
Bug#985472: marked as done (buster-pu: package systemd/241-7~deb10u6)



Your message dated Sat, 27 Mar 2021 10:26:45 +0000
with message-id <702e3cb8159c9986264e966af79023672688a8a4.camel@adam-barratt.org.uk>
and subject line Closing p-u requests for fixes included in 10.9 point release
has caused the Debian Bug report #985472,
regarding buster-pu: package systemd/241-7~deb10u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
985472: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985472
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: kibi@debian.org, debian-boot@debian.org, pkg-systemd-maintainers@lists.alioth.debian.org

Hi,

I'd like to make a stable upload for systemd fixing two issues which
users explicitly requested.
Both issues are fixed in unstable and are direct cherry-picks from upstream.

Here's the annotated changelog:

systemd (241-7~deb10u7) buster; urgency=medium

  * core: make sure to restore the control command id, too.
    Fixes a segfault in systemd that can be triggered when both
    daemon-reload and a service restart happen concurrently. (Closes: #984495)

https://salsa.debian.org/systemd-team/systemd/-/commit/99b743134a64d35506bdea0aac36eda47a19fc1a

Happens rarely and is not easy to trigger. But a segfault in PID 1 is
never nice, so it seems worthwhile to fix.

  * seccomp: allow turning off of seccomp filtering via env var.
    Since glibc 2.33 faccessat() is implemented via faccessat2(), which
    is breaking running containers that use such a version of glibc under
    systemd-nspawn in Buster.
    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
    possible to run such new containers. (Closes: #984573)

https://salsa.debian.org/systemd-team/systemd/-/commit/e3268f6d9a2bdc739c55292d579a818f1190b77a

With buster becoming older, we have more and more distros that use glibc
2.33 (like Arch or Fedora) and can't be run under systemd-nspawn.
With the above env var it is possible to do so.



There are no changes related to udev, so d-i should not be affected.
But as we need an ack because of the udeb, I've CCed kibi/debian-boot as
usual.

Complete debdiff is attached.


Regards,
Michael
diff --git a/debian/changelog b/debian/changelog
index 61dcee2..d9b9f23 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+systemd (241-7~deb10u7) buster; urgency=medium
+
+  * core: make sure to restore the control command id, too.
+    Fixes a segfault in systemd that can be triggered when both
+    daemon-reload and a service restart happen concurrently. (Closes: #984495)
+  * seccomp: allow turning off of seccomp filtering via env var.
+    Since glibc 2.33 faccessat() is implemented via faccessat2(), which
+    is breaking running containers that use such a version of glibc under
+    systemd-nspawn in Buster.
+    Turning off seccomp filtering via the SYSTEMD_SECCOMP env var makes it
+    possible to run such new containers. (Closes: #984573)
+
+ -- Michael Biebl <biebl@debian.org>  Thu, 18 Mar 2021 20:59:14 +0100
+
 systemd (241-7~deb10u6) buster; urgency=medium
 
   * journal: do not trigger assertion when journal_file_close() get NULL
diff --git a/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
new file mode 100644
index 0000000..5df25ac
--- /dev/null
+++ b/debian/patches/core-make-sure-to-restore-the-control-command-id-too.patch
@@ -0,0 +1,27 @@
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 22 Apr 2020 20:34:02 +0200
+Subject: core: make sure to restore the control command id, too
+
+Fixes: #15356
+(cherry picked from commit e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac)
+---
+ src/core/service.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/core/service.c b/src/core/service.c
+index 5f5bcb3..eb66884 100644
+--- a/src/core/service.c
++++ b/src/core/service.c
+@@ -2689,9 +2689,10 @@ static int service_deserialize_exec_command(Unit *u, const char *key, const char
+                                 break;
+         }
+ 
+-        if (command && control)
++        if (command && control) {
+                 s->control_command = command;
+-        else if (command)
++                s->control_command_id = id;
++        } else if (command)
+                 s->main_command = command;
+         else
+                 log_unit_warning(u, "Current command vanished from the unit file, execution of the command list won't be resumed.");
diff --git a/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
new file mode 100644
index 0000000..12d823f
--- /dev/null
+++ b/debian/patches/seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
@@ -0,0 +1,79 @@
+From: Lennart Poettering <lennart@poettering.net>
+Date: Mon, 2 Nov 2020 14:51:10 +0100
+Subject: seccomp: allow turning off of seccomp filtering via env var
+
+Fixes: #17504
+
+Also suggested in: https://github.com/systemd/systemd/issues/17245#issuecomment-704773603
+
+(cherry picked from commit ce8f6d478e3f6c6a313fb19615aa5029bb18f86d)
+---
+ docs/ENVIRONMENT.md         |  3 +++
+ src/nspawn/nspawn-seccomp.c |  2 +-
+ src/shared/seccomp-util.c   | 19 +++++++++++++++----
+ 3 files changed, 19 insertions(+), 5 deletions(-)
+
+diff --git a/docs/ENVIRONMENT.md b/docs/ENVIRONMENT.md
+index 99b5b03..286a5e2 100644
+--- a/docs/ENVIRONMENT.md
++++ b/docs/ENVIRONMENT.md
+@@ -58,6 +58,9 @@ All tools:
+   this only controls use of Unicode emoji glyphs, and has no effect on other
+   Unicode glyphs.
+ 
++* `$SYSTEMD_SECCOMP=0` – if set, seccomp filters will not be enforced, even if
++  support for it is compiled in and available in the kernel.
++
+ systemctl:
+ 
+ * `$SYSTEMCTL_FORCE_BUS=1` — if set, do not connect to PID1's private D-Bus
+diff --git a/src/nspawn/nspawn-seccomp.c b/src/nspawn/nspawn-seccomp.c
+index e7ef80f..17abfce 100644
+--- a/src/nspawn/nspawn-seccomp.c
++++ b/src/nspawn/nspawn-seccomp.c
+@@ -168,7 +168,7 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_whitelist, char **sys
+         int r;
+ 
+         if (!is_seccomp_available()) {
+-                log_debug("SECCOMP features not detected in the kernel, disabling SECCOMP filterering");
++                log_debug("SECCOMP features not detected in the kernel or disabled at runtime, disabling SECCOMP filtering");
+                 return 0;
+         }
+ 
+diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
+index 958128c..cbab63c 100644
+--- a/src/shared/seccomp-util.c
++++ b/src/shared/seccomp-util.c
+@@ -19,6 +19,7 @@
+ #include "strv.h"
+ #include "util.h"
+ #include "errno-list.h"
++#include "env-util.h"
+ 
+ const uint32_t seccomp_local_archs[] = {
+ 
+@@ -242,10 +243,20 @@ static bool is_seccomp_filter_available(void) {
+ bool is_seccomp_available(void) {
+         static int cached_enabled = -1;
+ 
+-        if (cached_enabled < 0)
+-                cached_enabled =
+-                        is_basic_seccomp_available() &&
+-                        is_seccomp_filter_available();
++        if (cached_enabled < 0) {
++                int b;
++
++                b = getenv_bool_secure("SYSTEMD_SECCOMP");
++                if (b != 0) {
++                        if (b < 0 && b != -ENXIO) /* ENXIO: env var unset */
++                                log_debug_errno(b, "Failed to parse $SYSTEMD_SECCOMP value, ignoring.");
++
++                        cached_enabled =
++                                is_basic_seccomp_available() &&
++                                is_seccomp_filter_available();
++                } else
++                        cached_enabled = false;
++        }
+ 
+         return cached_enabled;
+ }
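Review bot: the failure direction in the seccomp-util hunk is the right one and worth keeping as is: `getenv_bool_secure("SYSTEMD_SECCOMP")` returns `-ENXIO` when the variable is unset and a negative errno on an unparsable value, and both cases fall into the `b != 0` branch and go on to probe the kernel, so a garbled value only produces a debug log line and never silently disables filtering; only an explicit false value reaches `cached_enabled = false`. Two points for the documentation hunk: first, because `cached_enabled` is `static`, the variable is consulted exactly once per process and has no effect if set after the first `is_seccomp_available()` call, which the ENVIRONMENT.md entry could state; second, the `_secure` variant means the variable is ignored for processes running with elevated privileges (secure_getenv semantics), which is the appropriate choice for a knob that weakens sandboxing and would also be useful to mention there, since an administrator who exports it for a setuid helper and sees no effect will otherwise be puzzled. Style nit in the same docs hunk: the new line uses an en dash (`–`) where the neighbouring `$SYSTEMCTL_FORCE_BUS=1` entry uses an em dash (`—`).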
diff --git a/debian/patches/series b/debian/patches/series
index 24dae93..a2bbd15 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -58,6 +58,8 @@ networkd-do-not-generate-MAC-for-bridge-device.patch
 journal-do-not-trigger-assertion-when-journal_file_close-.patch
 test-bpf-skip-test-when-run-inside-containers.patch
 tests-skip-test-bpf-only-when-we-re-100-sure-it-s-run-in-.patch
+core-make-sure-to-restore-the-control-command-id-too.patch
+seccomp-allow-turning-off-of-seccomp-filtering-via-env-va.patch
 debian/Use-Debian-specific-config-files.patch
 debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
 debian/Make-run-lock-tmpfs-an-API-fs.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.9

Hi,

Each of the updates referenced in these bugs was included in the 10.9
point release today.

Regards,

Adam

--- End Message ---
