[systemd/f15] Backport PassCredentials to avoid #757628 when F15 kernel is rebased to 3.2.
Michal Schmidt
michich at fedoraproject.org
Tue Jan 31 23:04:30 UTC 2012
commit 14aacafb2e5ff428d34fb46d10e8de063afc3154
Author: Michal Schmidt <mschmidt at redhat.com>
Date: Tue Jan 31 23:53:40 2012 +0100
Backport PassCredentials to avoid #757628 when F15 kernel is rebased to 3.2.
0001-socket-add-option-for-SO_PASSCRED.patch | 90 +++++++++++++++++
...me-the-PassCred-option-to-PassCredentials.patch | 105 ++++++++++++++++++++
...downd-use-PassCred-yes-in-the-socket-unit.patch | 55 ++++++++++
...g-use-PassCred-yes-for-the-dev-log-socket.patch | 51 ++++++++++
0004-man-document-the-PassCred-option.patch | 34 +++++++
systemd.spec | 11 ++-
6 files changed, 345 insertions(+), 1 deletions(-)
---
diff --git a/0001-socket-add-option-for-SO_PASSCRED.patch b/0001-socket-add-option-for-SO_PASSCRED.patch
new file mode 100644
index 0000000..8c2b238
--- /dev/null
+++ b/0001-socket-add-option-for-SO_PASSCRED.patch
@@ -0,0 +1,90 @@
+From d68af58657ce0e99594dff199fbb9b319cf6af96 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Tue, 29 Nov 2011 22:15:41 +0100
+Subject: [PATCH 1/4] socket: add option for SO_PASSCRED
+
+Add an option to enable SO_PASSCRED for unix sockets.
+---
+ src/dbus-socket.c | 2 ++
+ src/load-fragment-gperf.gperf.m4 | 1 +
+ src/socket.c | 8 ++++++++
+ src/socket.h | 1 +
+ 4 files changed, 12 insertions(+), 0 deletions(-)
+
+Index: systemd-26/src/dbus-socket.c
+===================================================================
+--- systemd-26.orig/src/dbus-socket.c
++++ systemd-26/src/dbus-socket.c
+@@ -49,6 +49,7 @@
+ " <property name=\"IPTTL\" type=\"i\" access=\"read\"/>\n" \
+ " <property name=\"PipeSize\" type=\"t\" access=\"read\"/>\n" \
+ " <property name=\"FreeBind\" type=\"b\" access=\"read\"/>\n" \
++ " <property name=\"PassCred\" type=\"b\" access=\"read\"/>\n" \
+ " <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \
+ " <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
+ " <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
+@@ -107,6 +108,7 @@ DBusHandlerResult bus_socket_message_han
+ { "org.freedesktop.systemd1.Socket", "IPTTL", bus_property_append_int, "i", &u->socket.ip_ttl },
+ { "org.freedesktop.systemd1.Socket", "PipeSize", bus_property_append_size, "t", &u->socket.pipe_size },
+ { "org.freedesktop.systemd1.Socket", "FreeBind", bus_property_append_bool, "b", &u->socket.free_bind },
++ { "org.freedesktop.systemd1.Socket", "PassCred", bus_property_append_bool, "b", &u->socket.pass_cred },
+ { "org.freedesktop.systemd1.Socket", "Mark", bus_property_append_int, "i", &u->socket.mark },
+ { "org.freedesktop.systemd1.Socket", "MaxConnections", bus_property_append_unsigned, "u", &u->socket.max_connections },
+ { "org.freedesktop.systemd1.Socket", "NConnections", bus_property_append_unsigned, "u", &u->socket.n_connections },
+Index: systemd-26/src/socket.c
+===================================================================
+--- systemd-26.orig/src/socket.c
++++ systemd-26/src/socket.c
+@@ -404,6 +404,7 @@ static void socket_dump(Unit *u, FILE *f
+ "%sDirectoryMode: %04o\n"
+ "%sKeepAlive: %s\n"
