Bug#782426: unblock: systemd/215-15

[Martin Pitt <mpitt@debian.org>]

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

systemd 215-15 hit unstable two days ago. There have been no new RC
bugs since 215-14, so for a change this is a "polishing" upload with
small and safe fixes for some corner cases. One was already
pre-approved.

So far there have been no regression reports, and these changes have
already been tested in experimental, Ubuntu, and upstream for a much
longer time, so I'm quite confident in them.

I attach the full debdiff between 215-14 and -15, but as usual I also
link to the individual commits on anonscm.

Note that there are zero changes for udev-udeb (for d-i).

Annotated changelog:

|systemd (215-15) unstable; urgency=medium
|
|  [ Adam Conrad ]
|  * debian/systemd.{triggers,postinst}: Trigger a systemctl daemon-reload
|    when init scripts are installed or removed (Closes: #766429)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=e32b9e9b8b

Adam got this pre-ack'ed by the release team already. This doesn't
actually affect any existing package in Jessie, but there were several
reports about "I am packaging foo and stumbled over this". There might
also be some third-party packages which are affected by this. After
the update-rc.d fix in sysvinit for the same bug this really just
covers some small corner cases, but systemctl daemon-reload is
relatively cheap and quite safe (it's already called from update-rc.d,
invoke-rc.d, and various maintscripts).

|  [ Martin Pitt ]
|  * Fix getty restart loop when PTS device is gone. (Closes: #780711)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=72f6dc81

Backported from upstream, affects containers, simple declarative
change. No practical effect on "real iron" and VM installs as PTYs
don't just disappear there.

|  * Run timesyncd in virtual machines. (Closes: #762343)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=3138dc8dc5

Backported from upstream, affects VMs only, simple declarative change.
No practical effect on "real iron" installs. Also, in jessie timesyncd
is *not* enabled by default anyway (only in experimental), so it does
not even affect default installs in VMs.

|  * Make logind work in environments without CAP_SYS_ADMIN (mostly
|    containers). Thanks Christian Seiler for the backporting!
|    (Closes: #778608)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=50446f97

Backported from upstream. Affects containers only (i. e. makes
containers without CAP_SYS_ADMIN actually work). No practical effect
on real-iron and VMs as they do have CAP_SYS_ADMIN and this code
change only affects the fallback code paths in the error handling.

|  * Check for correct signatures when setting properties. Fixes systemd
|    getting stuck on trying to set invalid property types. (Closes: #781602)

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?id=bf86d1

Backported from upstream. Affects all kinds of installations. I'd like
to get this in as without the type check it's very simple to send an
ill-typed D-Bus property set request to essentially wreck pid 1. The
code change is straightforward (just an additional type check).

| -- Martin Pitt <mpitt@debian.org>  Thu, 09 Apr 2015 10:12:37 +0200

Thanks for considering,

Martin

unblock systemd/215-15

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

diff --git a/debian/changelog b/debian/changelog
index b5ac97e..929502c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,20 @@
+systemd (215-15) unstable; urgency=medium
+
+  [ Adam Conrad ]
+  * debian/systemd.{triggers,postinst}: Trigger a systemctl daemon-reload
+    when init scripts are installed or removed (Closes: #766429)
+
+  [ Martin Pitt ]
+  * Fix getty restart loop when PTS device is gone. (Closes: #780711)
+  * Run timesyncd in virtual machines. (Closes: #762343)
+  * Make logind work in environments without CAP_SYS_ADMIN (mostly
+    containers). Thanks Christian Seiler for the backporting!
+    (Closes: #778608)
+  * Check for correct signatures when setting properties. Fixes systemd
+    getting stuck on trying to set invalid property types. (Closes: #781602)
+
+ -- Martin Pitt <mpitt@debian.org>  Thu, 09 Apr 2015 10:12:37 +0200
+
 systemd (215-14) unstable; urgency=medium
 
