Bug#933125: buster-pu: package systemd/241-5+deb10u1
Michael Biebl
biebl at debian.org
Fri Jul 26 20:43:12 BST 2019
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
Hi,
I'd like to make a stable upload for systemd, fixing the following
issues:
systemd (241-5+deb10u1) buster; urgency=medium
* ask-password: Prevent buffer overflow when reading from keyring.
Fixes a possible memory corruption that causes systemd-cryptsetup to
crash either when a single large password is used or when multiple
passwords have already been pushed to the keyring. (Closes: #929726)
https://salsa.debian.org/systemd-team/systemd/commit/3baec22e1fcd89a3b6d93d9a3e59bf7fa7114714
* Clarify documentation regarding %h/%u/%U specifiers.
Make it clear that setting "User=" has no effect on those specifiers.
Also ensure that "%h" is actually resolved to "/root" for the system
manager instance as documented in the systemd.unit man page.
(Closes: #927911)
https://salsa.debian.org/systemd-team/systemd/commit/fef3138711bd858d1718b458d257fa73317d532d
* network: Behave more gracefully when IPv6 has been disabled.
Ignore any configured IPv6 settings when IPv6 has been disabled in the
kernel via sysctl. Instead of failing completely, continue and log a
warning instead. (Closes: #929469)
https://salsa.debian.org/systemd-team/systemd/commit/2f37176282a3f02d8839158441ba70fe3975d2b0
* network: Fix failure to bring up interface with Linux kernel 5.2.
Backport two patches from systemd master in order to fix a bug with 5.2
kernels where the network interface fails to come up with the following
error: "enp3s0: Could not bring up interface: Invalid argument"
(Closes: #931636)
https://salsa.debian.org/systemd-team/systemd/commit/cce6b9e2c23c315659147cb28ad1a8947995a997
* Use /usr/sbin/nologin as nologin shell.
In Debian the nologin shell is installed in /usr/sbin, not /sbin.
(Closes: #931850)
https://salsa.debian.org/systemd-team/systemd/commit/b0c697c519b731094d4ad11ae59afd76c1901aae
[ Mert Dirik ]
* 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
(Closes: #931719)
https://salsa.debian.org/systemd-team/systemd/commit/3f1c8e9d4c9bc5f49a13b2415f8f8845423f347f
241-5+deb10u1 is identical to 241-7, which has been uploaded to
unstable/bullseye, and we haven't received any regression reports so far.
None of those changes should touch udev-udeb, i.e. d-i.
That said, I've added kibi/debian-boot to CC for his ack.
Regards,
Michael
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index ed55c95..a421cb9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,33 @@
+systemd (241-5+deb10u1) buster; urgency=medium
+
+ * ask-password: Prevent buffer overflow when reading from keyring.
+ Fixes a possible memory corruption that causes systemd-cryptsetup to
+ crash either when a single large password is used or when multiple
+ passwords have already been pushed to the keyring. (Closes: #929726)
+ * Clarify documentation regarding %h/%u/%U specifiers.
+ Make it clear, that setting "User=" has no effect on those specifiers.
+ Also ensure that "%h" is actually resolved to "/root" for the system
+ manager instance as documented in the systemd.unit man page.
+ (Closes: #927911)
+ * network: Behave more gracefully when IPv6 has been disabled.
+ Ignore any configured IPv6 settings when IPv6 has been disabled in the
+ kernel via sysctl. Instead of failing completely, continue and log a
+ warning instead. (Closes: #929469)
+ * network: Fix failure to bring up interface with Linux kernel 5.2.
+ Backport two patches from systemd master in order to fix a bug with 5.2
+ kernels where the network interface fails to come up with the following
+ error: "enp3s0: Could not bring up interface: Invalid argument"
+ (Closes: #931636)
+ * Use /usr/sbin/nologin as nologin shell.
+ In Debian the nologin shell is installed in /usr/sbin, not /sbin.
+ (Closes: #931850)
+
+ [ Mert Dirik ]
+ * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
+ (Closes: #931719)
+
+ -- Michael Biebl <biebl at debian.org> Fri, 26 Jul 2019 21:32:04 +0200
+
systemd (241-5) unstable; urgency=medium
* Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
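Review bot: the entry "Backport two patches from systemd master" does not say which patches it means; naming the patch files (or the upstream commit ids, as the cover mail does with the salsa links) in the changelog would make this stable update easier to audit later. Minor style point in the same hunk: "Make it clear, that setting" has a stray comma.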
diff --git a/debian/extra/init-functions.d/40-systemd b/debian/extra/init-functions.d/40-systemd
index 4fa9b9c..e944acb 100644
--- a/debian/extra/init-functions.d/40-systemd
+++ b/debian/extra/init-functions.d/40-systemd
@@ -8,12 +8,12 @@ if [ -d /run/systemd/system ]; then
executable="$__init_d_script_name"
argument="$1"
elif [ "${0##*/}" = "init-d-script" ] ||
- [ "${0##*/}" = "${1##*/}" ]; then # scripts run with old init-d-script
+ [ "${0##*/}" = "${1:-}" ]; then # scripts run with old init-d-script
executable="$1"
argument="$2"
else # plain old scripts
executable="$0"
- argument="$1"
+ argument="${1:-}"
fi
prog=${executable##*/}
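Review bot: the replacement on the `elif` line changes the comparison, not only the unset-variable handling: `"${1##*/}"` compared the basename of `$1` with the basename of `$0`, while `"${1:-}"` compares the full first argument, so a script invoked with a path as its first argument no longer matches this branch. If the basename comparison is still wanted, assign first and strip afterwards, e.g. `first="${1:-}"` followed by `[ "${0##*/}" = "${first##*/}" ]`, which is safe under `set -u`. The `argument="${1:-}"` change in the else branch is fine as is.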
diff --git a/debian/patches/ask-password-prevent-buffer-overflow-when-reading-from-ke.patch b/debian/patches/ask-password-prevent-buffer-overflow-when-reading-from-ke.patch
new file mode 100644
index 0000000..dc46353
--- /dev/null
+++ b/debian/patches/ask-password-prevent-buffer-overflow-when-reading-from-ke.patch
@@ -0,0 +1,32 @@
+From: Michael Biebl <biebl at debian.org>
+Date: Thu, 27 Jun 2019 15:02:40 +0200
+Subject: ask-password: prevent buffer overflow when reading from keyring
+
+When we read from keyring, a temporary buffer is allocated in order to
+determine the size needed for the entire data. However, when zeroing that area,
+we use the data size returned by the read instead of the lesser size allocate
+for the buffer.
+
+That will cause memory corruption that causes systemd-cryptsetup to crash
+either when a single large password is used or when multiple passwords have
+already been pushed to the keyring.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
+(cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
+---
+ src/shared/ask-password-api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
+index 072bf72..97a800f 100644
+--- a/src/shared/ask-password-api.c
++++ b/src/shared/ask-password-api.c
+@@ -81,7 +81,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
+ if (n < m)
+ break;
+
+- explicit_bzero_safe(p, n);
++ explicit_bzero_safe(p, m);
+ free(p);
+ m *= 2;
+ }
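Review bot: the one-line fix is right and worth spelling out in the description: `m` is the size of the buffer allocated for this attempt and `n` is the payload size reported by the read, so when the key is larger than the buffer (`n > m`, which is the case that does not hit `if (n < m) break;`), `explicit_bzero_safe(p, n)` wrote `n - m` bytes past the allocation before `free(p)`; zeroing `m` bytes scrubs exactly the allocated region and nothing more. Two typos in the embedded commit message: "the lesser size allocate for the buffer" should read "allocated", and "When we read from keyring" would be clearer as "When we read from the keyring".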
diff --git a/debian/patches/core-unset-HOME-that-the-kernel-gives-us.patch b/debian/patches/core-unset-HOME-that-the-kernel-gives-us.patch
new file mode 100644
index 0000000..8ef74c1
--- /dev/null
+++ b/debian/patches/core-unset-HOME-that-the-kernel-gives-us.patch
@@ -0,0 +1,30 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek at in.waw.pl>
+Date: Tue, 21 May 2019 19:26:12 +0200
+Subject: core: unset HOME=/ that the kernel gives us
+
+Partially fixes #12389.
+
+%h would return "/" in a machine, but "/root" in a container. Let's fix
+this by resetting $HOME to the expected value.
+
+(cherry picked from commit 9d48671c62de133a2b9fe7c31e70c0ff8e68f2db)
+---
+ src/core/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 561f956..bc7fcc6 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -1503,6 +1503,11 @@ static int fixup_environment(void) {
+ if (setenv("TERM", t, 1) < 0)
+ return -errno;
+
++ /* The kernels sets HOME=/ for init. Let's undo this. */
++ if (path_equal_ptr(getenv("HOME"), "/") &&
++ unsetenv("HOME") < 0)
++ log_warning_errno(errno, "Failed to unset $HOME: %m");
++
+ return 0;
+ }
+
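Review bot: typo in the added code comment: "The kernels sets HOME=/" should be "The kernel sets HOME=/". Logging the `unsetenv()` failure as a warning rather than failing startup is the right severity for an environment cleanup. It would help the Debian reader if the description also said that this is what makes `%h` resolve to `/root` for the system manager, as the changelog entry claims, since the link between unsetting `$HOME` and the specifier is not obvious from the diff alone.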
diff --git a/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch b/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
index bc52430..f48d841 100644
--- a/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
+++ b/debian/patches/debian/Revert-core-set-RLIMIT_CORE-to-unlimited-by-default.patch
@@ -19,10 +19,10 @@ Bug-Debian: https://bugs.debian.org/815020
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
-index 561f956..9ab9024 100644
+index bc7fcc6..87bee9f 100644
--- a/src/core/main.c
+++ b/src/core/main.c
-@@ -2454,8 +2454,6 @@ int main(int argc, char *argv[]) {
+@@ -2459,8 +2459,6 @@ int main(int argc, char *argv[]) {
kernel_timestamp = DUAL_TIMESTAMP_NULL;
}
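Review bot: pure refresh, no content change: the hunk offset moves from 2454 to 2459, which is exactly the five lines that core-unset-HOME-that-the-kernel-gives-us.patch inserts into src/core/main.c, and the new pre-image blob `bc7fcc6` matches that patch's post-image.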
diff --git a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
index 84aabfb..e4ca7b1 100644
--- a/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
+++ b/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch
@@ -239,10 +239,10 @@ index 0000000..b7ad58d
+
+</refentry>
diff --git a/meson.build b/meson.build
-index d340736..d4887d5 100644
+index 3afe168..b340139 100644
--- a/meson.build
+++ b/meson.build
-@@ -2395,6 +2395,14 @@ executable('systemd-makefs',
+@@ -2396,6 +2396,14 @@ executable('systemd-makefs',
install : true,
install_dir : rootlibexecdir)
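Review bot: refresh only: the meson.build hunk offset moves from 2395 to 2396 for the single `nologin` line that meson-make-nologin-path-build-time-configurable.patch adds to the progs table, and `3afe168` is that patch's post-image blob, so no functional change here.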
diff --git a/debian/patches/man-add-note-that-h-u-U-are-mostly-useless.patch b/debian/patches/man-add-note-that-h-u-U-are-mostly-useless.patch
new file mode 100644
index 0000000..31a95da
--- /dev/null
+++ b/debian/patches/man-add-note-that-h-u-U-are-mostly-useless.patch
@@ -0,0 +1,45 @@
+From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek at in.waw.pl>
+Date: Tue, 21 May 2019 19:31:49 +0200
+Subject: man: add note that %h/%u/%U are mostly useless
+
+Fixes #12389.
+
+(cherry picked from commit b4e2407716731d1ce099bad1c2778f7a4424ed2e)
+---
+ man/systemd.unit.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
+index f21f9ea..be6355d 100644
+--- a/man/systemd.unit.xml
++++ b/man/systemd.unit.xml
+@@ -1580,7 +1580,9 @@
+ <row>
+ <entry><literal>%h</literal></entry>
+ <entry>User home directory</entry>
+- <entry>This is the home directory of the user running the service manager instance. In case of the system manager this resolves to <literal>/root</literal>.</entry>
++ <entry>This is the home directory of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>/root</literal>.
++
++Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%H</literal></entry>
+@@ -1670,12 +1672,16 @@
+ <row>
+ <entry><literal>%u</literal></entry>
+ <entry>User name</entry>
+- <entry>This is the name of the user running the service manager instance. In case of the system manager this resolves to <literal>root</literal>.</entry>
++ <entry>This is the name of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>root</literal>.
++
++Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%U</literal></entry>
+ <entry>User UID</entry>
+- <entry>This is the numeric UID of the user running the service manager instance. In case of the system manager this resolves to <literal>0</literal>.</entry>
++ <entry>This is the numeric UID of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>0</literal>.
++
++Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%v</literal></entry>
diff --git a/debian/patches/meson-make-nologin-path-build-time-configurable.patch b/debian/patches/meson-make-nologin-path-build-time-configurable.patch
new file mode 100644
index 0000000..38c91d7
--- /dev/null
+++ b/debian/patches/meson-make-nologin-path-build-time-configurable.patch
@@ -0,0 +1,354 @@
+From: Michael Biebl <biebl at debian.org>
+Date: Thu, 18 Jul 2019 01:24:00 +0200
+Subject: meson: make nologin path build time configurable
+
+Some distros install nologin as /usr/sbin/nologin, others as
+/sbin/nologin.
+Since we can't really on merged-usr everywhere (where the path wouldn't
+matter), make the path build time configurable via -Dnologin-path=.
+
+Closes #13028
+
+(cherry picked from commit 6db904625d413739c480ddbe7667d3f40acc4ae0)
+---
+ man/nss-mymachines.xml | 4 ++--
+ man/sysusers.d.xml | 4 ++--
+ meson.build | 1 +
+ meson_options.txt | 1 +
+ src/basic/user-util.c | 4 ++--
+ src/nss-mymachines/nss-mymachines.c | 4 ++--
+ src/nss-systemd/nss-systemd.c | 4 ++--
+ src/sysusers/sysusers.c | 2 +-
+ src/test/test-user-util.c | 4 ++--
+ test/TEST-21-SYSUSERS/test-1.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-10.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test-11.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-12.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-2.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-3.expected-passwd | 8 +++----
+ test/TEST-21-SYSUSERS/test-4.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test-5.expected-passwd | 34 +++++++++++++--------------
+ test/TEST-21-SYSUSERS/test-6.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-7.expected-passwd | 10 ++++----
+ test/TEST-21-SYSUSERS/test-8.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-9.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test.sh | 9 ++++++-
+ 22 files changed, 61 insertions(+), 52 deletions(-)
+
+diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
+index 5742d89..5100cd0 100644
+--- a/man/nss-mymachines.xml
++++ b/man/nss-mymachines.xml
+@@ -101,8 +101,8 @@ MACHINE CLASS SERVICE OS VERSION ADDRESSES
+ rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
+
+ $ getent passwd vu-rawhide-0 vu-rawhide-81
+-vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/sbin/nologin
+-vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/sbin/nologin
++vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
++vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
+
+ $ getent group vg-rawhide-0 vg-rawhide-81
+ vg-rawhide-0:*:20119552:
+diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml
+index e47d36c..b470532 100644
+--- a/man/sysusers.d.xml
++++ b/man/sysusers.d.xml
+@@ -207,12 +207,12 @@ u root 0 "Superuser" /root /bin/zsh</pro
+ <title>Shell</title>
+
+ <para>The login shell of the user. If not specified, this will be set to
+- <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
++ <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
+ which case <filename>/bin/sh</filename> will be used.</para>
+
+ <para>Only applies to lines of type <varname>u</varname> and should otherwise
+ be left unset (or <literal>-</literal>). It is recommended to omit this, unless
+- a shell different <filename>/sbin/nologin</filename> must be used.</para>
++ a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
+ </refsect2>
+ </refsect1>
+
+diff --git a/meson.build b/meson.build
+index d340736..3afe168 100644
+--- a/meson.build
++++ b/meson.build
+@@ -611,6 +611,7 @@ progs = [['quotaon', '/usr/sbin/quotaon' ],
+ ['umount', '/usr/bin/umount', 'UMOUNT_PATH'],
+ ['loadkeys', '/usr/bin/loadkeys', 'KBD_LOADKEYS'],
+ ['setfont', '/usr/bin/setfont', 'KBD_SETFONT'],
++ ['nologin', '/usr/sbin/nologin', ],
+ ]
+ foreach prog : progs
+ path = get_option(prog[0] + '-path')
+diff --git a/meson_options.txt b/meson_options.txt
+index 044bb79..6304511 100644
+--- a/meson_options.txt
++++ b/meson_options.txt
+@@ -43,6 +43,7 @@ option('mount-path', type : 'string', description : 'path to mount')
+ option('umount-path', type : 'string', description : 'path to umount')
+ option('loadkeys-path', type : 'string', description : 'path to loadkeys')
+ option('setfont-path', type : 'string', description : 'path to setfont')
++option('nologin-path', type : 'string', description : 'path to nologin')
+
+ option('debug-shell', type : 'string', value : '/bin/sh',
+ description : 'path to debug shell binary')
+diff --git a/src/basic/user-util.c b/src/basic/user-util.c
+index 260f3d2..78656d9 100644
+--- a/src/basic/user-util.c
++++ b/src/basic/user-util.c
+@@ -146,7 +146,7 @@ static int synthesize_user_creds(
+ *home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
+
+ if (shell)
+- *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/sbin/nologin";
++ *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
+
+ return 0;
+ }
+@@ -522,7 +522,7 @@ int get_shell(char **_s) {
+ }
+ if (synthesize_nobody() &&
+ u == UID_NOBODY) {
+- s = strdup("/sbin/nologin");
++ s = strdup(NOLOGIN);
+ if (!s)
+ return -ENOMEM;
+
+diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c
+index 486a658..d576e69 100644
+--- a/src/nss-mymachines/nss-mymachines.c
++++ b/src/nss-mymachines/nss-mymachines.c
+@@ -501,7 +501,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
+ pwd->pw_gecos = buffer;
+ pwd->pw_passwd = (char*) "*"; /* locked */
+ pwd->pw_dir = (char*) "/";
+- pwd->pw_shell = (char*) "/sbin/nologin";
++ pwd->pw_shell = (char*) NOLOGIN;
+
+ return NSS_STATUS_SUCCESS;
+
+@@ -581,7 +581,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
+ pwd->pw_gecos = buffer;
+ pwd->pw_passwd = (char*) "*"; /* locked */
+ pwd->pw_dir = (char*) "/";
+- pwd->pw_shell = (char*) "/sbin/nologin";
++ pwd->pw_shell = (char*) NOLOGIN;
+
+ return NSS_STATUS_SUCCESS;
+
+diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
+index f8db27a..0ca0e8d 100644
+--- a/src/nss-systemd/nss-systemd.c
++++ b/src/nss-systemd/nss-systemd.c
+@@ -23,7 +23,7 @@
+ #define DYNAMIC_USER_GECOS "Dynamic User"
+ #define DYNAMIC_USER_PASSWD "*" /* locked */
+ #define DYNAMIC_USER_DIR "/"
+-#define DYNAMIC_USER_SHELL "/sbin/nologin"
++#define DYNAMIC_USER_SHELL NOLOGIN
+
+ static const struct passwd root_passwd = {
+ .pw_name = (char*) "root",
+@@ -42,7 +42,7 @@ static const struct passwd nobody_passwd = {
+ .pw_gid = GID_NOBODY,
+ .pw_gecos = (char*) "User Nobody",
+ .pw_dir = (char*) "/",
+- .pw_shell = (char*) "/sbin/nologin",
++ .pw_shell = (char*) NOLOGIN,
+ };
+
+ static const struct group root_group = {
+diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
+index df28bcf..91d46a7 100644
+--- a/src/sysusers/sysusers.c
++++ b/src/sysusers/sysusers.c
+@@ -361,7 +361,7 @@ static int rename_and_apply_smack(const char *temp_path, const char *dest_path)
+ }
+
+ static const char* default_shell(uid_t uid) {
+- return uid == 0 ? "/bin/sh" : "/sbin/nologin";
++ return uid == 0 ? "/bin/sh" : NOLOGIN;
+ }
+
+ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char **tmpfile_path) {
+diff --git a/src/test/test-user-util.c b/src/test/test-user-util.c
+index 801824a..2e303ad 100644
+--- a/src/test/test-user-util.c
++++ b/src/test/test-user-util.c
+@@ -205,8 +205,8 @@ int main(int argc, char *argv[]) {
+
+ test_get_user_creds_one("root", "root", 0, 0, "/root", "/bin/sh");
+ test_get_user_creds_one("0", "root", 0, 0, "/root", "/bin/sh");
+- test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+- test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
++ test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
++ test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
+
+ test_get_group_creds_one("root", "root", 0);
+ test_get_group_creds_one("0", "root", 0);
+diff --git a/test/TEST-21-SYSUSERS/test-1.expected-passwd b/test/TEST-21-SYSUSERS/test-1.expected-passwd
+index 8d0bfff..f59303b 100644
+--- a/test/TEST-21-SYSUSERS/test-1.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-1.expected-passwd
+@@ -1 +1 @@
+-u1:x:222:222::/:/sbin/nologin
++u1:x:222:222::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-10.expected-passwd b/test/TEST-21-SYSUSERS/test-10.expected-passwd
+index 222334b..ca2d764 100644
+--- a/test/TEST-21-SYSUSERS/test-10.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-10.expected-passwd
+@@ -1,2 +1,2 @@
+-u1:x:300:300::/:/sbin/nologin
+-u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
++u1:x:300:300::/:NOLOGIN
++u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-11.expected-passwd b/test/TEST-21-SYSUSERS/test-11.expected-passwd
+index 3f9ab39..737e43b 100644
+--- a/test/TEST-21-SYSUSERS/test-11.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-11.expected-passwd
+@@ -2,5 +2,5 @@ root:x:0:0:root:/root:/bin/bash
+ systemd-network:x:492:492:Systemd Network Management:/:/usr/sbin/nologin
+ systemd-resolve:x:491:491:Systemd Resolver:/:/usr/sbin/nologin
+ systemd-timesync:x:493:493:Systemd Time Synchronization:/:/usr/sbin/nologin
+-u1:x:222:222::/:/sbin/nologin
++u1:x:222:222::/:NOLOGIN
+ +::::::
+diff --git a/test/TEST-21-SYSUSERS/test-12.expected-passwd b/test/TEST-21-SYSUSERS/test-12.expected-passwd
+index 75fe9b4..f076f3d 100644
+--- a/test/TEST-21-SYSUSERS/test-12.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-12.expected-passwd
+@@ -1,2 +1,2 @@
+ root:x:0:0:root:/root:/bin/bash
+-systemd-coredump:x:1:1:systemd Core Dumper:/:/sbin/nologin
++systemd-coredump:x:1:1:systemd Core Dumper:/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-2.expected-passwd b/test/TEST-21-SYSUSERS/test-2.expected-passwd
+index 9eeee5d..af80688 100644
+--- a/test/TEST-21-SYSUSERS/test-2.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-2.expected-passwd
+@@ -1,4 +1,4 @@
+-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:/sbin/nologin
++u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:NOLOGIN
+ u2:x:777:777:some gecos:/random/dir:/bin/zsh
+ u3:x:778:778::/random/dir2:/bin/bash
+ u4:x:779:779::/:/bin/csh
+diff --git a/test/TEST-21-SYSUSERS/test-3.expected-passwd b/test/TEST-21-SYSUSERS/test-3.expected-passwd
+index a86954f..946303f 100644
+--- a/test/TEST-21-SYSUSERS/test-3.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-3.expected-passwd
+@@ -1,4 +1,4 @@
+-foo:x:301:301::/:/sbin/nologin
+-aaa:x:303:302::/:/sbin/nologin
+-bbb:x:304:302::/:/sbin/nologin
+-ccc:x:305:305::/:/sbin/nologin
++foo:x:301:301::/:NOLOGIN
++aaa:x:303:302::/:NOLOGIN
++bbb:x:304:302::/:NOLOGIN
++ccc:x:305:305::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-4.expected-passwd b/test/TEST-21-SYSUSERS/test-4.expected-passwd
+index e0370a4..99d1048 100644
+--- a/test/TEST-21-SYSUSERS/test-4.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-4.expected-passwd
+@@ -1,2 +1,2 @@
+-yyy:x:311:310::/:/sbin/nologin
+-xxx:x:312:310::/:/sbin/nologin
++yyy:x:311:310::/:NOLOGIN
++xxx:x:312:310::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-5.expected-passwd b/test/TEST-21-SYSUSERS/test-5.expected-passwd
+index 116b126..a83d566 100644
+--- a/test/TEST-21-SYSUSERS/test-5.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-5.expected-passwd
+@@ -1,18 +1,18 @@
+ root:x:0:0::/root:/bin/sh
+-daemon:x:1:1::/usr/sbin:/sbin/nologin
+-bin:x:2:2::/bin:/sbin/nologin
+-sys:x:3:3::/dev:/sbin/nologin
+-sync:x:4:65534::/bin:/sbin/nologin
+-games:x:5:60::/usr/games:/sbin/nologin
+-man:x:6:12::/var/cache/man:/sbin/nologin
+-lp:x:7:7::/var/spool/lpd:/sbin/nologin
+-mail:x:8:8::/var/mail:/sbin/nologin
+-news:x:9:9::/var/spool/news:/sbin/nologin
+-uucp:x:10:10::/var/spool/uucp:/sbin/nologin
+-proxy:x:13:13::/bin:/sbin/nologin
+-www-data:x:33:33::/var/www:/sbin/nologin
+-backup:x:34:34::/var/backups:/sbin/nologin
+-list:x:38:38::/var/list:/sbin/nologin
+-irc:x:39:39::/var/run/ircd:/sbin/nologin
+-gnats:x:41:41::/var/lib/gnats:/sbin/nologin
+-nobody:x:65534:65534::/nonexistent:/sbin/nologin
++daemon:x:1:1::/usr/sbin:NOLOGIN
++bin:x:2:2::/bin:NOLOGIN
++sys:x:3:3::/dev:NOLOGIN
++sync:x:4:65534::/bin:NOLOGIN
++games:x:5:60::/usr/games:NOLOGIN
++man:x:6:12::/var/cache/man:NOLOGIN
++lp:x:7:7::/var/spool/lpd:NOLOGIN
++mail:x:8:8::/var/mail:NOLOGIN
++news:x:9:9::/var/spool/news:NOLOGIN
++uucp:x:10:10::/var/spool/uucp:NOLOGIN
++proxy:x:13:13::/bin:NOLOGIN
++www-data:x:33:33::/var/www:NOLOGIN
++backup:x:34:34::/var/backups:NOLOGIN
++list:x:38:38::/var/list:NOLOGIN
++irc:x:39:39::/var/run/ircd:NOLOGIN
++gnats:x:41:41::/var/lib/gnats:NOLOGIN
++nobody:x:65534:65534::/nonexistent:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-6.expected-passwd b/test/TEST-21-SYSUSERS/test-6.expected-passwd
+index 5af9d11..ba55a13 100644
+--- a/test/TEST-21-SYSUSERS/test-6.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-6.expected-passwd
+@@ -1 +1 @@
+-u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
++u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-7.expected-passwd b/test/TEST-21-SYSUSERS/test-7.expected-passwd
+index 79668c0..0c5d370 100644
+--- a/test/TEST-21-SYSUSERS/test-7.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-7.expected-passwd
+@@ -1,5 +1,5 @@
+-bin:x:1:1::/:/sbin/nologin
+-daemon:x:2:2::/:/sbin/nologin
+-mail:x:8:12::/var/spool/mail:/sbin/nologin
+-ftp:x:14:11::/srv/ftp:/sbin/nologin
+-http:x:33:33::/srv/http:/sbin/nologin
++bin:x:1:1::/:NOLOGIN
++daemon:x:2:2::/:NOLOGIN
++mail:x:8:12::/var/spool/mail:NOLOGIN
++ftp:x:14:11::/srv/ftp:NOLOGIN
++http:x:33:33::/srv/http:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-8.expected-passwd b/test/TEST-21-SYSUSERS/test-8.expected-passwd
+index 727b819..23e99f0 100644
+--- a/test/TEST-21-SYSUSERS/test-8.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-8.expected-passwd
+@@ -1 +1 @@
+-username:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
++username:x:SYSTEM_UID_MAX:300::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test-9.expected-passwd b/test/TEST-21-SYSUSERS/test-9.expected-passwd
+index a23260f..0bffbcd 100644
+--- a/test/TEST-21-SYSUSERS/test-9.expected-passwd
++++ b/test/TEST-21-SYSUSERS/test-9.expected-passwd
+@@ -1,2 +1,2 @@
+-user1:x:300:300::/:/sbin/nologin
+-user2:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
++user1:x:300:300::/:NOLOGIN
++user2:x:SYSTEM_UID_MAX:300::/:NOLOGIN
+diff --git a/test/TEST-21-SYSUSERS/test.sh b/test/TEST-21-SYSUSERS/test.sh
+index b1049e7..809653c 100755
+--- a/test/TEST-21-SYSUSERS/test.sh
++++ b/test/TEST-21-SYSUSERS/test.sh
+@@ -25,7 +25,14 @@ preprocess() {
+ # get this value from config.h, however the autopkgtest fails with
+ # it
+ SYSTEM_UID_MAX=$(awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs)
+- sed "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" "$in"
++
++ # we can't rely on config.h to get the nologin path, as autopkgtest
++ # uses pre-compiled binaries, so extract it from the systemd-sysusers
++ # binary which we are about to execute
++ NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)
++
++ sed -e "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" \
++ -e "s#NOLOGIN#${NOLOGIN}#g" "$in"
+ }
+
+ compare() {
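Review bot: the nologin path extraction in test/TEST-21-SYSUSERS/test.sh is fragile: `strings $(type -p systemd-sysusers) | grep nologin` matches every string containing "nologin", so if the binary carries more than one such literal `NOLOGIN` becomes multi-line and the `sed -e "s#NOLOGIN#${NOLOGIN}#g"` expression breaks; anchoring the match, e.g. `grep -m1 '/nologin$'`, and quoting `"$(type -p systemd-sysusers)"` would make it robust. Two smaller points: the commit message says "we can't really on merged-usr", which should be "rely on"; and for the Debian side, the progs table default is `/usr/sbin/nologin`, so the path the changelog announces should come from the default unless debian/rules passes `-Dnologin-path=`, which is worth confirming in the build log.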
diff --git a/debian/patches/network-check-whether-ipv6-is-enabled-in-sysctl.patch b/debian/patches/network-check-whether-ipv6-is-enabled-in-sysctl.patch
new file mode 100644
index 0000000..2b65530
--- /dev/null
+++ b/debian/patches/network-check-whether-ipv6-is-enabled-in-sysctl.patch
@@ -0,0 +1,119 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Mon, 18 Feb 2019 15:00:15 +0900
+Subject: network: check whether ipv6 is enabled in sysctl
+
+Currently, the value is read only once.
+
+Fixes #11711.
+
+(cherry picked from commit 4b600505dda8af6c43496f9e93e420a192d9a38b)
+---
+ src/network/networkd-link.c | 12 ++++++++++++
+ src/network/networkd-manager.c | 18 ++++++++++++++++++
+ src/network/networkd-manager.h | 4 ++++
+ 3 files changed, 34 insertions(+)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 22392d7..322e701 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -51,6 +51,9 @@ static bool link_dhcp6_enabled(Link *link) {
+ if (!link->network)
+ return false;
+
++ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ return false;
++
+ return link->network->dhcp & ADDRESS_FAMILY_IPV6;
+ }
+
+@@ -108,6 +111,9 @@ static bool link_ipv6ll_enabled(Link *link) {
+ if (streq_ptr(link->kind, "wireguard"))
+ return false;
+
++ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ return false;
++
+ return link->network->link_local & ADDRESS_FAMILY_IPV6;
+ }
+
+@@ -120,6 +126,9 @@ static bool link_ipv6_enabled(Link *link) {
+ if (link->network->bridge)
+ return false;
+
++ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ return false;
++
+ /* DHCPv6 client will not be started if no IPv6 link-local address is configured. */
+ return link_ipv6ll_enabled(link) || network_has_static_ipv6_addresses(link->network);
+ }
+@@ -199,6 +208,9 @@ static bool link_ipv6_forward_enabled(Link *link) {
+ if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
+ return false;
+
++ if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ return false;
++
+ return link->network->ip_forward & ADDRESS_FAMILY_IPV6;
+ }
+
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index c8d369e..f32bc7f 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -23,6 +23,7 @@
+ #include "path-util.h"
+ #include "set.h"
+ #include "strv.h"
++#include "sysctl-util.h"
+ #include "tmpfile-util.h"
+ #include "virt.h"
+
+@@ -1360,6 +1361,8 @@ int manager_new(Manager **ret) {
+ if (!m->state_file)
+ return -ENOMEM;
+
++ m->sysctl_ipv6_enabled = -1;
++
+ r = sd_event_default(&m->event);
+ if (r < 0)
+ return r;
+@@ -1858,3 +1861,18 @@ int manager_request_product_uuid(Manager *m, Link *link) {
+
+ return 0;
+ }
++
++int manager_sysctl_ipv6_enabled(Manager *manager) {
++ _cleanup_free_ char *value = NULL;
++ int r;
++
++ if (manager->sysctl_ipv6_enabled >= 0)
++ return manager->sysctl_ipv6_enabled;
++
++ r = sysctl_read_ip_property(AF_INET6, "all", "disable_ipv6", &value);
++ if (r < 0)
++ return log_warning_errno(r, "Failed to read net.ipv6.conf.all.disable_ipv6 sysctl property: %m");
++
++ manager->sysctl_ipv6_enabled = value[0] == '0';
++ return manager->sysctl_ipv6_enabled;
++}
+diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
+index 289ca96..d292d76 100644
+--- a/src/network/networkd-manager.h
++++ b/src/network/networkd-manager.h
+@@ -58,6 +58,8 @@ struct Manager {
+ Set *rules;
+ Set *rules_foreign;
+ Set *rules_saved;
++
++ int sysctl_ipv6_enabled;
+ };
+
+ extern const sd_bus_vtable manager_vtable[];
+@@ -95,4 +97,6 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
+ int manager_dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
+ int manager_dhcp6_prefix_remove_all(Manager *m, Link *link);
+
++int manager_sysctl_ipv6_enabled(Manager *manager);
++
+ DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
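Review bot: in `manager_sysctl_ipv6_enabled()` the cached value is only stored on a successful read; when `sysctl_read_ip_property()` fails the function returns the negative errno and `sysctl_ipv6_enabled` stays at -1, so each of the four callers in networkd-link.c re-reads the sysctl and emits the "Failed to read net.ipv6.conf.all.disable_ipv6" warning again on every link evaluation. Since the callers only test `== 0`, a negative return already means "treat IPv6 as enabled", which is the intended graceful behaviour; caching that decision too, or dropping to debug level after the first failure, would avoid a warning per call. The commit message line "Currently, the value is read only once." reads like a description of the old behaviour but describes the new caching; "The value is read once and cached." would be clearer.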
diff --git a/debian/patches/network-do-not-send-ipv6-token-to-kernel.patch b/debian/patches/network-do-not-send-ipv6-token-to-kernel.patch
new file mode 100644
index 0000000..766d470
--- /dev/null
+++ b/debian/patches/network-do-not-send-ipv6-token-to-kernel.patch
@@ -0,0 +1,92 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Thu, 9 May 2019 14:39:46 +0900
+Subject: network: do not send ipv6 token to kernel
+
+We disabled kernel RA support. Then, we should not send
+IFLA_INET6_TOKEN.
+Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice.
+
+Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and
+4eb086a38712ea98faf41e075b84555b11b54362.
+
+(cherry picked from commit 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f)
+---
+ src/network/networkd-link.c | 51 ++++++---------------------------------------
+ 1 file changed, 6 insertions(+), 45 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 6445b94..ac76c86 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1816,6 +1816,9 @@ static int link_configure_addrgen_mode(Link *link) {
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
++ if (!socket_ipv6_is_supported())
++ return 0;
++
+ log_link_debug(link, "Setting address genmode for link");
+
+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
+@@ -1917,46 +1920,6 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not set MAC address: %m");
+ }
+
+- if (link_ipv6_enabled(link)) {
+- uint8_t ipv6ll_mode;
+-
+- r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
+-
+- /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */
+- r = sd_netlink_message_open_container(req, AF_INET6);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m");
+-
+- if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) {
+- r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+- }
+-
+- if (!link_ipv6ll_enabled(link))
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
+- else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
+- /* The file may not exist. And event if it exists, when stable_secret is unset,
+- * reading the file fails with EIO. */
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
+- else
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+-
+- r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
+-
+- r = sd_netlink_message_close_container(req);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
+-
+- r = sd_netlink_message_close_container(req);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m");
+- }
+-
+ r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler,
+ link_netlink_destroy_callback, link);
+ if (r < 0)
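Review bot: after this hunk nothing in the visible diff passes `link->network->ipv6_token` (the `IPv6Token=` setting) to the kernel any more: the `sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, ...)` call is deleted and not re-added elsewhere. The commit message justifies this by RA handling having moved out of the kernel, so the token must now be honoured by networkd's own ndisc address generation; please confirm that is true of the 241 code base being patched, otherwise `IPv6Token=` silently becomes a no-op in buster. Also note the series order: networkd-fix-link_up-12505.patch first adds the IFLA_INET6_ADDR_GEN_MODE lines to this same block and this patch then deletes the whole block, so the net effect of the two on link_up() is only the removal; worth a sentence in the changelog so nobody tries to preserve the intermediate state.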
+@@ -3044,11 +3007,9 @@ static int link_configure(Link *link) {
+ return r;
+ }
+
+- if (socket_ipv6_is_supported()) {
+- r = link_configure_addrgen_mode(link);
+- if (r < 0)
+- return r;
+- }
++ r = link_configure_addrgen_mode(link);
++ if (r < 0)
++ return r;
+
+ return link_configure_after_setting_mtu(link);
+ }
diff --git a/debian/patches/network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch b/debian/patches/network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch
new file mode 100644
index 0000000..5b6ea17
--- /dev/null
+++ b/debian/patches/network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch
@@ -0,0 +1,67 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Tue, 11 Jun 2019 23:20:56 +0900
+Subject: network: ignore requested ipv6 addresses when ipv6 is disabled by
+ sysctl
+
+(cherry picked from commit 54a1a535bd60f13964bbddd8f381601e33e8e56f)
+---
+ src/network/networkd-address.c | 7 ++++++-
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-ndisc.c | 4 ++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
+index 3cdbd9e..a9f65e5 100644
+--- a/src/network/networkd-address.c
++++ b/src/network/networkd-address.c
+@@ -565,6 +565,11 @@ int address_configure(
+ assert(link->manager->rtnl);
+ assert(callback);
+
++ if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
++ return 0;
++ }
++
+ /* If this is a new address, then refuse adding more than the limit */
+ if (address_get(link, address->family, &address->in_addr, address->prefixlen, NULL) <= 0 &&
+ set_size(link->addresses) >= ADDRESSES_PER_LINK_MAX)
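Review bot: the new guard returns 0 while the success path at the end of the function is changed to return 1, which turns the return value into a tri-state (negative = error, 0 = skipped, 1 = netlink message sent). That convention is not documented anywhere at the function; a short comment above `int address_configure(` stating it would stop the next reader from assuming 0 still means "message in flight". Also, `manager_sysctl_ipv6_enabled(link->manager) == 0` deliberately lets a negative (read error) result fall through and configure the address anyway; fine, but the log line only talks about "disabled by sysctl", so a comment on the fall-through would help.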
+@@ -669,7 +674,7 @@ int address_configure(
+ return log_error_errno(r, "Could not add address: %m");
+ }
+
+- return 0;
++ return 1;
+ }
+
+ int config_parse_broadcast(
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 322e701..638aae0 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1123,8 +1123,8 @@ static int link_request_set_addresses(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->address_messages++;
++ if (r > 0)
++ link->address_messages++;
+ }
+
+ LIST_FOREACH(labels, label, link->network->address_labels) {
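Review bot: incrementing `link->address_messages` only when `r > 0` is what keeps the link from waiting forever for a reply to a message that was never sent, but the diffstat touches only networkd-link.c and networkd-ndisc.c. Any other caller of address_configure() that still increments its own message counter unconditionally after the call (the DHCPv6 address path is the obvious candidate) would now sit in the configuring state whenever an IPv6 address is skipped; please grep for the remaining callers before this goes into stable. IPv4-only callers are unaffected, since the guard fires only for AF_INET6.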
+diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
+index e5b8d11..78c98a0 100644
+--- a/src/network/networkd-ndisc.c
++++ b/src/network/networkd-ndisc.c
+@@ -205,8 +205,8 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->ndisc_messages++;
++ if (r > 0)
++ link->ndisc_messages++;
+
+ return 0;
+ }
diff --git a/debian/patches/network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch b/debian/patches/network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch
new file mode 100644
index 0000000..0960802
--- /dev/null
+++ b/debian/patches/network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch
@@ -0,0 +1,88 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Tue, 11 Jun 2019 23:26:11 +0900
+Subject: network: ignore requested ipv6 route when ipv6 is disabled by sysctl
+
+(cherry picked from commit c442331750a2a9711036080f7590e190b9b0eb54)
+---
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-ndisc.c | 12 ++++++------
+ src/network/networkd-route.c | 7 ++++++-
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 638aae0..5a181c2 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -840,8 +840,8 @@ static int link_request_set_routes(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->route_messages++;
++ if (r > 0)
++ link->route_messages++;
+ }
+
+ if (link->route_messages == 0) {
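Review bot: the `if (link->route_messages == 0)` check immediately below this hunk is the reason the counter must only count sent messages: when every configured route is IPv6 and is skipped by route_configure(), route_messages stays 0 and the link advances immediately instead of waiting for replies that will never arrive. That is the desired behaviour, but it is worth an explicit test on a host with `net.ipv6.conf.all.disable_ipv6=1` and a .network file containing only IPv6 `[Route]` sections, since that is exactly the configuration this patch is meant to tolerate.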
+diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
+index 78c98a0..36fbe29 100644
+--- a/src/network/networkd-ndisc.c
++++ b/src/network/networkd-ndisc.c
+@@ -117,8 +117,8 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->ndisc_messages++;
++ if (r > 0)
++ link->ndisc_messages++;
+
+ return 0;
+ }
+@@ -255,8 +255,8 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->ndisc_messages++;
++ if (r > 0)
++ link->ndisc_messages++;
+
+ return 0;
+ }
+@@ -316,8 +316,8 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->ndisc_messages++;
++ if (r > 0)
++ link->ndisc_messages++;
+
+ return 0;
+ }
+diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
+index 5553a7e..5b7e019 100644
+--- a/src/network/networkd-route.c
++++ b/src/network/networkd-route.c
+@@ -509,6 +509,11 @@ int route_configure(
+ assert(IN_SET(route->family, AF_INET, AF_INET6));
+ assert(callback);
+
++ if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
++ return 0;
++ }
++
+ if (route_get(link, route->family, &route->dst, route->dst_prefixlen, route->tos, route->priority, route->table, NULL) <= 0 &&
+ set_size(link->routes) >= routes_max())
+ return -E2BIG;
+@@ -675,7 +680,7 @@ int route_configure(
+ sd_event_source_unref(route->expire);
+ route->expire = TAKE_PTR(expire);
+
+- return 0;
++ return 1;
+ }
+
+ int config_parse_gateway(
diff --git a/debian/patches/network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch b/debian/patches/network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch
new file mode 100644
index 0000000..270af9c
--- /dev/null
+++ b/debian/patches/network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch
@@ -0,0 +1,51 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Tue, 11 Jun 2019 23:29:57 +0900
+Subject: network: ignore requested ipv6 routing policy rule when ipv6 is
+ disabled by sysctl
+
+(cherry picked from commit 7ef7e5509b637e660e89ba8a938930ec01de6e54)
+---
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-routing-policy-rule.c | 7 ++++++-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 5a181c2..13852af 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -765,8 +765,8 @@ static int link_request_set_routing_policy_rule(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+-
+- link->routing_policy_rule_messages++;
++ if (r > 0)
++ link->routing_policy_rule_messages++;
+ }
+
+ routing_policy_rule_purge(link->manager, link);
+diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
+index 65a9af2..0b62a0e 100644
+--- a/src/network/networkd-routing-policy-rule.c
++++ b/src/network/networkd-routing-policy-rule.c
+@@ -492,6 +492,11 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
++ if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
++ return 0;
++ }
++
+ r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
+ if (r < 0)
+ return log_error_errno(r, "Could not allocate RTM_NEWRULE message: %m");
+@@ -609,7 +614,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ if (r < 0)
+ return log_error_errno(r, "Could not add rule: %m");
+
+- return 0;
++ return 1;
+ }
+
+ static int parse_fwmark_fwmask(const char *s, uint32_t *fwmark, uint32_t *fwmask) {
diff --git a/debian/patches/network-read-link-specific-sysctl-value.patch b/debian/patches/network-read-link-specific-sysctl-value.patch
new file mode 100644
index 0000000..aaa29a6
--- /dev/null
+++ b/debian/patches/network-read-link-specific-sysctl-value.patch
@@ -0,0 +1,208 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Fri, 14 Jun 2019 09:42:51 +0900
+Subject: network: read link specific sysctl value
+
+This introduce link_sysctl_ipv6_enabled() and replaces
+manager_sysctl_ipv6_enabled() with it.
+
+(cherry picked from commit bafa9641446852f7fa15ca12d08a223d345c78ea)
+---
+ src/network/networkd-address.c | 2 +-
+ src/network/networkd-link.c | 24 ++++++++++++++++++++----
+ src/network/networkd-link.h | 4 ++++
+ src/network/networkd-manager.c | 17 -----------------
+ src/network/networkd-manager.h | 4 ----
+ src/network/networkd-route.c | 2 +-
+ src/network/networkd-routing-policy-rule.c | 2 +-
+ 7 files changed, 27 insertions(+), 28 deletions(-)
+
+diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
+index a9f65e5..e0ee896 100644
+--- a/src/network/networkd-address.c
++++ b/src/network/networkd-address.c
+@@ -565,7 +565,7 @@ int address_configure(
+ assert(link->manager->rtnl);
+ assert(callback);
+
+- if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ if (address->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 13852af..3cfdf4a 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -28,6 +28,7 @@
+ #include "stdio-util.h"
+ #include "string-table.h"
+ #include "strv.h"
++#include "sysctl-util.h"
+ #include "tmpfile-util.h"
+ #include "util.h"
+ #include "virt.h"
+@@ -39,6 +40,20 @@ DUID* link_get_duid(Link *link) {
+ return &link->manager->duid;
+ }
+
++int link_sysctl_ipv6_enabled(Link *link) {
++ _cleanup_free_ char *value = NULL;
++ int r;
++
++ r = sysctl_read_ip_property(AF_INET6, link->ifname, "disable_ipv6", &value);
++ if (r < 0)
++ return log_link_warning_errno(link, r,
++ "Failed to read net.ipv6.conf.%s.disable_ipv6 sysctl property: %m",
++ link->ifname);
++
++ link->sysctl_ipv6_enabled = value[0] == '0';
++ return link->sysctl_ipv6_enabled;
++}
++
+ static bool link_dhcp6_enabled(Link *link) {
+ assert(link);
+
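Review bot: `link->sysctl_ipv6_enabled` is initialised to -1 in link_new() and assigned here, but never consulted: the function reads the sysctl file on every call, so the caching that manager_sysctl_ipv6_enabled() had is lost, and since link_ipv6ll_enabled(), link_ipv6_enabled(), link_dhcp6_enabled() and link_ipv6_forward_enabled() all now call this, one link bring-up performs several redundant file reads. Either add `if (link->sysctl_ipv6_enabled >= 0) return link->sysctl_ipv6_enabled;` before the read, or drop the field. Also the per-interface path `/proc/sys/net/ipv6/conf/<ifname>/disable_ipv6` only exists once the kernel has registered the interface for IPv6; a read failure returns a negative value, which the `== 0` callers treat as "enabled", so a transient ENOENT during early bring-up silently flips the answer. An `assert(link)` at the top would match the rest of the file.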
+@@ -51,7 +66,7 @@ static bool link_dhcp6_enabled(Link *link) {
+ if (!link->network)
+ return false;
+
+- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->dhcp & ADDRESS_FAMILY_IPV6;
+@@ -111,7 +126,7 @@ static bool link_ipv6ll_enabled(Link *link) {
+ if (streq_ptr(link->kind, "wireguard"))
+ return false;
+
+- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->link_local & ADDRESS_FAMILY_IPV6;
+@@ -126,7 +141,7 @@ static bool link_ipv6_enabled(Link *link) {
+ if (link->network->bridge)
+ return false;
+
+- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ /* DHCPv6 client will not be started if no IPv6 link-local address is configured. */
+@@ -208,7 +223,7 @@ static bool link_ipv6_forward_enabled(Link *link) {
+ if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
+ return false;
+
+- if (manager_sysctl_ipv6_enabled(link->manager) == 0)
++ if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->ip_forward & ADDRESS_FAMILY_IPV6;
+@@ -476,6 +491,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+ .rtnl_extended_attrs = true,
+ .ifindex = ifindex,
+ .iftype = iftype,
++ .sysctl_ipv6_enabled = -1,
+ };
+
+ link->ifname = strdup(ifname);
+diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h
+index dcb1ea6..6adea64 100644
+--- a/src/network/networkd-link.h
++++ b/src/network/networkd-link.h
+@@ -128,6 +128,8 @@ typedef struct Link {
+
+ Hashmap *bound_by_links;
+ Hashmap *bound_to_links;
++
++ int sysctl_ipv6_enabled;
+ } Link;
+
+ typedef int (*link_netlink_message_handler_t)(sd_netlink*, sd_netlink_message*, Link*);
+@@ -209,6 +211,8 @@ int link_send_changed(Link *link, const char *property, ...) _sentinel_;
+ #define LOG_LINK_MESSAGE(link, fmt, ...) "MESSAGE=%s: " fmt, (link)->ifname, ##__VA_ARGS__
+ #define LOG_LINK_INTERFACE(link) "INTERFACE=%s", (link)->ifname
+
++int link_sysctl_ipv6_enabled(Link *link);
++
+ #define ADDRESS_FMT_VAL(address) \
+ be32toh((address).s_addr) >> 24, \
+ (be32toh((address).s_addr) >> 16) & 0xFFu, \
+diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
+index f32bc7f..acb9a75 100644
+--- a/src/network/networkd-manager.c
++++ b/src/network/networkd-manager.c
+@@ -1361,8 +1361,6 @@ int manager_new(Manager **ret) {
+ if (!m->state_file)
+ return -ENOMEM;
+
+- m->sysctl_ipv6_enabled = -1;
+-
+ r = sd_event_default(&m->event);
+ if (r < 0)
+ return r;
+@@ -1861,18 +1859,3 @@ int manager_request_product_uuid(Manager *m, Link *link) {
+
+ return 0;
+ }
+-
+-int manager_sysctl_ipv6_enabled(Manager *manager) {
+- _cleanup_free_ char *value = NULL;
+- int r;
+-
+- if (manager->sysctl_ipv6_enabled >= 0)
+- return manager->sysctl_ipv6_enabled;
+-
+- r = sysctl_read_ip_property(AF_INET6, "all", "disable_ipv6", &value);
+- if (r < 0)
+- return log_warning_errno(r, "Failed to read net.ipv6.conf.all.disable_ipv6 sysctl property: %m");
+-
+- manager->sysctl_ipv6_enabled = value[0] == '0';
+- return manager->sysctl_ipv6_enabled;
+-}
+diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
+index d292d76..289ca96 100644
+--- a/src/network/networkd-manager.h
++++ b/src/network/networkd-manager.h
+@@ -58,8 +58,6 @@ struct Manager {
+ Set *rules;
+ Set *rules_foreign;
+ Set *rules_saved;
+-
+- int sysctl_ipv6_enabled;
+ };
+
+ extern const sd_bus_vtable manager_vtable[];
+@@ -97,6 +95,4 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
+ int manager_dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
+ int manager_dhcp6_prefix_remove_all(Manager *m, Link *link);
+
+-int manager_sysctl_ipv6_enabled(Manager *manager);
+-
+ DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
+diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
+index 5b7e019..67b0ab4 100644
+--- a/src/network/networkd-route.c
++++ b/src/network/networkd-route.c
+@@ -509,7 +509,7 @@ int route_configure(
+ assert(IN_SET(route->family, AF_INET, AF_INET6));
+ assert(callback);
+
+- if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ if (route->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
+index 0b62a0e..2378ed2 100644
+--- a/src/network/networkd-routing-policy-rule.c
++++ b/src/network/networkd-routing-policy-rule.c
+@@ -492,7 +492,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
+- if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
++ if (rule->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
diff --git a/debian/patches/networkd-fix-link_up-12505.patch b/debian/patches/networkd-fix-link_up-12505.patch
new file mode 100644
index 0000000..a801d61
--- /dev/null
+++ b/debian/patches/networkd-fix-link_up-12505.patch
@@ -0,0 +1,62 @@
+From: Susant Sahani <ssahani at gmail.com>
+Date: Thu, 9 May 2019 07:35:35 +0530
+Subject: networkd: fix link_up() (#12505)
+
+Fillup IFLA_INET6_ADDR_GEN_MODE while we do link_up.
+
+Fixes the following error:
+```
+dummy-test: Could not bring up interface: Invalid argument
+```
+
+After reading the kernel code when we do a link up
+```
+net/core/rtnetlink.c
+IFLA_AF_SPEC
+ af_ops->set_link_af(dev, af);
+ inet6_set_link_af
+ if (tb[IFLA_INET6_ADDR_GEN_MODE])
+ Here it looks for IFLA_INET6_ADDR_GEN_MODE
+```
+Since on link up we weren't filling that in, it's failing.
+
+Closes #12504.
+
+(cherry picked from commit 4eb086a38712ea98faf41e075b84555b11b54362)
+---
+ src/network/networkd-link.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 3cfdf4a..6445b94 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1918,6 +1918,8 @@ static int link_up(Link *link) {
+ }
+
+ if (link_ipv6_enabled(link)) {
++ uint8_t ipv6ll_mode;
++
+ r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
+@@ -1933,6 +1935,19 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+ }
+
++ if (!link_ipv6ll_enabled(link))
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
++ else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
++ /* The file may not exist. And event if it exists, when stable_secret is unset,
++ * reading the file fails with EIO. */
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
++ else
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
++
++ r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
++ if (r < 0)
++ return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
++
+ r = sd_netlink_message_close_container(req);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
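Review bot: this hunk and network-do-not-send-ipv6-token-to-kernel.patch, which follows it in debian/patches/series, cancel each other out for link_up(): the genmode selection added here (IN6_ADDR_GEN_MODE_NONE / EUI64 / STABLE_PRIVACY, keyed on whether `stable_secret` is readable) is deleted again by the later patch's `@@ -1917,46 +1920,6 @@` hunk, which removes the entire `if (link_ipv6_enabled(link))` block. Carrying both keeps the upstream commit identities intact, which is fine, but the changelog should say that after the series the genmode is set only in link_configure_addrgen_mode(). Separately, the `stable_secret` probe treats any read error (not just the EIO the comment mentions) as "use EUI64", so a permission or path problem would silently downgrade from stable-privacy to EUI-64 link-local addresses, which embed the MAC; that is upstream's behaviour, just worth knowing when reviewing address generation on buster.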
diff --git a/debian/patches/series b/debian/patches/series
index 8f3cac4..165795f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,6 +19,18 @@ pam-systemd-use-secure_getenv-rather-than-getenv.patch
journal-remote-do-not-request-Content-Length-if-Transfer-.patch
systemctl-restore-systemctl-reboot-ARG-functionality.patch
random-util-eat-up-bad-RDRAND-values-seen-on-AMD-CPUs.patch
+ask-password-prevent-buffer-overflow-when-reading-from-ke.patch
+core-unset-HOME-that-the-kernel-gives-us.patch
+man-add-note-that-h-u-U-are-mostly-useless.patch
+sysctl-util-add-sysctl_read_ip_property.patch
+network-check-whether-ipv6-is-enabled-in-sysctl.patch
+network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch
+network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch
+network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch
+network-read-link-specific-sysctl-value.patch
+networkd-fix-link_up-12505.patch
+network-do-not-send-ipv6-token-to-kernel.patch
+meson-make-nologin-path-build-time-configurable.patch
debian/Use-Debian-specific-config-files.patch
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
debian/Make-run-lock-tmpfs-an-API-fs.patch
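Review bot: the order of the networkd-link.c patches is load-bearing because their `index` lines chain (322e701 → 638aae0 → 5a181c2 → 13852af → 3cfdf4a → 6445b94 → ac76c86), so network-read-link-specific-sysctl-value.patch must stay before networkd-fix-link_up-12505.patch, and that before network-do-not-send-ipv6-token-to-kernel.patch, or the hunks will not apply. Likewise sysctl-util-add-sysctl_read_ip_property.patch has to precede network-check-whether-ipv6-is-enabled-in-sysctl.patch, the first user of sysctl_read_ip_property(). A comment block in series marking the group as an ordered set would make a later cherry-pick less likely to break it.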
diff --git a/debian/patches/sysctl-util-add-sysctl_read_ip_property.patch b/debian/patches/sysctl-util-add-sysctl_read_ip_property.patch
new file mode 100644
index 0000000..b6adfb6
--- /dev/null
+++ b/debian/patches/sysctl-util-add-sysctl_read_ip_property.patch
@@ -0,0 +1,49 @@
+From: Yu Watanabe <watanabe.yu+github at gmail.com>
+Date: Mon, 18 Feb 2019 14:41:43 +0900
+Subject: sysctl-util: add sysctl_read_ip_property()
+
+(cherry picked from commit a6b3b0aace152b77682d68d99b3e41580c955efb)
+---
+ src/shared/sysctl-util.c | 22 ++++++++++++++++++++++
+ src/shared/sysctl-util.h | 1 +
+ 2 files changed, 23 insertions(+)
+
+diff --git a/src/shared/sysctl-util.c b/src/shared/sysctl-util.c
+index 480e6c3..ba89489 100644
+--- a/src/shared/sysctl-util.c
++++ b/src/shared/sysctl-util.c
+@@ -69,3 +69,25 @@ int sysctl_read(const char *property, char **content) {
+ p = strjoina("/proc/sys/", property);
+ return read_full_file(p, content, NULL);
+ }
++
++int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret) {
++ _cleanup_free_ char *value = NULL;
++ const char *p;
++ int r;
++
++ assert(IN_SET(af, AF_INET, AF_INET6));
++ assert(property);
++
++ p = strjoina("/proc/sys/net/ipv", af == AF_INET ? "4" : "6",
++ ifname ? "/conf/" : "", strempty(ifname),
++ property[0] == '/' ? "" : "/", property);
++
++ r = read_one_line_file(p, &value);
++ if (r < 0)
++ return r;
++
++ if (ret)
++ *ret = TAKE_PTR(value);
++
++ return r;
++}
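Review bot: the helper hard-codes the `conf` subtree (`ifname ? "/conf/" : ""`), so it cannot read per-interface keys under `net.ipv{4,6}.neigh.<ifname>.*`; either say so in a comment or take the subtree as a parameter. `ifname` is interpolated into the /proc path without validation; the callers in this series pass kernel-provided interface names (or the `all` pseudo-interface), which cannot contain `/`, so this is fine today, but a comment stating that the argument must be an interface name and never untrusted input would stop a future caller from turning it into a path-traversal primitive. Minor: on success the function returns whatever read_one_line_file() returned, so callers should only test `r < 0`, not `r == 0`; the header declaration could carry that note.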
+diff --git a/src/shared/sysctl-util.h b/src/shared/sysctl-util.h
+index fd7c78b..22f52f8 100644
+--- a/src/shared/sysctl-util.h
++++ b/src/shared/sysctl-util.h
+@@ -5,3 +5,4 @@ char *sysctl_normalize(char *s);
+ int sysctl_read(const char *property, char **value);
+ int sysctl_write(const char *property, const char *value);
+
++int sysctl_read_ip_property(int af, const char *ifname, const char *property, char **ret);
diff --git a/debian/rules b/debian/rules
index a1b568b..96ae117 100755
--- a/debian/rules
+++ b/debian/rules
@@ -49,6 +49,7 @@ CONFFLAGS = \
-Dumount-path=/bin/umount \
-Dloadkeys-path=/bin/loadkeys \
-Dsetfont-path=/bin/setfont \
+ -Dnologin-path=/usr/sbin/nologin \
-Dtelinit-path=/lib/sysvinit/telinit \
-Dsysvinit-path=/etc/init.d \
-Dsysvrcnd-path=/etc \