+systemd (242-3) experimental; urgency=medium
+
+ [ Dan Streetman ]
+ * d/t/boot-and-services: fix test_failing()
+ * d/t/boot-and-services: check for any kernel message, not just first kernel
+ message (Closes: #929730)
+ * d/t/upstream: add TEST-30, TEST-34 to blacklist
+ * d/t/timedated: replace systemctl is-active with systemctl show
+ * d/t/control: root-unittests can break networking, add breaks-testbed
+ * d/t/control: mark udev test skippable
+ * d/t/upstream: always cleanup after (and before) each test
+ * d/t/control: upstream test requires dmeventd
+ * d/e/checkout-upstream: don't remove .git
+ * d/e/checkout-upstream: move change to debian/ files above other changes
+ * d/e/checkout-upstream: add UPSTREAM_KEEP_CHANGELOG param
+ * d/e/checkout-upstream: create git commits for each change
+ * d/e/checkout-upstream: switch from 'quilt' to 'native' format
+ * d/e/checkout-upstream: set user.name, user.email if unset
+ * d/t/storage: change plaintext_name to include testname
+ * d/t/storage: increase wait for plaintext_dev from 5 to 30 seconds
+ * d/t/storage: wait for service to start, only stop if active
+ * d/t/storage: don't search for 'scsi_debug' in ask_password
+ * d/t/storage: manage scsi_debug using add_hosts (Closes: #929728)
+ * d/t/storage: use short timeout waiting for scsi_debug block dev to appear
+ * d/t/storage: convert password agent into normal Thread
+ * d/t/storage: fail if socket info not in ask_password contents
+ * d/t/boot-smoke: pass failure reason to fail() to print instead of separate
+ echo
+ * d/t/boot-smoke: in fail() set +e so errors are ignored while gathering
+ data
+ * d/t/boot-smoke: gather still running jobs in fail()
+ * d/t/boot-smoke: wait for is-system-running
+ * d/t/boot-smoke: call fail if pidof polkitd fails
+ * d/t/boot-smoke: remove check for running jobs
+
+ [ Michael Biebl ]
+ * d/t/boot-smoke: check for NetworkManager instead of D-Bus activated
+ polkitd (Closes: #934992)
+
+ -- Michael Biebl <biebl@debian.org> Wed, 21 Aug 2019 00:12:22 +0200
+
+systemd (242-2) experimental; urgency=medium
+
+ [ Michael Biebl ]
+ * Drop dependency on lsb-base.
+ It is only needed when booting with sysvinit and initscripts, but
+ initscripts already Depends on lsb-base (see #864999).
+ * Stop removing enablement symlinks in /etc/systemd/system.
+ With v242 this is no longer necessary as `ninja install` will no longer
+ create those symlinks.
+ * Replace manual removal of halt-local.service with upstream patch
+
+ [ Dimitri John Ledkov ]
+ * Build manpages in .deb variant.
+ Upstream snapshots are switching to building manpages off by default.
+
+ [ Luca Boccassi ]
+ * Enable portabled and install related files in systemd-container.
+ Keep disabled for the udeb profile. (Closes: #918606)
+
+ -- Michael Biebl <biebl@debian.org> Fri, 07 Jun 2019 22:41:50 +0200
+
+systemd (242-1) experimental; urgency=medium
+
+ * New upstream version 242
+ - Change ownership/mode of the execution directories also for static users
+ (Closes: #919231)
+ - A new boolean sandboxing option RestrictSUIDSGID= has been added that is
+ built on seccomp. When turned on, creation of SUID/SGID files is
+ prohibited. The NoNewPrivileges= and the new RestrictSUIDSGID= options
+ are now implied if DynamicUser= is turned on for a service.
+ (Closes: #928102, CVE-2019-3843, CVE-2019-3844)
+ * Drop Revert-udev-network-device-renaming-immediately-give.patch.
+ This patch needs ongoing maintenance work to be adapted to new releases
+ and fails to apply with v242. Instead of investing more time into it we
+ are going to drop the patch as it was a hack anyway.
+ * Rebase patches
+ * Drop pre-stretch migration code
+ * Drop /sbin/udevadm compat symlink (Closes: #852580)
+ * socket-util: Make sure flush_accept() doesn't hang on unexpected
+ EOPNOTSUPP
+ * Enable regexp matching support in journalctl using pcre2 (Closes: #898892)
+ * Switch from libidn to libidn2 (Closes: #928615)
+
+ -- Michael Biebl <biebl@debian.org> Wed, 08 May 2019 01:33:56 +0200
+
+ systemd (241-7) unstable; urgency=medium
+
+ [ Michael Biebl ]
+ * network: Fix failure to bring up interface with Linux kernel 5.2.
+ Backport two patches from systemd master in order to fix a bug with 5.2
+ kernels where the network interface fails to come up with the following
+ error: "enp3s0: Could not bring up interface: Invalid argument"
+ (Closes: #931636)
+ * Use /usr/sbin/nologin as nologin shell.
+ In Debian the nologin shell is installed in /usr/sbin, not /sbin.
+ (Closes: #931850)
+
+ [ Mert Dirik ]
+ * 40-systemd: Don't fail if SysV init script uses set -u and $1 is unset
+ (Closes: #931719)
+
+ -- Michael Biebl <biebl@debian.org> Thu, 18 Jul 2019 19:38:23 +0200
+
+ systemd (241-6) unstable; urgency=medium
+
+ * ask-password: Prevent buffer overflow when reading from keyring.
+ Fixes a possible memory corruption that causes systemd-cryptsetup to
+ crash either when a single large password is used or when multiple
+ passwords have already been pushed to the keyring. (Closes: #929726)
+ * Clarify documentation regarding %h/%u/%U specifiers.
+ Make it clear, that setting "User=" has no effect on those specifiers.
+ Also ensure that "%h" is actually resolved to "/root" for the system
+ manager instance as documented in the systemd.unit man page.
+ (Closes: #927911)
+ * network: Behave more gracefully when IPv6 has been disabled.
+ Ignore any configured IPv6 settings when IPv6 has been disabled in the
+ kernel via sysctl. Instead of failing completely, continue and log a
+ warning instead. (Closes: #929469)
+
+ -- Michael Biebl <biebl@debian.org> Mon, 08 Jul 2019 11:27:51 +0200
+
+ systemd (241-5) unstable; urgency=medium
+
+ * Revert "Add check to switch VTs only between K_XLATE or K_UNICODE"
+ This change left the keyboard in an unusable state when exiting an X
+ session. (Closes: #929229)
+
+ -- Michael Biebl <biebl@debian.org> Fri, 24 May 2019 22:58:59 +0200
+
+ systemd (241-4) unstable; urgency=medium
+
+ * journal-remote: Do not request Content-Length if Transfer-Encoding is
+ chunked (Closes: #927008)
+ * systemctl: Restore "systemctl reboot ARG" functionality.
+ Fixes a regression introduced in v240. (Closes: #928659)
+ * random-util: Eat up bad RDRAND values seen on AMD CPUs.
+ Some AMD CPUs return bogus data via RDRAND after a suspend/resume cycle
+ while still reporting success via the carry flag.
+ Filter out invalid data like -1 (and also 0, just to be sure).
+ (Closes: #921267)
+ * Add check to switch VTs only between K_XLATE or K_UNICODE.
+ Switching to K_UNICODE from other than L_XLATE can make the keyboard
+ unusable and possibly leak keypresses from X.
+ (CVE-2018-20839, Closes: #929116)
+ * Document that DRM render nodes are now owned by group "render"
+ (Closes: #926886)
+
+ -- Michael Biebl <biebl@debian.org> Fri, 17 May 2019 21:16:33 +0200
+
systemd (241-3) unstable; urgency=high
[ Michael Biebl ]
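Review bot: the 241-5 entry reverts the K_XLATE/K_UNICODE VT-switch check that 241-4 introduced for CVE-2018-20839 (#929116) because it left the keyboard unusable on X session exit (#929229), but nothing in this changelog hunk says whether the keypress-leak problem is left open or handled differently afterwards, and no later entry mentions it again. A pointer to the follow-up, or an explicit "reopens CVE-2018-20839" remark, would help anyone auditing the package's CVE status from the changelog alone.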
--- /dev/null
-From: Michael Biebl <biebl@debian.org>
-Date: Thu, 27 Jun 2019 15:02:40 +0200
++From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
++Date: Mon, 13 May 2019 16:58:01 -0300
+ Subject: ask-password: prevent buffer overflow when reading from keyring
+
+ When we read from keyring, a temporary buffer is allocated in order to
+ determine the size needed for the entire data. However, when zeroing that area,
+ we use the data size returned by the read instead of the lesser size allocate
+ for the buffer.
+
+ That will cause memory corruption that causes systemd-cryptsetup to crash
+ either when a single large password is used or when multiple passwords have
+ already been pushed to the keyring.
+
+ Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+ (cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
+ ---
+ src/shared/ask-password-api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+ diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
-index 072bf72..97a800f 100644
++index ab0c346..6c0a369 100644
+ --- a/src/shared/ask-password-api.c
+ +++ b/src/shared/ask-password-api.c
-@@ -81,7 +81,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
++@@ -80,7 +80,7 @@ static int retrieve_key(key_serial_t serial, char ***ret) {
+ if (n < m)
+ break;
+
+ - explicit_bzero_safe(p, n);
+ + explicit_bzero_safe(p, m);
- free(p);
- m *= 2;
- }
++
++ if (m > LONG_MAX / 2) /* overflow check */
++ return -ENOMEM;
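Review bot: the one-line fix `explicit_bzero_safe(p, m)` is correct: `n` is the key length reported by the read, `m` is the size actually allocated for `p`, and the loop only breaks once `n < m`, so on the `n >= m` path the old `explicit_bzero_safe(p, n)` zeroed past the end of the heap buffer, which is the systemd-cryptsetup crash the commit message describes. What needs checking before merging is that the two revisions of this patch file carry different trailing context (the old one shows `free(p); m *= 2;`, the new one an `if (m > LONG_MAX / 2) return -ENOMEM;` overflow guard), so confirm the refreshed patch still applies cleanly to the ab0c346 revision of ask-password-api.c rather than relying on fuzz.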
--- /dev/null
-index 561f956..bc7fcc6 100644
+ From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+ Date: Tue, 21 May 2019 19:26:12 +0200
+ Subject: core: unset HOME=/ that the kernel gives us
+
+ Partially fixes #12389.
+
+ %h would return "/" in a machine, but "/root" in a container. Let's fix
+ this by resetting $HOME to the expected value.
+
+ (cherry picked from commit 9d48671c62de133a2b9fe7c31e70c0ff8e68f2db)
+ ---
+ src/core/main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+ diff --git a/src/core/main.c b/src/core/main.c
-@@ -1503,6 +1503,11 @@ static int fixup_environment(void) {
++index 46db471..dffead5 100644
+ --- a/src/core/main.c
+ +++ b/src/core/main.c
++@@ -1504,6 +1504,11 @@ static int fixup_environment(void) {
+ if (setenv("TERM", t, 1) < 0)
+ return -errno;
+
+ + /* The kernels sets HOME=/ for init. Let's undo this. */
+ + if (path_equal_ptr(getenv("HOME"), "/") &&
+ + unsetenv("HOME") < 0)
+ + log_warning_errno(errno, "Failed to unset $HOME: %m");
+ +
+ return 0;
+ }
+
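Review bot: the commit message says $HOME is reset "to the expected value", but the code only calls `unsetenv("HOME")` when it is exactly `/`; that is only correct if the %h specifier falls back to the passwd database when $HOME is absent, which is worth confirming and stating in the comment. The comment itself has a typo: `The kernels sets HOME=/ for init` should read `The kernel sets`. The narrow `path_equal_ptr(getenv("HOME"), "/")` test is fine as is: any other inherited value is left untouched, so a container or initrd that sets a different HOME is not affected.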
2 files changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/core/main.c b/src/core/main.c
- index 46db471..bbeea77 100644
-index bc7fcc6..87bee9f 100644
++index dffead5..adacad6 100644
--- a/src/core/main.c
+++ b/src/core/main.c
- @@ -2453,8 +2453,6 @@ int main(int argc, char *argv[]) {
-@@ -2459,8 +2459,6 @@ int main(int argc, char *argv[]) {
++@@ -2458,8 +2458,6 @@ int main(int argc, char *argv[]) {
kernel_timestamp = DUAL_TIMESTAMP_NULL;
}
+
+</refentry>
diff --git a/meson.build b/meson.build
- index 71e08d7..c4ec42c 100644
-index 3afe168..b340139 100644
++index 1166a2b..760b393 100644
--- a/meson.build
+++ b/meson.build
- @@ -2413,6 +2413,14 @@ executable('systemd-makefs',
-@@ -2396,6 +2396,14 @@ executable('systemd-makefs',
++@@ -2414,6 +2414,14 @@ executable('systemd-makefs',
install : true,
install_dir : rootlibexecdir)
--- /dev/null
-index f21f9ea..be6355d 100644
+ From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+ Date: Tue, 21 May 2019 19:31:49 +0200
+ Subject: man: add note that %h/%u/%U are mostly useless
+
+ Fixes #12389.
+
+ (cherry picked from commit b4e2407716731d1ce099bad1c2778f7a4424ed2e)
+ ---
+ man/systemd.unit.xml | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+ diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
-@@ -1580,7 +1580,9 @@
++index 81a0225..ae834f0 100644
+ --- a/man/systemd.unit.xml
+ +++ b/man/systemd.unit.xml
-@@ -1670,12 +1672,16 @@
++@@ -1597,7 +1597,9 @@
+ <row>
+ <entry><literal>%h</literal></entry>
+ <entry>User home directory</entry>
+ - <entry>This is the home directory of the user running the service manager instance. In case of the system manager this resolves to <literal>/root</literal>.</entry>
+ + <entry>This is the home directory of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>/root</literal>.
+ +
+ +Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%H</literal></entry>
++@@ -1687,12 +1689,16 @@
+ <row>
+ <entry><literal>%u</literal></entry>
+ <entry>User name</entry>
+ - <entry>This is the name of the user running the service manager instance. In case of the system manager this resolves to <literal>root</literal>.</entry>
+ + <entry>This is the name of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>root</literal>.
+ +
+ +Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%U</literal></entry>
+ <entry>User UID</entry>
+ - <entry>This is the numeric UID of the user running the service manager instance. In case of the system manager this resolves to <literal>0</literal>.</entry>
+ + <entry>This is the numeric UID of the <emphasis>user running the service manager instance</emphasis>. In case of the system manager this resolves to <literal>0</literal>.
+ +
+ +Note that this setting is <emphasis>not</emphasis> influenced by the <varname>User=</varname> setting configurable in the [Service] section of the service unit.</entry>
+ </row>
+ <row>
+ <entry><literal>%v</literal></entry>
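Review bot: the same "not influenced by the User= setting" sentence is pasted verbatim into the %h, %u and %U entries; one note with cross-references would be easier to keep in sync, though matching the upstream cherry-pick as is is defensible. The substance is correct and worth keeping in the table: a unit with `User=` set still expands these specifiers to the service manager's home, name and UID (`/root`, `root` and `0` for the system instance), not the service user's, so unit authors must not use them to build per-user paths or ownership under `User=`.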
--- /dev/null
-index 5742d89..5100cd0 100644
+ From: Michael Biebl <biebl@debian.org>
+ Date: Thu, 18 Jul 2019 01:24:00 +0200
+ Subject: meson: make nologin path build time configurable
+
+ Some distros install nologin as /usr/sbin/nologin, others as
+ /sbin/nologin.
+ Since we can't really on merged-usr everywhere (where the path wouldn't
+ matter), make the path build time configurable via -Dnologin-path=.
+
+ Closes #13028
+
+ (cherry picked from commit 6db904625d413739c480ddbe7667d3f40acc4ae0)
+ ---
+ man/nss-mymachines.xml | 4 ++--
+ man/sysusers.d.xml | 4 ++--
+ meson.build | 1 +
+ meson_options.txt | 1 +
+ src/basic/user-util.c | 4 ++--
+ src/nss-mymachines/nss-mymachines.c | 4 ++--
+ src/nss-systemd/nss-systemd.c | 4 ++--
+ src/sysusers/sysusers.c | 2 +-
+ src/test/test-user-util.c | 4 ++--
+ test/TEST-21-SYSUSERS/test-1.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-10.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test-11.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-12.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-2.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-3.expected-passwd | 8 +++----
+ test/TEST-21-SYSUSERS/test-4.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test-5.expected-passwd | 34 +++++++++++++--------------
+ test/TEST-21-SYSUSERS/test-6.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-7.expected-passwd | 10 ++++----
+ test/TEST-21-SYSUSERS/test-8.expected-passwd | 2 +-
+ test/TEST-21-SYSUSERS/test-9.expected-passwd | 4 ++--
+ test/TEST-21-SYSUSERS/test.sh | 9 ++++++-
+ 22 files changed, 61 insertions(+), 52 deletions(-)
+
+ diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
-@@ -101,8 +101,8 @@ MACHINE CLASS SERVICE OS VERSION ADDRESSES
++index ed03035..40b0abe 100644
+ --- a/man/nss-mymachines.xml
+ +++ b/man/nss-mymachines.xml
-index e47d36c..b470532 100644
++@@ -98,8 +98,8 @@ MACHINE CLASS SERVICE OS VERSION ADDRESSES
+ rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
+
+ $ getent passwd vu-rawhide-0 vu-rawhide-81
+ -vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/sbin/nologin
+ -vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/sbin/nologin
+ +vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
+ +vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
+
+ $ getent group vg-rawhide-0 vg-rawhide-81
+ vg-rawhide-0:*:20119552:
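Review bot: the commit message for this patch has a typo, `Since we can't really on merged-usr everywhere` should read `rely on`. The updated getent example output is consistent with the new default path.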
+ diff --git a/man/sysusers.d.xml b/man/sysusers.d.xml
-@@ -207,12 +207,12 @@ u root 0 "Superuser" /root /bin/zsh</pro
++index 4314732..2e93715 100644
+ --- a/man/sysusers.d.xml
+ +++ b/man/sysusers.d.xml
-index d340736..3afe168 100644
++@@ -206,12 +206,12 @@ u root 0 "Superuser" /root /bin/zsh</pro
+ <title>Shell</title>
+
+ <para>The login shell of the user. If not specified, this will be set to
+ - <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
+ + <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
+ which case <filename>/bin/sh</filename> will be used.</para>
+
+ <para>Only applies to lines of type <varname>u</varname> and should otherwise
+ be left unset (or <literal>-</literal>). It is recommended to omit this, unless
+ - a shell different <filename>/sbin/nologin</filename> must be used.</para>
+ + a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
+ </refsect2>
+ </refsect1>
+
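Review bot: style only. The changed sentence still reads `a shell different /usr/sbin/nologin must be used`; while touching the line it would be worth adding the missing "from" (`a shell different from <filename>/usr/sbin/nologin</filename>`).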
+ diff --git a/meson.build b/meson.build
-@@ -611,6 +611,7 @@ progs = [['quotaon', '/usr/sbin/quotaon' ],
++index 71e08d7..1166a2b 100644
+ --- a/meson.build
+ +++ b/meson.build
-index 044bb79..6304511 100644
++@@ -623,6 +623,7 @@ progs = [['quotaon', '/usr/sbin/quotaon' ],
+ ['umount', '/usr/bin/umount', 'UMOUNT_PATH'],
+ ['loadkeys', '/usr/bin/loadkeys', 'KBD_LOADKEYS'],
+ ['setfont', '/usr/bin/setfont', 'KBD_SETFONT'],
+ + ['nologin', '/usr/sbin/nologin', ],
+ ]
+ foreach prog : progs
+ path = get_option(prog[0] + '-path')
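Review bot: the new entry `['nologin', '/usr/sbin/nologin', ],` omits the third element (the `'UMOUNT_PATH'` / `'KBD_LOADKEYS'` style define name) that the neighbouring entries carry, while the C changes in this patch consume a `NOLOGIN` macro. The loop body that turns `prog[0]` into a define is outside the hunk, so confirm that the default name derived from `nologin` is exactly `NOLOGIN` and that it is emitted as a quoted string; otherwise `src/basic/user-util.c`, the NSS modules and `sysusers.c` fail to compile. The trailing comma inside the brackets is harmless in meson but inconsistent with the other entries.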
+ diff --git a/meson_options.txt b/meson_options.txt
-@@ -43,6 +43,7 @@ option('mount-path', type : 'string', description : 'path to mount')
++index e1f700a..db9f041 100644
+ --- a/meson_options.txt
+ +++ b/meson_options.txt
-index 260f3d2..78656d9 100644
++@@ -41,6 +41,7 @@ option('mount-path', type : 'string', description : 'path to mount')
+ option('umount-path', type : 'string', description : 'path to umount')
+ option('loadkeys-path', type : 'string', description : 'path to loadkeys')
+ option('setfont-path', type : 'string', description : 'path to setfont')
+ +option('nologin-path', type : 'string', description : 'path to nologin')
+
+ option('debug-shell', type : 'string', value : '/bin/sh',
+ description : 'path to debug shell binary')
+ diff --git a/src/basic/user-util.c b/src/basic/user-util.c
-@@ -522,7 +522,7 @@ int get_shell(char **_s) {
++index a479590..050ce6a 100644
+ --- a/src/basic/user-util.c
+ +++ b/src/basic/user-util.c
+ @@ -146,7 +146,7 @@ static int synthesize_user_creds(
+ *home = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/";
+
+ if (shell)
+ - *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : "/sbin/nologin";
+ + *shell = FLAGS_SET(flags, USER_CREDS_CLEAN) ? NULL : NOLOGIN;
+
+ return 0;
+ }
-index 486a658..d576e69 100644
++@@ -536,7 +536,7 @@ int get_shell(char **_s) {
+ }
+ if (synthesize_nobody() &&
+ u == UID_NOBODY) {
+ - s = strdup("/sbin/nologin");
+ + s = strdup(NOLOGIN);
+ if (!s)
+ return -ENOMEM;
+
+ diff --git a/src/nss-mymachines/nss-mymachines.c b/src/nss-mymachines/nss-mymachines.c
-@@ -501,7 +501,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
++index 0e76c43..364356d 100644
+ --- a/src/nss-mymachines/nss-mymachines.c
+ +++ b/src/nss-mymachines/nss-mymachines.c
-@@ -581,7 +581,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
++@@ -503,7 +503,7 @@ enum nss_status _nss_mymachines_getpwnam_r(
+ pwd->pw_gecos = buffer;
+ pwd->pw_passwd = (char*) "*"; /* locked */
+ pwd->pw_dir = (char*) "/";
+ - pwd->pw_shell = (char*) "/sbin/nologin";
+ + pwd->pw_shell = (char*) NOLOGIN;
+
+ return NSS_STATUS_SUCCESS;
+
-index f8db27a..0ca0e8d 100644
++@@ -583,7 +583,7 @@ enum nss_status _nss_mymachines_getpwuid_r(
+ pwd->pw_gecos = buffer;
+ pwd->pw_passwd = (char*) "*"; /* locked */
+ pwd->pw_dir = (char*) "/";
+ - pwd->pw_shell = (char*) "/sbin/nologin";
+ + pwd->pw_shell = (char*) NOLOGIN;
+
+ return NSS_STATUS_SUCCESS;
+
+ diff --git a/src/nss-systemd/nss-systemd.c b/src/nss-systemd/nss-systemd.c
-@@ -23,7 +23,7 @@
++index 8beae06..8ef1cd5 100644
+ --- a/src/nss-systemd/nss-systemd.c
+ +++ b/src/nss-systemd/nss-systemd.c
-@@ -42,7 +42,7 @@ static const struct passwd nobody_passwd = {
++@@ -24,7 +24,7 @@
+ #define DYNAMIC_USER_GECOS "Dynamic User"
+ #define DYNAMIC_USER_PASSWD "*" /* locked */
+ #define DYNAMIC_USER_DIR "/"
+ -#define DYNAMIC_USER_SHELL "/sbin/nologin"
+ +#define DYNAMIC_USER_SHELL NOLOGIN
+
+ static const struct passwd root_passwd = {
+ .pw_name = (char*) "root",
-index df28bcf..91d46a7 100644
++@@ -43,7 +43,7 @@ static const struct passwd nobody_passwd = {
+ .pw_gid = GID_NOBODY,
+ .pw_gecos = (char*) "User Nobody",
+ .pw_dir = (char*) "/",
+ - .pw_shell = (char*) "/sbin/nologin",
+ + .pw_shell = (char*) NOLOGIN,
+ };
+
+ static const struct group root_group = {
+ diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
-index 801824a..2e303ad 100644
++index 843c383..a55a16c 100644
+ --- a/src/sysusers/sysusers.c
+ +++ b/src/sysusers/sysusers.c
+ @@ -361,7 +361,7 @@ static int rename_and_apply_smack(const char *temp_path, const char *dest_path)
+ }
+
+ static const char* default_shell(uid_t uid) {
+ - return uid == 0 ? "/bin/sh" : "/sbin/nologin";
+ + return uid == 0 ? "/bin/sh" : NOLOGIN;
+ }
+
+ static int write_temporary_passwd(const char *passwd_path, FILE **tmpfile, char **tmpfile_path) {
+ diff --git a/src/test/test-user-util.c b/src/test/test-user-util.c
++index 1a507bc..73f4834 100644
+ --- a/src/test/test-user-util.c
+ +++ b/src/test/test-user-util.c
+ @@ -205,8 +205,8 @@ int main(int argc, char *argv[]) {
+
+ test_get_user_creds_one("root", "root", 0, 0, "/root", "/bin/sh");
+ test_get_user_creds_one("0", "root", 0, 0, "/root", "/bin/sh");
+ - test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+ - test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", "/sbin/nologin");
+ + test_get_user_creds_one(NOBODY_USER_NAME, NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
+ + test_get_user_creds_one("65534", NOBODY_USER_NAME, UID_NOBODY, GID_NOBODY, "/", NOLOGIN);
+
+ test_get_group_creds_one("root", "root", 0);
+ test_get_group_creds_one("0", "root", 0);
+ diff --git a/test/TEST-21-SYSUSERS/test-1.expected-passwd b/test/TEST-21-SYSUSERS/test-1.expected-passwd
+ index 8d0bfff..f59303b 100644
+ --- a/test/TEST-21-SYSUSERS/test-1.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-1.expected-passwd
+ @@ -1 +1 @@
+ -u1:x:222:222::/:/sbin/nologin
+ +u1:x:222:222::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-10.expected-passwd b/test/TEST-21-SYSUSERS/test-10.expected-passwd
+ index 222334b..ca2d764 100644
+ --- a/test/TEST-21-SYSUSERS/test-10.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-10.expected-passwd
+ @@ -1,2 +1,2 @@
+ -u1:x:300:300::/:/sbin/nologin
+ -u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+ +u1:x:300:300::/:NOLOGIN
+ +u2:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-11.expected-passwd b/test/TEST-21-SYSUSERS/test-11.expected-passwd
+ index 3f9ab39..737e43b 100644
+ --- a/test/TEST-21-SYSUSERS/test-11.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-11.expected-passwd
+ @@ -2,5 +2,5 @@ root:x:0:0:root:/root:/bin/bash
+ systemd-network:x:492:492:Systemd Network Management:/:/usr/sbin/nologin
+ systemd-resolve:x:491:491:Systemd Resolver:/:/usr/sbin/nologin
+ systemd-timesync:x:493:493:Systemd Time Synchronization:/:/usr/sbin/nologin
+ -u1:x:222:222::/:/sbin/nologin
+ +u1:x:222:222::/:NOLOGIN
+ +::::::
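Review bot: the hunk header `@@ -2,5 +2,5 @@` claims five old-side lines, but only four are present (three context lines plus the removed `u1` line), while the new side has five (three context lines plus the `u1` and `::::::` additions); either `+::::::` is really an unchanged trailer line that lost its leading space, or the hunk is corrupt and patch will reject it. Separately, the three `systemd-*` context lines keep a literal `/usr/sbin/nologin` while `u1` is switched to the `NOLOGIN` placeholder that test.sh substitutes, so this expected file only matches on builds where `-Dnologin-path` is `/usr/sbin/nologin`; for portability those lines should use the placeholder too, unless they come from a distro-supplied sysusers fragment whose shell is outside the test's control.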
+ diff --git a/test/TEST-21-SYSUSERS/test-12.expected-passwd b/test/TEST-21-SYSUSERS/test-12.expected-passwd
+ index 75fe9b4..f076f3d 100644
+ --- a/test/TEST-21-SYSUSERS/test-12.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-12.expected-passwd
+ @@ -1,2 +1,2 @@
+ root:x:0:0:root:/root:/bin/bash
+ -systemd-coredump:x:1:1:systemd Core Dumper:/:/sbin/nologin
+ +systemd-coredump:x:1:1:systemd Core Dumper:/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-2.expected-passwd b/test/TEST-21-SYSUSERS/test-2.expected-passwd
+ index 9eeee5d..af80688 100644
+ --- a/test/TEST-21-SYSUSERS/test-2.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-2.expected-passwd
+ @@ -1,4 +1,4 @@
+ -u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:/sbin/nologin
+ +u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX:some gecos:/random/dir:NOLOGIN
+ u2:x:777:777:some gecos:/random/dir:/bin/zsh
+ u3:x:778:778::/random/dir2:/bin/bash
+ u4:x:779:779::/:/bin/csh
+ diff --git a/test/TEST-21-SYSUSERS/test-3.expected-passwd b/test/TEST-21-SYSUSERS/test-3.expected-passwd
+ index a86954f..946303f 100644
+ --- a/test/TEST-21-SYSUSERS/test-3.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-3.expected-passwd
+ @@ -1,4 +1,4 @@
+ -foo:x:301:301::/:/sbin/nologin
+ -aaa:x:303:302::/:/sbin/nologin
+ -bbb:x:304:302::/:/sbin/nologin
+ -ccc:x:305:305::/:/sbin/nologin
+ +foo:x:301:301::/:NOLOGIN
+ +aaa:x:303:302::/:NOLOGIN
+ +bbb:x:304:302::/:NOLOGIN
+ +ccc:x:305:305::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-4.expected-passwd b/test/TEST-21-SYSUSERS/test-4.expected-passwd
+ index e0370a4..99d1048 100644
+ --- a/test/TEST-21-SYSUSERS/test-4.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-4.expected-passwd
+ @@ -1,2 +1,2 @@
+ -yyy:x:311:310::/:/sbin/nologin
+ -xxx:x:312:310::/:/sbin/nologin
+ +yyy:x:311:310::/:NOLOGIN
+ +xxx:x:312:310::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-5.expected-passwd b/test/TEST-21-SYSUSERS/test-5.expected-passwd
+ index 116b126..a83d566 100644
+ --- a/test/TEST-21-SYSUSERS/test-5.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-5.expected-passwd
+ @@ -1,18 +1,18 @@
+ root:x:0:0::/root:/bin/sh
+ -daemon:x:1:1::/usr/sbin:/sbin/nologin
+ -bin:x:2:2::/bin:/sbin/nologin
+ -sys:x:3:3::/dev:/sbin/nologin
+ -sync:x:4:65534::/bin:/sbin/nologin
+ -games:x:5:60::/usr/games:/sbin/nologin
+ -man:x:6:12::/var/cache/man:/sbin/nologin
+ -lp:x:7:7::/var/spool/lpd:/sbin/nologin
+ -mail:x:8:8::/var/mail:/sbin/nologin
+ -news:x:9:9::/var/spool/news:/sbin/nologin
+ -uucp:x:10:10::/var/spool/uucp:/sbin/nologin
+ -proxy:x:13:13::/bin:/sbin/nologin
+ -www-data:x:33:33::/var/www:/sbin/nologin
+ -backup:x:34:34::/var/backups:/sbin/nologin
+ -list:x:38:38::/var/list:/sbin/nologin
+ -irc:x:39:39::/var/run/ircd:/sbin/nologin
+ -gnats:x:41:41::/var/lib/gnats:/sbin/nologin
+ -nobody:x:65534:65534::/nonexistent:/sbin/nologin
+ +daemon:x:1:1::/usr/sbin:NOLOGIN
+ +bin:x:2:2::/bin:NOLOGIN
+ +sys:x:3:3::/dev:NOLOGIN
+ +sync:x:4:65534::/bin:NOLOGIN
+ +games:x:5:60::/usr/games:NOLOGIN
+ +man:x:6:12::/var/cache/man:NOLOGIN
+ +lp:x:7:7::/var/spool/lpd:NOLOGIN
+ +mail:x:8:8::/var/mail:NOLOGIN
+ +news:x:9:9::/var/spool/news:NOLOGIN
+ +uucp:x:10:10::/var/spool/uucp:NOLOGIN
+ +proxy:x:13:13::/bin:NOLOGIN
+ +www-data:x:33:33::/var/www:NOLOGIN
+ +backup:x:34:34::/var/backups:NOLOGIN
+ +list:x:38:38::/var/list:NOLOGIN
+ +irc:x:39:39::/var/run/ircd:NOLOGIN
+ +gnats:x:41:41::/var/lib/gnats:NOLOGIN
+ +nobody:x:65534:65534::/nonexistent:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-6.expected-passwd b/test/TEST-21-SYSUSERS/test-6.expected-passwd
+ index 5af9d11..ba55a13 100644
+ --- a/test/TEST-21-SYSUSERS/test-6.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-6.expected-passwd
+ @@ -1 +1 @@
+ -u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:/sbin/nologin
+ +u1:x:SYSTEM_UID_MAX:SYSTEM_UID_MAX::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-7.expected-passwd b/test/TEST-21-SYSUSERS/test-7.expected-passwd
+ index 79668c0..0c5d370 100644
+ --- a/test/TEST-21-SYSUSERS/test-7.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-7.expected-passwd
+ @@ -1,5 +1,5 @@
+ -bin:x:1:1::/:/sbin/nologin
+ -daemon:x:2:2::/:/sbin/nologin
+ -mail:x:8:12::/var/spool/mail:/sbin/nologin
+ -ftp:x:14:11::/srv/ftp:/sbin/nologin
+ -http:x:33:33::/srv/http:/sbin/nologin
+ +bin:x:1:1::/:NOLOGIN
+ +daemon:x:2:2::/:NOLOGIN
+ +mail:x:8:12::/var/spool/mail:NOLOGIN
+ +ftp:x:14:11::/srv/ftp:NOLOGIN
+ +http:x:33:33::/srv/http:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-8.expected-passwd b/test/TEST-21-SYSUSERS/test-8.expected-passwd
+ index 727b819..23e99f0 100644
+ --- a/test/TEST-21-SYSUSERS/test-8.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-8.expected-passwd
+ @@ -1 +1 @@
+ -username:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+ +username:x:SYSTEM_UID_MAX:300::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test-9.expected-passwd b/test/TEST-21-SYSUSERS/test-9.expected-passwd
+ index a23260f..0bffbcd 100644
+ --- a/test/TEST-21-SYSUSERS/test-9.expected-passwd
+ +++ b/test/TEST-21-SYSUSERS/test-9.expected-passwd
+ @@ -1,2 +1,2 @@
+ -user1:x:300:300::/:/sbin/nologin
+ -user2:x:SYSTEM_UID_MAX:300::/:/sbin/nologin
+ +user1:x:300:300::/:NOLOGIN
+ +user2:x:SYSTEM_UID_MAX:300::/:NOLOGIN
+ diff --git a/test/TEST-21-SYSUSERS/test.sh b/test/TEST-21-SYSUSERS/test.sh
+ index b1049e7..809653c 100755
+ --- a/test/TEST-21-SYSUSERS/test.sh
+ +++ b/test/TEST-21-SYSUSERS/test.sh
+ @@ -25,7 +25,14 @@ preprocess() {
+ # get this value from config.h, however the autopkgtest fails with
+ # it
+ SYSTEM_UID_MAX=$(awk 'BEGIN { uid=999 } /^\s*SYS_UID_MAX\s+/ { uid=$2 } END { print uid }' /etc/login.defs)
+ - sed "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" "$in"
+ +
+ + # we can't rely on config.h to get the nologin path, as autopkgtest
+ + # uses pre-compiled binaries, so extract it from the systemd-sysusers
+ + # binary which we are about to execute
+ + NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)
+ +
+ + sed -e "s/SYSTEM_UID_MAX/${SYSTEM_UID_MAX}/g" \
+ + -e "s#NOLOGIN#${NOLOGIN}#g" "$in"
+ }
+
+ compare() {
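Review bot: `NOLOGIN=$(strings $(type -p systemd-sysusers) | grep nologin)` is fragile. `grep nologin` returns every string in the binary containing that substring, so a second match (a log message, a man-page reference, a longer path) yields a multi-line value and a broken `sed -e "s#NOLOGIN#${NOLOGIN}#g"` expression; anchor the match (for example a pattern for a string that starts with `/` and ends in `/nologin`), take only the first line, and fail loudly when nothing matches rather than silently substituting an empty string, which would turn every expected shell field into a bare `/:` and mask a real mismatch. `strings` from binutils also becomes a test dependency that is not declared here.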
--- /dev/null
-index 6445b94..ac76c86 100644
+ From: Yu Watanabe <watanabe.yu+github@gmail.com>
+ Date: Thu, 9 May 2019 14:39:46 +0900
+ Subject: network: do not send ipv6 token to kernel
+
+ We disabled kernel RA support. Then, we should not send
+ IFLA_INET6_TOKEN.
+ Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice.
+
+ Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and
+ 4eb086a38712ea98faf41e075b84555b11b54362.
+
+ (cherry picked from commit 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f)
+ ---
+ src/network/networkd-link.c | 51 ++++++---------------------------------------
+ 1 file changed, 6 insertions(+), 45 deletions(-)
+
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -1816,6 +1816,9 @@ static int link_configure_addrgen_mode(Link *link) {
++index fb37688..75131d8 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-@@ -1917,46 +1920,6 @@ static int link_up(Link *link) {
++@@ -2000,6 +2000,9 @@ static int link_configure_addrgen_mode(Link *link) {
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
+ + if (!socket_ipv6_is_supported())
+ + return 0;
+ +
+ log_link_debug(link, "Setting address genmode for link");
+
+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
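Review bot: moving the `socket_ipv6_is_supported()` guard into `link_configure_addrgen_mode()` (the caller in `link_configure()` drops its own copy further down in this patch) is the right place for it, but the bare `return 0` leaves no trace in the journal. A `log_link_debug(link, ...)` before it would keep the skipped genmode configuration diagnosable on hosts with IPv6 disabled, consistent with the `Setting address genmode for link` debug message on the normal path.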
-@@ -3044,11 +3007,9 @@ static int link_configure(Link *link) {
- return r;
- }
++@@ -2093,46 +2096,6 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not set MAC address: %m");
+ }
+
+ - if (link_ipv6_enabled(link)) {
+ - uint8_t ipv6ll_mode;
+ -
+ - r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
+ -
+ - /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */
+ - r = sd_netlink_message_open_container(req, AF_INET6);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m");
+ -
+ - if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) {
+ - r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+ - }
+ -
+ - if (!link_ipv6ll_enabled(link))
+ - ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
+ - else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
+ - /* The file may not exist. And event if it exists, when stable_secret is unset,
+ - * reading the file fails with EIO. */
+ - ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
+ - else
+ - ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+ -
+ - r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
+ -
+ - r = sd_netlink_message_close_container(req);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
+ -
+ - r = sd_netlink_message_close_container(req);
+ - if (r < 0)
+ - return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m");
+ - }
+ -
+ r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler,
+ link_netlink_destroy_callback, link);
+ if (r < 0)
++@@ -3219,11 +3182,9 @@ static int link_configure(Link *link) {
++ if (r < 0)
++ return r;
+
+ - if (socket_ipv6_is_supported()) {
+ - r = link_configure_addrgen_mode(link);
+ - if (r < 0)
+ - return r;
+ - }
+ + r = link_configure_addrgen_mode(link);
+ + if (r < 0)
+ + return r;
+
+ return link_configure_after_setting_mtu(link);
+ }
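Review bot: the link_configure() hunk drops the `socket_ipv6_is_supported()` guard around `link_configure_addrgen_mode(link)`, while the block removed from link_up() just above carried the comment that setting IFF_UP fails when any IPv6 options are passed on a kernel without IPv6 support. If link_configure_addrgen_mode() also appends IFLA_INET6_ADDR_GEN_MODE, confirm that it checks link_ipv6_enabled() (or link_sysctl_ipv6_enabled()) itself before sending, otherwise keep the guard; a one-line comment on why the guard became unnecessary would save the next refresh the same question.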
--- /dev/null
-index 3cdbd9e..a9f65e5 100644
+ From: Yu Watanabe <watanabe.yu+github@gmail.com>
+ Date: Tue, 11 Jun 2019 23:20:56 +0900
+ Subject: network: ignore requested ipv6 addresses when ipv6 is disabled by
+ sysctl
+
+ (cherry picked from commit 54a1a535bd60f13964bbddd8f381601e33e8e56f)
+ ---
+ src/network/networkd-address.c | 7 ++++++-
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-ndisc.c | 4 ++--
+ 3 files changed, 10 insertions(+), 5 deletions(-)
+
+ diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
-@@ -565,6 +565,11 @@ int address_configure(
++index 42d61cc..bf8f6ab 100644
+ --- a/src/network/networkd-address.c
+ +++ b/src/network/networkd-address.c
-@@ -669,7 +674,7 @@ int address_configure(
- return log_error_errno(r, "Could not add address: %m");
++@@ -566,6 +566,11 @@ int address_configure(
+ assert(link->manager->rtnl);
+ assert(callback);
+
+ + if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
+ + return 0;
+ + }
+ +
+ /* If this is a new address, then refuse adding more than the limit */
+ if (address_get(link, address->family, &address->in_addr, address->prefixlen, NULL) <= 0 &&
+ set_size(link->addresses) >= ADDRESSES_PER_LINK_MAX)
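Review bot: the early `return 0` changes the return contract of address_configure() (0 now means "skipped", 1 means "request sent", per the `return 1` in the next hunk), but nothing at the function documents it. Add a comment such as `/* Returns 1 if a netlink request was sent, 0 if the address was skipped, negative on error */` so that callers know to test `r > 0` before counting messages. Also consider the log level: log_link_warning() fires on every reconfiguration of the link for each IPv6 address, so on hosts that deliberately disable IPv6 via sysctl this repeats on every link event; one warning per link, or log_link_debug(), would avoid the noise.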
-index 322e701..638aae0 100644
++@@ -665,7 +670,7 @@ int address_configure(
++ return log_link_error_errno(link, r, "Could not add address: %m");
+ }
+
+ - return 0;
+ + return 1;
+ }
+
+ int config_parse_broadcast(
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -1123,8 +1123,8 @@ static int link_request_set_addresses(Link *link) {
++index 3e334c8..d3752b2 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-index e5b8d11..78c98a0 100644
++@@ -1249,8 +1249,8 @@ static int link_request_set_addresses(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->address_messages++;
+ + if (r > 0)
+ + link->address_messages++;
+ }
+
+ LIST_FOREACH(labels, label, link->network->address_labels) {
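Review bot: with `if (r > 0)` guarding the increment, a link whose only configured addresses are IPv6 on a sysctl-disabled stack leaves `link->address_messages` at 0 after the loop. The route counterpart in the next patch handles that case explicitly (`if (link->route_messages == 0) {`); the visible lines here show no equivalent for addresses, so check that link_request_set_addresses() still advances the link state when no address request was sent, otherwise the link may wait for a reply that never comes.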
+ diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
++index eb470a4..05911bd 100644
+ --- a/src/network/networkd-ndisc.c
+ +++ b/src/network/networkd-ndisc.c
+ @@ -205,8 +205,8 @@ static int ndisc_router_process_autonomous_prefix(Link *link, sd_ndisc_router *r
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->ndisc_messages++;
+ + if (r > 0)
+ + link->ndisc_messages++;
+
+ return 0;
+ }
--- /dev/null
-index 638aae0..5a181c2 100644
+ From: Yu Watanabe <watanabe.yu+github@gmail.com>
+ Date: Tue, 11 Jun 2019 23:26:11 +0900
+ Subject: network: ignore requested ipv6 route when ipv6 is disabled by sysctl
+
+ (cherry picked from commit c442331750a2a9711036080f7590e190b9b0eb54)
+ ---
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-ndisc.c | 12 ++++++------
+ src/network/networkd-route.c | 7 ++++++-
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -840,8 +840,8 @@ static int link_request_set_routes(Link *link) {
++index d3752b2..4de610b 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-index 78c98a0..36fbe29 100644
++@@ -967,8 +967,8 @@ static int link_request_set_routes(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->route_messages++;
+ + if (r > 0)
+ + link->route_messages++;
+ }
+
+ if (link->route_messages == 0) {
+ diff --git a/src/network/networkd-ndisc.c b/src/network/networkd-ndisc.c
-index 5553a7e..5b7e019 100644
++index 05911bd..fd4f8df 100644
+ --- a/src/network/networkd-ndisc.c
+ +++ b/src/network/networkd-ndisc.c
+ @@ -117,8 +117,8 @@ static int ndisc_router_process_default(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->ndisc_messages++;
+ + if (r > 0)
+ + link->ndisc_messages++;
+
+ return 0;
+ }
+ @@ -255,8 +255,8 @@ static int ndisc_router_process_onlink_prefix(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->ndisc_messages++;
+ + if (r > 0)
+ + link->ndisc_messages++;
+
+ return 0;
+ }
+ @@ -316,8 +316,8 @@ static int ndisc_router_process_route(Link *link, sd_ndisc_router *rt) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->ndisc_messages++;
+ + if (r > 0)
+ + link->ndisc_messages++;
+
+ return 0;
+ }
+ diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
-@@ -509,6 +509,11 @@ int route_configure(
++index 379077c..56a9c82 100644
+ --- a/src/network/networkd-route.c
+ +++ b/src/network/networkd-route.c
- return -E2BIG;
-@@ -675,7 +680,7 @@ int route_configure(
++@@ -498,6 +498,11 @@ int route_configure(
+ assert(IN_SET(route->family, AF_INET, AF_INET6));
+ assert(callback);
+
+ + if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
+ + return 0;
+ + }
+ +
+ if (route_get(link, route->family, &route->dst, route->dst_prefixlen, route->tos, route->priority, route->table, NULL) <= 0 &&
+ set_size(link->routes) >= routes_max())
- int config_parse_gateway(
++ return log_link_error_errno(link, SYNTHETIC_ERRNO(E2BIG),
++@@ -674,7 +679,7 @@ int route_configure(
+ sd_event_source_unref(route->expire);
+ route->expire = TAKE_PTR(expire);
+
+ - return 0;
+ + return 1;
+ }
+
++ int network_add_ipv4ll_route(Network *network) {
--- /dev/null
-index 5a181c2..13852af 100644
+ From: Yu Watanabe <watanabe.yu+github@gmail.com>
+ Date: Tue, 11 Jun 2019 23:29:57 +0900
+ Subject: network: ignore requested ipv6 routing policy rule when ipv6 is
+ disabled by sysctl
+
+ (cherry picked from commit 7ef7e5509b637e660e89ba8a938930ec01de6e54)
+ ---
+ src/network/networkd-link.c | 4 ++--
+ src/network/networkd-routing-policy-rule.c | 7 ++++++-
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -765,8 +765,8 @@ static int link_request_set_routing_policy_rule(Link *link) {
++index 4de610b..91c828e 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-index 65a9af2..0b62a0e 100644
++@@ -892,8 +892,8 @@ static int link_request_set_routing_policy_rule(Link *link) {
+ link_enter_failed(link);
+ return r;
+ }
+ -
+ - link->routing_policy_rule_messages++;
+ + if (r > 0)
+ + link->routing_policy_rule_messages++;
+ }
+
+ routing_policy_rule_purge(link->manager, link);
+ diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
-@@ -492,6 +492,11 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
++index f625321..d2b6f10 100644
+ --- a/src/network/networkd-routing-policy-rule.c
+ +++ b/src/network/networkd-routing-policy-rule.c
-@@ -609,7 +614,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
++@@ -484,6 +484,11 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
+ + if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
+ + return 0;
+ + }
+ +
+ r = sd_rtnl_message_new_routing_policy_rule(link->manager->rtnl, &m, RTM_NEWRULE, rule->family);
+ if (r < 0)
+ return log_error_errno(r, "Could not allocate RTM_NEWRULE message: %m");
++@@ -593,7 +598,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ if (r < 0)
+ return log_error_errno(r, "Could not add rule: %m");
+
+ - return 0;
+ + return 1;
+ }
+
+ static int parse_fwmark_fwmask(const char *s, uint32_t *fwmark, uint32_t *fwmask) {
--- /dev/null
- src/network/networkd-link.c | 24 ++++++++++++++++++++----
+ From: Yu Watanabe <watanabe.yu+github@gmail.com>
+ Date: Fri, 14 Jun 2019 09:42:51 +0900
+ Subject: network: read link specific sysctl value
+
+ This introduce link_sysctl_ipv6_enabled() and replaces
+ manager_sysctl_ipv6_enabled() with it.
+
+ (cherry picked from commit bafa9641446852f7fa15ca12d08a223d345c78ea)
+ ---
+ src/network/networkd-address.c | 2 +-
- 7 files changed, 27 insertions(+), 28 deletions(-)
++ src/network/networkd-link.c | 23 +++++++++++++++++++----
+ src/network/networkd-link.h | 4 ++++
+ src/network/networkd-manager.c | 17 -----------------
+ src/network/networkd-manager.h | 4 ----
+ src/network/networkd-route.c | 2 +-
+ src/network/networkd-routing-policy-rule.c | 2 +-
-index a9f65e5..e0ee896 100644
++ 7 files changed, 26 insertions(+), 28 deletions(-)
+
+ diff --git a/src/network/networkd-address.c b/src/network/networkd-address.c
-@@ -565,7 +565,7 @@ int address_configure(
++index bf8f6ab..40da62f 100644
+ --- a/src/network/networkd-address.c
+ +++ b/src/network/networkd-address.c
-index 13852af..3cfdf4a 100644
++@@ -566,7 +566,7 @@ int address_configure(
+ assert(link->manager->rtnl);
+ assert(callback);
+
+ - if (address->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + if (address->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 address is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -28,6 +28,7 @@
- #include "stdio-util.h"
- #include "string-table.h"
- #include "strv.h"
-+#include "sysctl-util.h"
- #include "tmpfile-util.h"
- #include "util.h"
- #include "virt.h"
-@@ -39,6 +40,20 @@ DUID* link_get_duid(Link *link) {
++index 91c828e..e3d4efb 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-@@ -51,7 +66,7 @@ static bool link_dhcp6_enabled(Link *link) {
- if (!link->network)
++@@ -60,6 +60,20 @@ DUID* link_get_duid(Link *link) {
+ return &link->manager->duid;
+ }
+
+ +int link_sysctl_ipv6_enabled(Link *link) {
+ + _cleanup_free_ char *value = NULL;
+ + int r;
+ +
+ + r = sysctl_read_ip_property(AF_INET6, link->ifname, "disable_ipv6", &value);
+ + if (r < 0)
+ + return log_link_warning_errno(link, r,
+ + "Failed to read net.ipv6.conf.%s.disable_ipv6 sysctl property: %m",
+ + link->ifname);
+ +
+ + link->sysctl_ipv6_enabled = value[0] == '0';
+ + return link->sysctl_ipv6_enabled;
+ +}
+ +
+ static bool link_dhcp6_enabled(Link *link) {
+ assert(link);
+
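Review bot: link_sysctl_ipv6_enabled() stores its result in `link->sysctl_ipv6_enabled` (initialised to -1 in link_new() further down) but never consults it, so unlike the removed manager_sysctl_ipv6_enabled(), which returned the cached value when `>= 0`, the sysctl is re-read from /proc on every call, and the callers in this file run on each link state evaluation. Either add the `if (link->sysctl_ipv6_enabled >= 0) return link->sysctl_ipv6_enabled;` shortcut, or drop the field and its initialiser; a per-call read is defensible only if the value is expected to change at runtime, and then the field is dead code. Note also that a read failure returns the negative errno, which every `== 0` caller treats as "IPv6 enabled" (fail-open); that matches the manager version but deserves a comment.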
-@@ -111,7 +126,7 @@ static bool link_ipv6ll_enabled(Link *link) {
- if (streq_ptr(link->kind, "wireguard"))
++@@ -75,7 +89,7 @@ static bool link_dhcp6_enabled(Link *link) {
++ if (link->network->bond)
+ return false;
+
+ - if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ + if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->dhcp & ADDRESS_FAMILY_IPV6;
-@@ -126,7 +141,7 @@ static bool link_ipv6_enabled(Link *link) {
- if (link->network->bridge)
++@@ -147,7 +161,7 @@ static bool link_ipv6ll_enabled(Link *link) {
++ if (link->network->bond)
+ return false;
+
+ - if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ + if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->link_local & ADDRESS_FAMILY_IPV6;
-@@ -208,7 +223,7 @@ static bool link_ipv6_forward_enabled(Link *link) {
++@@ -162,7 +176,7 @@ static bool link_ipv6_enabled(Link *link) {
++ if (link->network->bond)
+ return false;
+
+ - if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ + if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ /* DHCPv6 client will not be started if no IPv6 link-local address is configured. */
-@@ -476,6 +491,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
++@@ -244,7 +258,7 @@ static bool link_ipv6_forward_enabled(Link *link) {
+ if (link->network->ip_forward == _ADDRESS_FAMILY_BOOLEAN_INVALID)
+ return false;
+
+ - if (manager_sysctl_ipv6_enabled(link->manager) == 0)
+ + if (link_sysctl_ipv6_enabled(link) == 0)
+ return false;
+
+ return link->network->ip_forward & ADDRESS_FAMILY_IPV6;
-index dcb1ea6..6adea64 100644
++@@ -560,6 +574,7 @@ static int link_new(Manager *manager, sd_netlink_message *message, Link **ret) {
+ .rtnl_extended_attrs = true,
+ .ifindex = ifindex,
+ .iftype = iftype,
+ + .sysctl_ipv6_enabled = -1,
+ };
+
+ link->ifname = strdup(ifname);
+ diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h
-@@ -128,6 +128,8 @@ typedef struct Link {
-
++index e65246c..f2e53cc 100644
+ --- a/src/network/networkd-link.h
+ +++ b/src/network/networkd-link.h
-@@ -209,6 +211,8 @@ int link_send_changed(Link *link, const char *property, ...) _sentinel_;
- #define LOG_LINK_MESSAGE(link, fmt, ...) "MESSAGE=%s: " fmt, (link)->ifname, ##__VA_ARGS__
- #define LOG_LINK_INTERFACE(link) "INTERFACE=%s", (link)->ifname
++@@ -122,6 +122,8 @@ typedef struct Link {
+ Hashmap *bound_by_links;
+ Hashmap *bound_to_links;
++ Hashmap *slaves;
+ +
+ + int sysctl_ipv6_enabled;
+ } Link;
+
+ typedef int (*link_netlink_message_handler_t)(sd_netlink*, sd_netlink_message*, Link*);
-index f32bc7f..acb9a75 100644
++@@ -180,6 +182,8 @@ uint32_t link_get_vrf_table(Link *link);
++ uint32_t link_get_dhcp_route_table(Link *link);
++ uint32_t link_get_ipv6_accept_ra_route_table(Link *link);
+
+ +int link_sysctl_ipv6_enabled(Link *link);
+ +
+ #define ADDRESS_FMT_VAL(address) \
+ be32toh((address).s_addr) >> 24, \
+ (be32toh((address).s_addr) >> 16) & 0xFFu, \
+ diff --git a/src/network/networkd-manager.c b/src/network/networkd-manager.c
-@@ -1361,8 +1361,6 @@ int manager_new(Manager **ret) {
++index 9075b0a..05107da 100644
+ --- a/src/network/networkd-manager.c
+ +++ b/src/network/networkd-manager.c
-@@ -1861,18 +1859,3 @@ int manager_request_product_uuid(Manager *m, Link *link) {
++@@ -1378,8 +1378,6 @@ int manager_new(Manager **ret) {
+ if (!m->state_file)
+ return -ENOMEM;
+
+ - m->sysctl_ipv6_enabled = -1;
+ -
+ r = sd_event_default(&m->event);
+ if (r < 0)
+ return r;
-index d292d76..289ca96 100644
++@@ -1878,18 +1876,3 @@ int manager_request_product_uuid(Manager *m, Link *link) {
+
+ return 0;
+ }
+ -
+ -int manager_sysctl_ipv6_enabled(Manager *manager) {
+ - _cleanup_free_ char *value = NULL;
+ - int r;
+ -
+ - if (manager->sysctl_ipv6_enabled >= 0)
+ - return manager->sysctl_ipv6_enabled;
+ -
+ - r = sysctl_read_ip_property(AF_INET6, "all", "disable_ipv6", &value);
+ - if (r < 0)
+ - return log_warning_errno(r, "Failed to read net.ipv6.conf.all.disable_ipv6 sysctl property: %m");
+ -
+ - manager->sysctl_ipv6_enabled = value[0] == '0';
+ - return manager->sysctl_ipv6_enabled;
+ -}
+ diff --git a/src/network/networkd-manager.h b/src/network/networkd-manager.h
-@@ -58,8 +58,6 @@ struct Manager {
++index 35ab6be..33f80bf 100644
+ --- a/src/network/networkd-manager.h
+ +++ b/src/network/networkd-manager.h
-@@ -97,6 +95,4 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
++@@ -56,8 +56,6 @@ struct Manager {
+ Set *rules;
+ Set *rules_foreign;
+ Set *rules_saved;
+ -
+ - int sysctl_ipv6_enabled;
+ };
+
+ extern const sd_bus_vtable manager_vtable[];
-index 5b7e019..67b0ab4 100644
++@@ -95,6 +93,4 @@ Link *manager_dhcp6_prefix_get(Manager *m, struct in6_addr *addr);
+ int manager_dhcp6_prefix_add(Manager *m, struct in6_addr *addr, Link *link);
+ int manager_dhcp6_prefix_remove_all(Manager *m, Link *link);
+
+ -int manager_sysctl_ipv6_enabled(Manager *manager);
+ -
+ DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
+ diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
-@@ -509,7 +509,7 @@ int route_configure(
++index 56a9c82..ae56402 100644
+ --- a/src/network/networkd-route.c
+ +++ b/src/network/networkd-route.c
-index 0b62a0e..2378ed2 100644
++@@ -498,7 +498,7 @@ int route_configure(
+ assert(IN_SET(route->family, AF_INET, AF_INET6));
+ assert(callback);
+
+ - if (route->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + if (route->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 route is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
+ diff --git a/src/network/networkd-routing-policy-rule.c b/src/network/networkd-routing-policy-rule.c
-@@ -492,7 +492,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
++index d2b6f10..5ac8718 100644
+ --- a/src/network/networkd-routing-policy-rule.c
+ +++ b/src/network/networkd-routing-policy-rule.c
++@@ -484,7 +484,7 @@ int routing_policy_rule_configure(RoutingPolicyRule *rule, Link *link, link_netl
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
+ - if (rule->family == AF_INET6 && manager_sysctl_ipv6_enabled(link->manager) == 0) {
+ + if (rule->family == AF_INET6 && link_sysctl_ipv6_enabled(link) == 0) {
+ log_link_warning(link, "An IPv6 routing policy rule is requested, but IPv6 is disabled by sysctl, ignoring.");
+ return 0;
+ }
--- /dev/null
-index 3cfdf4a..6445b94 100644
+ From: Susant Sahani <ssahani@gmail.com>
+ Date: Thu, 9 May 2019 07:35:35 +0530
+ Subject: networkd: fix link_up() (#12505)
+
+ Fillup IFLA_INET6_ADDR_GEN_MODE while we do link_up.
+
+ Fixes the following error:
+ ```
+ dummy-test: Could not bring up interface: Invalid argument
+ ```
+
+ After reading the kernel code when we do a link up
+ ```
+ net/core/rtnetlink.c
+ IFLA_AF_SPEC
+ af_ops->set_link_af(dev, af);
+ inet6_set_link_af
+ if (tb[IFLA_INET6_ADDR_GEN_MODE])
+ Here it looks for IFLA_INET6_ADDR_GEN_MODE
+ ```
+ Since link up we didn't filling up that it's failing.
+
+ Closes #12504.
+
+ (cherry picked from commit 4eb086a38712ea98faf41e075b84555b11b54362)
+ ---
+ src/network/networkd-link.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+ diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-@@ -1918,6 +1918,8 @@ static int link_up(Link *link) {
++index e3d4efb..fb37688 100644
+ --- a/src/network/networkd-link.c
+ +++ b/src/network/networkd-link.c
-@@ -1933,6 +1935,19 @@ static int link_up(Link *link) {
++@@ -2094,6 +2094,8 @@ static int link_up(Link *link) {
+ }
+
+ if (link_ipv6_enabled(link)) {
+ + uint8_t ipv6ll_mode;
+ +
+ r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
++@@ -2109,6 +2111,19 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+ }
+
+ + if (!link_ipv6ll_enabled(link))
+ + ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
+ + else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
+ + /* The file may not exist. And event if it exists, when stable_secret is unset,
+ + * reading the file fails with EIO. */
+ + ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
+ + else
+ + ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+ +
+ + r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
+ + if (r < 0)
+ + return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
+ +
+ r = sd_netlink_message_close_container(req);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
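Review bot: the fallback when `stable_secret` cannot be read is IN6_ADDR_GEN_MODE_EUI64, which derives the link-local interface identifier from the hardware address, so a link without a configured stable_secret gets a MAC-derived address rather than a stable-privacy one; and `sysctl_read_ip_property(..., NULL) < 0` cannot tell "file missing" from "EIO because unset" from any other read error. Worth a comment, or logging the errno at debug level before falling back. Minor: the comment reads "And event if it exists", which should be "even". Note that this whole block is removed again by the hunk at the top of this diff (apparently network-do-not-send-ipv6-token-to-kernel.patch, which follows this patch in the series), so in the final tree the mode is set by link_configure_addrgen_mode() instead.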
--- /dev/null
-From: Michael Biebl <biebl@debian.org>
-Date: Tue, 14 May 2019 13:12:35 +0200
++From: Lennart Poettering <lennart@poettering.net>
++Date: Fri, 10 May 2019 15:16:16 -0400
+ Subject: random-util: eat up bad RDRAND values seen on AMD CPUs
+
+ An ugly, ugly work-around for #11810. And no, we shouldn't have to do
+ this. This is something for AMD, the firmware or the kernel to
+ fix/work-around, not us. But nonetheless, this should do it for now.
+
+ Fixes: #11810
+ (cherry picked from commit 1c53d4a070edbec8ad2d384ba0014d0eb6bae077)
+ ---
+ src/basic/random-util.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+ diff --git a/src/basic/random-util.c b/src/basic/random-util.c
-index f7decf6..38f8180 100644
++index ca25fd2..b678900 100644
+ --- a/src/basic/random-util.c
+ +++ b/src/basic/random-util.c
-@@ -37,6 +37,7 @@ int rdrand(unsigned long *ret) {
++@@ -34,6 +34,7 @@ int rdrand(unsigned long *ret) {
+
+ #if defined(__i386__) || defined(__x86_64__)
+ static int have_rdrand = -1;
+ + unsigned long v;
+ unsigned char err;
+
+ if (have_rdrand < 0) {
-@@ -56,7 +57,7 @@ int rdrand(unsigned long *ret) {
++@@ -53,12 +54,24 @@ int rdrand(unsigned long *ret) {
+
+ asm volatile("rdrand %0;"
+ "setc %1"
+ - : "=r" (*ret),
+ + : "=r" (v),
+ "=qm" (err));
-
- #if HAS_FEATURE_MEMORY_SANITIZER
-@@ -66,6 +67,18 @@ int rdrand(unsigned long *ret) {
++ msan_unpoison(&err, sizeof(err));
+ if (!err)
+ return -EAGAIN;
+
+ + /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
+ + * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
+ + * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
+ + * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
+ + * only however and something AMD really should fix properly. The Linux kernel should probably work
+ + * around this issue by turning off RDRAND altogether on those CPUs. See:
+ + * https://github.com/systemd/systemd/issues/11810 */
+ + if (v == 0 || v == ULONG_MAX)
+ + return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
+ + "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);
+ +
+ + *ret = v;
+ return 0;
+ #else
+ return -EOPNOTSUPP;
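Review bot: the filter rejects only the two stuck values 0 and ULONG_MAX, so a CPU returning any other constant with the carry flag set would still pass; this is a spot check, not an RNG health test, and callers must keep treating rdrand() as an opportunistic source mixed with getrandom() rather than a replacement, which the comment could say explicitly. Rejecting two of 2^64 outputs (2^32 on i386, where `unsigned long` is 32 bits) biases genuine output negligibly. Returning EUCLEAN instead of EAGAIN is the right choice, since it lets a caller distinguish "bad RNG" from "transient, retry"; a note at the call sites that EUCLEAN should disable RDRAND for the rest of the process rather than trigger a retry loop would complete the fix.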
-sd-bus-enforce-a-size-limit-on-D-Bus-object-paths.patch
-udev-network-drop-unused-parent_driver-argument-from-net_.patch
-sd-device-also-store-properties-read-from-udev-database-t.patch
-networkd-test-disable-DNSSEC-in-domain-restricted-DNS-tes.patch
-networkd-test-use-a-complete-domain-name-in-test_route_on.patch
-networkd-test-fix-test_dropin.patch
-networkd-test-ignore-failures-of-test_route_only_dns-in-c.patch
-timedate-fix-emitted-value-when-ntp-client-is-enabled-dis.patch
-cgtop-Fix-processing-of-controllers-other-than-CPU.patch
-udev-restore-debug-level-when-logging-a-failure-in-the-ex.patch
-remove-.-path-components-from-required-mount-paths.patch
-Re-add-uaccess-tag-for-dev-dri-renderD.patch
-udev-run-programs-in-the-specified-order.patch
-bash-completion-use-default-completion-for-redirect-opera.patch
-networkd-clarify-that-IPv6-RA-uses-our-own-stack-no-the-k.patch
-network-remove-routing-policy-rule-from-foreign-rule-data.patch
-network-do-not-remove-rule-when-it-is-requested-by-existi.patch
-pam-systemd-use-secure_getenv-rather-than-getenv.patch
-journal-remote-do-not-request-Content-Length-if-Transfer-.patch
-systemctl-restore-systemctl-reboot-ARG-functionality.patch
+socket-util-make-sure-flush_accept-doesn-t-hang-on-unexpe.patch
+test-add-test-for-flush_accept.patch
+meson-stop-creating-.wants-directories-for-multi-user-get.patch
+Drop-support-for-usr-sbin-halt.local.patch
+ random-util-eat-up-bad-RDRAND-values-seen-on-AMD-CPUs.patch
+ ask-password-prevent-buffer-overflow-when-reading-from-ke.patch
+ core-unset-HOME-that-the-kernel-gives-us.patch
+ man-add-note-that-h-u-U-are-mostly-useless.patch
-sysctl-util-add-sysctl_read_ip_property.patch
-network-check-whether-ipv6-is-enabled-in-sysctl.patch
+ network-ignore-requested-ipv6-addresses-when-ipv6-is-disa.patch
+ network-ignore-requested-ipv6-route-when-ipv6-is-disabled.patch
+ network-ignore-requested-ipv6-routing-policy-rule-when-ip.patch
+ network-read-link-specific-sysctl-value.patch
+ networkd-fix-link_up-12505.patch
+ network-do-not-send-ipv6-token-to-kernel.patch
+ meson-make-nologin-path-build-time-configurable.patch
debian/Use-Debian-specific-config-files.patch
debian/Bring-tmpfiles.d-tmp.conf-in-line-with-Debian-defaul.patch
debian/Make-run-lock-tmpfs-an-API-fs.patch
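Review bot: the series drops sysctl-util-add-sysctl_read_ip_property.patch and network-check-whether-ipv6-is-enabled-in-sysctl.patch, yet the retained network-ignore-requested-ipv6-*.patch files call manager_sysctl_ipv6_enabled() and network-read-link-specific-sysctl-value.patch calls sysctl_read_ip_property(), so both must now be present in the upstream base this refresh was made against. A changelog line naming the patches dropped as already applied upstream would make that verifiable without rebuilding.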