   [ Michael Biebl ]
diff --git a/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch b/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch
new file mode 100644
index 0000000..d5ab4ae
--- /dev/null
+++ b/debian/patches/logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch
@@ -0,0 +1,56 @@
+From: Christian Seiler <christian@iwakd.de>
+Date: Wed, 8 Apr 2015 11:11:46 +0200
+Subject: logind: handle runtime dir without CAP_SYS_ADMIN
+
+In (e.g. LXC) containers without CAP_SYS_ADMIN, logind fails to mount
+a tmpfs over /run/user/$UID (lacking mount permissions).
+
+Now, logind will resort to chown+chmod of the directory instead. This
+allows logind to still work in those environments, although without
+the guarantees it provides (i.e. users not being able to DoS /run or
+other users' /run/user/$UID space) when CAP_SYS_ADMIN is available.
+---
+ src/login/logind-user.c | 23 ++++++++++++++++++++---
+ 1 file changed, 20 insertions(+), 3 deletions(-)
+
+diff --git a/src/login/logind-user.c b/src/login/logind-user.c
+index fdbccb3..b5e58c1 100644
+--- a/src/login/logind-user.c
++++ b/src/login/logind-user.c
+@@ -332,8 +332,21 @@ static int user_mkdir_runtime_path(User *u) {
+ 
+                 r = mount("tmpfs", p, "tmpfs", MS_NODEV|MS_NOSUID, t);
+                 if (r < 0) {
+-                        log_error("Failed to mount per-user tmpfs directory %s: %s", p, strerror(-r));
+-                        goto fail;
++                        r = -errno;
++                        if (r != -EPERM) {
++                                log_error("Failed to mount per-user tmpfs directory %s: %m", p);
++                                goto fail;
++                        }
++
++                        /* Lacking permissions, maybe
++                         * CAP_SYS_ADMIN-less container? In this case,
++                         * just use a normal director. */
++
++                        r = chmod_and_chown(p, 0700, u->uid, u->gid);
++                        if (r < 0) {
++                                log_error("Failed to change runtime directory ownership and mode: %s", strerror(-r));
++                                goto fail;
++                        }
+                 }
+         }
+ 
+@@ -341,7 +354,11 @@ static int user_mkdir_runtime_path(User *u) {
+         return 0;
+ 
+ fail:
+-        free(p);
++        if (p) {
++                /* Try to clean up, but ignore errors */
++                (void) rmdir(p);
++                free(p);
++        }
+         u->runtime_path = NULL;
+         return r;
+ }
diff --git a/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch b/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch
new file mode 100644
index 0000000..be4228f
--- /dev/null
+++ b/debian/patches/sd-bus-create-clean-error-when-a-property-Set-call-w.patch
@@ -0,0 +1,37 @@
+From: Lennart Poettering <lennart@poettering.net>
+Date: Thu, 20 Nov 2014 20:58:39 +0100
+Subject: sd-bus: create clean error when a property Set() call with incorrect
+ signature is passed in
+
+---
+ src/libsystemd/sd-bus/bus-objects.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
+index dbb04e5..d8ee8ff 100644
+--- a/src/libsystemd/sd-bus/bus-objects.c
++++ b/src/libsystemd/sd-bus/bus-objects.c
+@@ -619,6 +619,9 @@ static int property_get_set_callbacks_run(
+                         return r;
+ 
+         } else {
++                const char *signature = NULL;
++                char type = 0;
++
+                 if (c->vtable->type != _SD_BUS_VTABLE_WRITABLE_PROPERTY)
+                         return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_PROPERTY_READ_ONLY, "Property '%s' is not writable.", c->member);
+ 
+@@ -630,6 +633,13 @@ static int property_get_set_callbacks_run(
+ 
+                 c->last_iteration = bus->iteration_counter;
+ 
++                r = sd_bus_message_peek_type(m, &type, &signature);
++                if (r < 0)
++                        return r;
++
++                if (type != 'v' || !streq(strempty(signature), strempty(c->vtable->x.property.signature)))
++                        return sd_bus_reply_method_errorf(m, SD_BUS_ERROR_INVALID_ARGS, "Incorrect parameters for property '%s', expected '%s', got '%s'.", c->member, strempty(c->vtable->x.property.signature), strempty(signature));
++
+                 r = sd_bus_message_enter_container(m, 'v', c->vtable->x.property.signature);
+                 if (r < 0)
+                         return r;
diff --git a/debian/patches/series b/debian/patches/series
index 450d093..1fdc97f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -144,6 +144,10 @@ scope-make-attachment-of-initial-PIDs-a-bit-more-rob.patch
 journald-also-increase-the-SendBuffer-of-dev-log-to-.patch
 list-add-macro-for-iterating-through-a-list-an-item-.patch
 core-if-two-start-jobs-for-the-same-swap-device-node.patch
+units-make-sure-container-getty-.service-stops-resta.patch
+timesyncd-enable-timesyncd-in-virtual-machines.patch
+logind-handle-runtime-dir-without-CAP_SYS_ADMIN.patch
+sd-bus-create-clean-error-when-a-property-Set-call-w.patch
 
