string is a translated message ready to be displayed by the plymouth theme
displaying the information above. It can be overridden by plymouth themes
supporting i18n.
Grab in fsckd plymouth watch key Control+C, and propagate this cancel request
to systemd-fsck which will terminate fsck.
Send a message to signal to user what key we are grabbing for fsck cancel.
Message is: fsckd-cancel-msg:<string>
Where string is a translated string ready to be displayed by the plymouth theme
indicating that Control+C can be used to cancel current checks. It can be
overridden (matching only fsckd-cancel-msg prefix) for themes supporting i18n.
Misc:
systemd-fsckd stops on idle when no fsck is connected.
Add man page explaining the plymouth theme protocol, usage of the daemon
as well as the socket activation part. Adapt existing fsck man page.
Note that fsckd had lived in the upstream tree for a while, but was removed.
More information at
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030175.html
-
Gbp-Pq: Topic debian
Gbp-Pq: Name fsckd-daemon-for-inter-fsckd-communication.patch
Martin Pitt [Mon, 9 Feb 2015 09:53:43 +0000 (10:53 +0100)]
Only start logind if dbus is installed
logind fails to start in environments without dbus, such as LXC containers or
servers. Add a startup condition to avoid the very noisy startup failure.
Part of #772700
Gbp-Pq: Topic debian
Gbp-Pq: Name Only-start-logind-if-dbus-is-installed.patch
for details. Once we grow a journal.conf.d/ directory, sysloggers can be moved
to pulling from the journal one by one and disable forwarding again in such a
conf.d snippet.
Gbp-Pq: Topic debian
Gbp-Pq: Name Re-enable-journal-forwarding-to-syslog.patch
systemd does not support non-mainline kernel features so upstream rejected this
patch.
It is however required for systemd integration by tuxonice-userui package.
Michael Biebl [Thu, 4 Sep 2014 23:15:16 +0000 (01:15 +0200)]
Make /run/lock tmpfs an API fs
The /run/lock directory is world-writable in Debian due to historic
reasons. To avoid user processes filling up /run, we mount a separate
tmpfs for /run/lock. As this directory needs to be available during
early boot, we make it an API fs.
Drop it from tmpfiles.d/legacy.conf to not clobber the permissions.
Closes: #751392
Gbp-Pq: Topic debian
Gbp-Pq: Name Make-run-lock-tmpfs-an-API-fs.patch
I added the filtering in 752fedbea7c02c82287c7ff2a4139f528b3f7ba8 as a way
to reduce the number of items in the tables. I thought it's "obvious", but
it might not be so.
One immediate problem is that the filter is broken, because on arm64,
os.uname().machine returns "aarch64", so we incorrectly filter out the arm
syscalls (there is just one: arm_fadvise64_64). Of course we could fix the
filter, but I think it's better to nuke it altogether. The filter on applies to
1 arm syscall and 5 s390 syscalls, and we have 500+ other syscalls, so this
"optimization" doesn't really matter. OTOH, if we get the filter wrong,
the result is bad. And also, the existence of the filter at all creates
problems for cross-builds.
I wanted to get rid of 'generate-syscall-list.py', but we need to generate a
backslash in the output. https://github.com/mesonbuild/meson/issues/1564 makes
this very very hard, since any attempt to put a backslash an inline argument
results in the backslash being replaces by a forward slash, which doesn't quite
have the same meaning. So let's use a standalone script until
https://github.com/mesonbuild/meson/issues/1564 is resolved.
Luca Boccassi [Fri, 26 Jan 2024 00:22:38 +0000 (00:22 +0000)]
test: unset TZ before timezone-sensitive unit tests are run
Some tests have hard-coded results that need to match, and change if
the caller has a timezone set via the TZ= environment variable, as it
is the case during reproducible build tests. Unset it.
We rely on mktime() normalizing the time. The man page does not say that it'll
move the time forward, but our algorithm relies on this. So let's catch this
case explicitly.
