Bug#985472: buster-pu: package systemd/241-7~deb10u6

Michael Biebl biebl at debian.org
Thu Mar 18 20:12:05 GMT 2021


Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org at packages.debian.org
Usertags: pu
X-Debbugs-Cc: kibi at debian.org, debian-boot at debian.org, pkg-systemd-maintainers at lists.alioth.debian.org

Hi,

I'd like to make a stable upload for systemd fixing two issues which
users explicitly requested.
Both issues are fixed in unstable and direct cherry-picks from upstream.

Here's the annotated changelog:

systemd (241-7~deb10u7) buster; urgency=medium

  * core: make sure to restore the control command id, too.
    Fixes a segfault in systemd that can be triggered when both
    daemon-reload and a service restart happen concurrently. (Closes: #984495)

https://salsa.debian.org/systemd-team/systemd/-/commit/99b743134a64d35506bdea0aac36eda47a19fc1a

Happens rarely and is not easy to trigger. But a segfault in PID 1 is
never nice, so seems worthwhile to fix.

  * seccomp: allow turning off of seccomp filtering via env var.
    Since glibc 2.33 faccessat() is implemented via faccessat2(), which
    is breaking running containers that use such a version of glibc under
    systemd-nspawn in Buster.
    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
    possible to run such new containers. (Closes: #984573)

https://salsa.debian.org/systemd-team/systemd/-/commit/e3268f6d9a2bdc739c55292d579a818f1190b77a

With buster becoming older, we have more and more distros that use glibc
2.33 (like Arch or Fedora) and can't be run under systemd-nspawn.
With the above env var it is possible to do so.
There are no changes related to udev, so d-i should not be affected.
But as we need an ack because of the udeb, I've CCed kibi/debian-boot as
usual.

Complete debdiff is attached.


Regards,
Michael
-------------- next part --------------
diff --git a/debian/changelog b/debian/changelog
index 61dcee2..d9b9f23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+systemd (241-7~deb10u7) buster; urgency=medium
+
+  * core: make sure to restore the control command id, too.
+    Fixes a segfault in systemd that can be triggered when both
+    daemon-reload and a service restart happen concurrently. (Closes: #984495)
+  * seccomp: allow turning off of seccomp filtering via env var.
+    Since glibc 2.33 faccessat() is implemented via faccessat2(), which
+    is breaking running containers that use such a version of glibc under
+    systemd-nspawn in Buster.
+    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
+    possible to run such new containers. (Closes: #984573)
+
+ -- Michael Biebl <biebl at debian.org>  Thu, 18 Mar 2021 20:59:14 +0100
+
 systemd (241-7~deb10u6) buster; urgency=medium
 
   * journal: do not trigger assertion when journal_file_close() get NULL
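Review bot: the `seccomp:` bullet names the variable but not the value or the trade-off; `SYSTEMD_SECCOMP=0` is what the ENVIRONMENT.md text in this same debdiff documents, and it switches syscall filtering off rather than closing the faccessat2() gap, so a stable user reading the changelog should see both, e.g. "Setting SYSTEMD_SECCOMP=0 disables seccomp filtering for that invocation, which makes it possible to run such containers."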
diff --git a/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
new file mode 100644
index 0000000..5df25ac
--- /dev/null
+++ b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
@@ -0,0 +1,27 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Wed, 22 Apr 2020 20:34:02 +0200
+Subject: core: make sure to restore the control command id, too
+
+Fixes: #15356
+(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac)
+---
+ src/core/service.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 5f5bcb3..eb66884 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -2689,9 +2689,10 @@ static int service_deserialize_exec_command(Unit *u, const char *key, const char
+                                 break;
+         }
+ 
+-        if (command && control)
++        if (command && control) {
+                 s->control_command = command;
+-        else if (command)
++                s->control_command_id = id;
++        } else if (command)
+                 s->main_command = command;
+         else
+                 log_unit_warning(u, "Current command vanished from the unit file, execution of the command list won't be resumed.");
diff --git a/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
new file mode 100644
index 0000000..12d823f
--- /dev/null
+++ b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
@@ -0,0 +1,79 @@
+From: Lennart Poettering <lennart at poettering.net>
+Date: Mon, 2 Nov 2020 14:51:10 +0100
+Subject: seccomp: allow turning off of seccomp filtering via env var
+
+Fixes: #17504
+
+Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
+
+(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
+---
+ docs/ENVIRONMENT.md         |  3 +++
+ src/nspawn/nspawn-seccomp.c |  2 +-
+ src/shared/seccomp-util.c   | 19 +++++++++++++++----
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
+index 99b5b03..286a5e2 100644
+--- a/docs/ENVIRONMENT.md
++++ b/docs/ENVIRONMENT.md
+@@ -58,6 +58,9 @@ All tools:
+   this only controls use of Unicode emoji glyphs, and has no effect on other
+   Unicode glyphs.
+ 
++* `$SYSTEMD_SECCOMP=0` ? if set, seccomp filters will not be enforced, even if
++  support for it is compiled in and available in the kernel.
++
+ systemctl:
+ 
+ * `$SYSTEMCTL_FORCE_BUS=1` ? if set, do not connect to PID1's private D-Bus
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index e7ef80f..17abfce 100644
+--- a/src/nspawn/nspawn-seccomp.c
++++ b/src/nspawn/nspawn-seccomp.c
+@@ -168,7 +168,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
+         int r;
+ 
+         if (!is_seccomp_available()) {
+-                log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
++                log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
+                 return 0;
+         }
+ 
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 958128c..cbab63c 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -19,6 +19,7 @@
+ #include "strv.h"
+ #include "util.h"
+ #include "errno-list.h"
++#include "env-util.h"
+ 
+ const uint32_t seccomp_local_archs[] = {
+ 
+@@ -242,10 +243,20 @@ static bool is_seccomp_filter_available(void) {
+ bool is_seccomp_available(void) {
+         static int cached_enabled = -1;
+ 
+-        if (cached_enabled < 0)
+-                cached_enabled =
+-                        is_basic_seccomp_available() &&
+-                        is_seccomp_filter_available();
++        if (cached_enabled < 0) {
++                int b;
++
++                b = getenv_bool_secure("SYSTEMD_SECCOMP");
++                if (b != 0) {
++                        if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
++                                log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
++
++                        cached_enabled =
++                                is_basic_seccomp_available() &&
++                                is_seccomp_filter_available();
++                } else
++                        cached_enabled = false;
++        }
+ 
+         return cached_enabled;
+ }
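Review bot: the switch is implemented in `is_seccomp_available()` in src/shared/seccomp-util.c and documented under `All tools:`, so `SYSTEMD_SECCOMP=0` disables seccomp for every caller of that shared helper, not only systemd-nspawn; the changelog entry presents it purely as an nspawn workaround, and the wider scope deserves a sentence there or in NEWS, since it removes a sandboxing layer wherever it is set. The failure handling is right: a value that fails to parse (`b < 0 && b != -ENXIO`) is logged and ignored so filtering stays enabled, and the unset case (`-ENXIO`) stays silent. Reading it through `getenv_bool_secure()` rather than plain getenv is also the correct choice for a knob that weakens confinement, as the secure variant ignores the variable in setuid/secure-execution contexts. One nit: `cached_enabled` is computed once, so the variable is only consulted on the first call in a process; a comment saying that a later `setenv()` has no effect would avoid surprises.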
diff --git a/debian/patches/series b/debian/patches/series
index 24dae93..a2bbd15 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -58,6 +58,8 @@ networkd-do-not-generate-MAC-for-bridge-device.patch
 journal-do-not-trigger-assertion-when-journal_file_close-.patch
 test-bpf-skip-test-when-run-inside-containers.patch
 tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
+core-make-sure-to-restore-the-control-command-id-too.patch
+seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch
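Review bot: both new patches are appended after the existing upstream cherry-picks and before the `debian/` patches, matching the ordering the series file already uses; fine as is.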