 ## Debian specific patches:
 Add-back-support-for-Debian-specific-config-files.patch
diff --git a/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch b/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch
new file mode 100644
index 0000000..48752e9
--- /dev/null
+++ b/debian/patches/timesyncd-enable-timesyncd-in-virtual-machines.patch
@@ -0,0 +1,35 @@
+From: Kay Sievers <kay@vrfy.org>
+Date: Sun, 15 Mar 2015 19:44:59 +0100
+Subject: timesyncd: enable timesyncd in virtual machines
+
+On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote:
+> Currently systemd-timesyncd.service includes
+> ConditionVirtualization=no, disabling it in both containers and
+> virtual machines. Each VM platform tends to deal with or ignore the
+> time problem in their own special ways, KVM/QEMU has the kernel time
+> source kvm-clock, Xen has had different schemes over the years, VMware
+> expects a userspace daemon sync the clock, and other platforms are
+> content to drift with the wind as far as I can tell.
+>
+> I don't know of a robust way to know if a platform needs a little
+> extra help from userspace to keep the clock sane or not but it seems
+> generally safer to try than to risk drifting. Does anyone know of a
+> reason to leave timesyncd off by default? Otherwise switching to
+> ConditionVirtualization=!container should be reasonable.
+---
+ units/systemd-timesyncd.service.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
+index 39edafc..8219c95 100644
+--- a/units/systemd-timesyncd.service.in
++++ b/units/systemd-timesyncd.service.in
+@@ -9,7 +9,7 @@
+ Description=Network Time Synchronization
+ Documentation=man:systemd-timesyncd.service(8)
+ ConditionCapability=CAP_SYS_TIME
+-ConditionVirtualization=no
++ConditionVirtualization=!container
+ DefaultDependencies=no
+ RequiresMountsFor=/var/lib/systemd/clock
+ After=systemd-remount-fs.service systemd-tmpfiles-setup.service systemd-sysusers.service
diff --git a/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch b/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch
new file mode 100644
index 0000000..259a2a1
--- /dev/null
+++ b/debian/patches/units-make-sure-container-getty-.service-stops-resta.patch
@@ -0,0 +1,25 @@
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 9 Dec 2014 02:12:11 +0100
+Subject: units: make sure container-getty@.service stops restarting when the
+ pts device it is bound to is gone
+
+We only want to restart the getty as long as the pts device is still
+around. As soon as it is gone, the service should be removed to.
+
+http://lists.freedesktop.org/archives/systemd-devel/2014-December/026048.html
+---
+ units/container-getty@.service.m4.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/units/container-getty@.service.m4.in b/units/container-getty@.service.m4.in
+index 4f7794b..5120466 100644
+--- a/units/container-getty@.service.m4.in
++++ b/units/container-getty@.service.m4.in
+@@ -14,6 +14,7 @@ After=rc-local.service
+ )m4_dnl
+ Before=getty.target
+ IgnoreOnIsolate=yes
++ConditionPathExists=/dev/pts/%I
+ 
+ [Service]
+ ExecStart=-/sbin/agetty --noclear --keep-baud pts/%I 115200,38400,9600 $TERM
diff --git a/debian/systemd.postinst b/debian/systemd.postinst
index de92c57..7a45dbf 100644
--- a/debian/systemd.postinst
+++ b/debian/systemd.postinst
@@ -12,9 +12,19 @@ _update_catalog() {
     journalctl --update-catalog || true
 }
 
-# Update Message Catalogs database in response to dpkg trigger
+# Update Message Catalogs database and reload in response to dpkg triggers
 if [ "$1" = "triggered" ]; then
-    _update_catalog
+    shift
+    for trigger in "$@"; do
+        case $trigger in
+            /usr/lib/systemd/catalog)
+                _update_catalog
+                ;;
+            /etc/init.d)
+                _systemctl daemon-reload
+                ;;
+        esac
+    done
     exit 0
 fi
 
diff --git a/debian/systemd.triggers b/debian/systemd.triggers
index 69246ec..299a3f9 100644
--- a/debian/systemd.triggers
+++ b/debian/systemd.triggers
@@ -1 +1,2 @@
 interest-noawait /usr/lib/systemd/catalog
+interest-noawait /etc/init.d

Attachment: signature.asc
Description: Digital signature