With this patch:
$ TZ=Europe/Dublin faketime 2021-03-21 build/systemd-analyze calendar --iterations=5 'Sun *-*-* 01:00:00'
Normalized form: Sun *-*-* 01:00:00
Next elapse: Sun 2021-03-21 01:00:00 GMT
(in UTC): Sun 2021-03-21 01:00:00 UTC
From now: 59min left
Iter. #2: Sun 2021-04-04 01:00:00 IST
(in UTC): Sun 2021-04-04 00:00:00 UTC
From now: 1 weeks 6 days left <---- note the 2 week jump here
Iter. #3: Sun 2021-04-11 01:00:00 IST
(in UTC): Sun 2021-04-11 00:00:00 UTC
From now: 2 weeks 6 days left
Iter. #4: Sun 2021-04-18 01:00:00 IST
(in UTC): Sun 2021-04-18 00:00:00 UTC
From now: 3 weeks 6 days left
Iter. #5: Sun 2021-04-25 01:00:00 IST
(in UTC): Sun 2021-04-25 00:00:00 UTC
From now: 1 months 4 days left
shared/calendarspec: abort calculation after 1000 iterations
We have a bug where we seem to enter an infinite loop when running in the
Europe/Dublin timezone. The timezone is "special" because it has negative SAVE
values. The handling of this should obviously be fixed, but let's use a
belt-and-suspenders approach, and gracefully fail if we fail to find an answer
within a specific number of attempts. The code in this function is rather
complex, and it's hard to rule out another bug in the future.
coredump: do not allow user to access coredumps with changed uid/gid/capabilities
When the user starts a program which elevates its permissions via setuid,
setgid, or capabilities set on the file, it may access additional information
which would then be visible in the coredump. We shouldn't make the the coredump
visible to the user in such cases.
Reported-by: Matthias Gerstner <mgerstner@suse.de>
This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
PROC_AUXV. Before the coredump is submitted, it is parsed and if either
at_secure was set (which the kernel will do for processes that are setuid,
setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
is not made accessible to the user. If we can't access this data, we assume the
file should not be made accessible either. In principle we could also access
the auxv data from a note in the core file, but that is much more complex and
it seems better to use the stand-alone file that is provided by the kernel.
Attaching auxv is both convient for this patch (because this way it's passed
between the stages along with other fields), but I think it makes sense to save
it in general.
We use the information early in the core file to figure out if the program was
32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
whether the format of the auxv structure. This test might reject some cases on
fringe architecutes. But the impact would be limited: we just won't grant the
user permissions to view the coredump file. If people report that we're missing
some cases, we can always enhance this to support more architectures.
I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
ppc64el, but not the whole coredump handling.
Michael Biebl [Wed, 12 Oct 2022 09:07:57 +0000 (11:07 +0200)]
logind: fix getting property OnExternalPower via D-Bus
The BUS_DEFINE_PROPERTY_GET_GLOBAL macro requires a value as third
argument, so we need to call manager_is_on_external_power(). Otherwise
the function pointer is interpreted as a boolean and always returns
true:
```
$ busctl get-property org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager OnExternalPower
b true
$ /lib/systemd/systemd-ac-power --verbose
no
```
Yu Watanabe [Thu, 3 Nov 2022 00:39:36 +0000 (09:39 +0900)]
udev: first set properties based on usb subsystem
After 479da1107a0d4e2f7ef5cd938512b87a0e45f180, the usb_id builtin
command does not set ID_SERIAL if ID_BUS is already set.
Before the commit, all properties set based on pci bus were overwritten
by the usb_id, hence now it is sufficient setting them only when ID_BUS is
not set yet.
The patch seems to cause usb devices to get some attributes set from the parent
PCI device. 'hwdb' builtin has support for breaking iteration upwards on usb
devices. But when '--subsystem=foo' is specified, iteration is continued. I'm
sure it *could* be figured out, but it seems hard to get all the combinations
correct. So let's revert to functional status quo ante, even if does the lookup
more than once unnecessarily.
Yu Watanabe [Sun, 30 Oct 2022 00:43:05 +0000 (09:43 +0900)]
udev: always create device symlinks for USB disks
Previously, ata_id might not be able to retrieve attributes correctly,
and properties from usb_id were used as a fallback. See issue #24921
and PR #24923. To keep backward compatibility, still we need to create
symlinks based on USB serial.
Fixes #25179.
Gbp-Pq: Name udev-always-create-device-symlinks-for-USB-disks.patch
Aleksey Vasenev [Wed, 5 Oct 2022 19:33:53 +0000 (22:33 +0300)]
ata_id: Fixed getting Response Code from SCSI Sense Data (#24921)
The Response Code is contained in the first byte of the SCSI Sense Data.
Bit number 7 is reserved or has a different meaning for some Response Codes
and is set to 1 for some drives.
Boqun Feng [Wed, 13 Oct 2021 03:32:09 +0000 (11:32 +0800)]
virt: Support detection for ARM64 Hyper-V guests
The detection of Microsoft Hyper-V VMs is done by cpuid currently,
however there is no cpuid on ARM64. And since ARM64 is now a supported
architecture for Microsoft Hyper-V guests[1], then use DMI tables to
detect a Hyper-V guest, which is more generic and works for ARM64.
As far as I can see, we use this to get a list of ARPHRD_* defines (used in
particular for Type= in .link files). If we drop our copy, and build against
old kernel headers, the user will have a shorter list of types available. This
seems OK, and I don't think it's worth carrying our own version of this file
just to have newest possible entries.
7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd
have to update it every time the kernel adds new entries. But if we look at
the failure carefully:
src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’?
65 | MCTP, ARPHRD_MCTP
| ^~
| ARPHRD_FCPP
we see that the list we were generating was from the system headers, so it was
only as good as the system headers anyway, without the newer entries in our
bundled copy, if there were any. So let's make things simpler by always using
system headers.
And if somebody wants to fix things so that we always have the newest list,
then we should just generate and store the converted list, not the full header.
Luca Boccassi [Wed, 13 Jan 2021 23:52:00 +0000 (23:52 +0000)]
machine: enter target PID namespace when adding a live mount
machinectl fails since 21935150a0c42b91a322105f6a9129116bfc8e2e as it's now
mounting onto a file descriptor in a target namespace, without joining the
target's PID namespace.
Note that it's not enough to setns CLONE_NEWPID, but a double-fork is required
as well, as implemented by namespace_fork().
Add a test case to TEST-13-NSPAWN to cover this use case.
shared/rm-rf: loop over nested directories instead of instead of recursing
To remove directory structures, we need to remove the innermost items first,
and then recursively remove higher-level directories. We would recursively
descend into directories and invoke rm_rf_children and rm_rm_children_inner.
This is problematic when too many directories are nested.
Instead, let's create a "TODO" queue. In the the queue, for each level we
hold the DIR* object we were working on, and the name of the directory. This
allows us to leave a partially-processed directory, and restart the removal
loop one level down. When done with the inner directory, we use the name to
unlinkat() it from the parent, and proceed with the removal of other items.
Because the nesting is increased by one level, it is best to view this patch
with -b/--ignore-space-change.
This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
The issue was reported and patches reviewed by Qualys Team.
Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
The path may have unbounded length, for example through a fuse mount.
CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.
The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before 7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
network: Delay addition of IPv6 Proxy NDP addresses
Setting of IPv6 Proxy NDP addresses must be done at the same
time as static addresses, static routes, and other link attributes
that must be configured when the link is up. Doing this ensures
that they are reconfigured on the link if the link goes down
and returns to service.
LoadCredentials=foo causes an assertion to be triggered, as we
are not checking that the rvalue's right hand side part is non-empty
before using it in unit_full_printf.
Jan Tojnar [Sat, 2 Jan 2021 01:46:33 +0000 (02:46 +0100)]
pkg-config: make prefix overridable again
While we don't support prefix being != /usr, and this is hardcoded
all over the place, variables in pkg-config file are expected
to have overridable base directory.
This is important for at least the following two use cases:
- Installing projects to non-FHS package-specific prefixes for Nix-style
package managers. Of course, it is then their responsibility
to ensure systemd can find the service files.
- Installing to local path for development purposes.
This is a compromise between running a program from a build directory,
and running it fully installed to system prefix.
You will not want to write to system prefix in either case.
For more information, see also
https://www.bassi.io/articles/2018/03/15/pkg-config-and-paths/
rules: Move ID_SMARTCARD_READER definition to a <70 configuration.
70-uaccess.rules sets the uaccess tag on devices with ID_SMARTCARD_READER
set, but it is set in 99-systemd.rules .
Move this to a 60-*.rules which already matches USB CCID class, factorising
the matching, so 70-uaccess.rules sets up these devices as expected.
Nominally, the bug was in unit_load_dropin(), which just took the last mtime
instead of calculating the maximum. But instead of adding code to wrap the
loop, this patch goes in the other direction.
All (correct) callers of config_parse() followed a very similar pattern to
calculate the maximum mtime. So let's simplify things by making config_parse()
assume that mtime is initialized and update it to the maximum. This makes all
the callers that care about mtime simpler and also fixes the issue in
unit_load_dropin().
config_parse_many_nulstr() and config_parse_many() are different, because it
makes sense to call them just once, and current ret_mtime behaviour make sense.
Matthias Klumpp [Fri, 8 Jan 2021 22:59:38 +0000 (23:59 +0100)]
localed: Run locale-gen if available to generate missing locale
This change improves integration with distributions using locale-gen to
generate missing locale on-demand, like Debian-based distributions
(Debian/Ubuntu/PureOS/Tanglu/...) and Arch Linux.
We only ever enable new locales for generation, and never disable them.
Furthermore, we only generate UTF-8 locale.
This feature is only used if explicitly enabled at compile-time, and
will also be inert at runtime if the locale-gen binary is missing.
* Non-maintainer upload by the LTS Team.
* debian/patches/:
- CVE-2025-4598-{0,1,2,3,4}.patch: import and backport patches
from upstream to fix CVE-2025-4598.
- fix-stack-overflow-in-coredump-filter-{0,1,2}.patch: import and
backport patches from upstream to fix CoredumpFilter=all overflow.
* debian/salsa-ci.yml: add (E)LTS pipeline for bullseye.
Ronan Pigott [Sun, 25 Feb 2024 07:23:32 +0000 (00:23 -0700)]
resolved: reduce the maximum nsec3 iterations to 100
According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.
Gbp-Pq: Name 0003-resolved-reduce-the-maximum-nsec3-iterations-to-100.patch
Ronan Pigott [Sun, 25 Feb 2024 01:21:24 +0000 (18:21 -0700)]
resolved: limit the number of signature validations in a transaction
It has been demonstrated that tolerating an unbounded number of dnssec
signature validations is a bad idea. It is easy for a maliciously
crafted DNS reply to contain as many keytag collisions as desired,
causing us to iterate every dnskey and signature combination in vain.
The solution is to impose a maximum number of validations we will
tolerate. While collisions are not hard to craft, I still expect they
are unlikely in the wild so it should be safe to pick fairly small
values.
Here two limits are imposed: one on the maximum number of invalid
signatures encountered per rrset, and another on the total number of
validations performed per transaction.
Gbp-Pq: Name 0002-resolved-limit-the-number-of-signature-validations-i.patch
Michael Biebl [Mon, 15 Feb 2021 23:18:50 +0000 (00:18 +0100)]
Downgrade a couple of warnings to debug
If a package still ships only a SysV init script or if a service file or
tmpfile uses /var/run, downgrade those messages to debug. We can use
lintian to detect those issues.
For service files and tmpfiles in /etc, keep the warning, as those files
are typically added locally and aren't checked by lintian.
Closes: #981407
Gbp-Pq: Topic debian
Gbp-Pq: Name Downgrade-a-couple-of-warnings-to-debug.patch
systemctl: do not shutdown immediately on scheduled shutdown
When, for whatever reason, a scheduled shutdown fails to be set, systemd
will proceed with immediate shutdown without allowing the user to react.
This is counterintuitive because when a scheduled shutdown is issued,
it means the user wants to shutdown at a specified time in the future,
not immediately. This patch prevents the immediate shutdown and informs
the user that no action will be taken.
Fixes: #17575
Gbp-Pq: Topic debian
Gbp-Pq: Name systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch
Michael Biebl [Thu, 15 Oct 2020 21:11:01 +0000 (23:11 +0200)]
Move sysusers.d/sysctl.d/binfmt.d/modules-load.d back to /usr
In Debian, late mounting of /usr is no longer supported, so it is safe
to install those files in /usr.
We want those facilities in /usr, not /, as this will make an eventual
switch to a merged-usr setup easier.
Closes: #971282
Gbp-Pq: Topic debian
Gbp-Pq: Name Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-back-to-.patch
Michael Biebl [Mon, 17 Aug 2020 20:11:19 +0000 (22:11 +0200)]
Keep journal files compatible with older versions
Disable the KEYED-HASH journal feature by default and keep LZ4 (instead
of ZSTD) as default compression for new journal files. Otherwise journal
files are incompatible and can't be read by older journalctl
implementations.
This patch can be dropped in bullseye+1, as journalctl from bullseye
will then be able to read journal files with those features.
Closes: #968055
Gbp-Pq: Topic debian
Gbp-Pq: Name Keep-journal-files-compatible-with-older-versions.patch
Michael Biebl [Tue, 19 Nov 2019 08:10:23 +0000 (09:10 +0100)]
udev: drop SystemCallArchitectures=native from systemd-udevd.service
We can't really control what helper programs are run from other udev
rules. E.g. running i386 binaries under amd64 is a valid use case and
should not trigger a SIGSYS failure.
Closes: #869719
Gbp-Pq: Topic debian
Gbp-Pq: Name udev-drop-SystemCallArchitectures-native-from-systemd-ude.patch
Michael Biebl [Wed, 18 Jul 2018 21:49:16 +0000 (23:49 +0200)]
Drop seccomp system call filter for udev
The seccomp based system call whitelist requires at least systemd 239 to
be the active init and during a dist-upgrade we can't guarantee that
systemd has been fully configured before udev is restarted.
projects / systemd.git / log