+ "%sFreeBind: %s\n"
++ "%sPassCred: %s\n"
+ "%sTCPCongestion: %s\n",
+ prefix, socket_state_to_string(s->state),
+ prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
+@@ -412,6 +413,7 @@ static void socket_dump(Unit *u, FILE *f
+ prefix, s->directory_mode,
+ prefix, yes_no(s->keep_alive),
+ prefix, yes_no(s->free_bind),
++ prefix, yes_no(s->pass_cred),
+ prefix, strna(s->tcp_congestion));
+
+ if (s->control_pid > 0)
+@@ -635,6 +637,12 @@ static void socket_apply_socket_options(
+ log_warning("SO_KEEPALIVE failed: %m");
+ }
+
++ if (s->pass_cred) {
++ int one = 1;
++ if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
++ log_warning("SO_PASSCRED failed: %m");
++ }
++
+ if (s->priority >= 0)
+ if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
+ log_warning("SO_PRIORITY failed: %m");
+Index: systemd-26/src/socket.h
+===================================================================
+--- systemd-26.orig/src/socket.h
++++ systemd-26/src/socket.h
+@@ -115,6 +115,7 @@ struct Socket {
+ /* Socket options */
+ bool keep_alive;
+ bool free_bind;
++ bool pass_cred;
+ int priority;
+ int mark;
+ size_t receive_buffer;
+Index: systemd-26/src/load-fragment.c
+===================================================================
+--- systemd-26.orig/src/load-fragment.c
++++ systemd-26/src/load-fragment.c
+@@ -1945,6 +1945,7 @@ static int load_from_path(Unit *u, const
+ { "Mark", config_parse_int, 0, &u->socket.mark, "Socket" },
+ { "PipeSize", config_parse_size, 0, &u->socket.pipe_size, "Socket" },
+ { "FreeBind", config_parse_bool, 0, &u->socket.free_bind, "Socket" },
++ { "PassCred", config_parse_bool, 0, &u->socket.pass_cred, "Socket" },
+ { "TCPCongestion", config_parse_string, 0, &u->socket.tcp_congestion, "Socket" },
+ { "Service", config_parse_socket_service, 0, &u->socket, "Socket" },
+ EXEC_CONTEXT_CONFIG_ITEMS(u->socket.exec_context, "Socket"),
diff --git a/0001-socket-rename-the-PassCred-option-to-PassCredentials.patch b/0001-socket-rename-the-PassCred-option-to-PassCredentials.patch
new file mode 100644
index 0000000..4e7a373
--- /dev/null
+++ b/0001-socket-rename-the-PassCred-option-to-PassCredentials.patch
@@ -0,0 +1,105 @@
+From 271b032a053f9d4a1be271bb052276ae27fe36c6 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart at poettering.net>
+Date: Sat, 31 Dec 2011 01:07:49 +0100
+Subject: [PATCH] socket: rename the PassCred= option to PassCredentials=,
+ since we don't want to needlessly abbreviate options unless
+ they are very well established
+
+---
+ man/systemd.socket.xml | 8 ++++----
+ src/dbus-socket.c | 4 ++--
+ src/load-fragment-gperf.gperf.m4 | 2 +-
+ src/socket.c | 2 +-
+ units/syslog.socket | 2 +-
+ units/systemd-journald.socket | 1 +
+ units/systemd-shutdownd.socket | 2 +-
+ 7 files changed, 11 insertions(+), 10 deletions(-)
+
+Index: systemd-26/man/systemd.socket.xml
+===================================================================
+--- systemd-26.orig/man/systemd.socket.xml
++++ systemd-26/man/systemd.socket.xml
+@@ -480,10 +480,10 @@
+ </varlistentry>
+
+ <varlistentry>
+- <term><varname>PassCred=</varname></term>
++ <term><varname>PassCredentials=</varname></term>
+ <listitem><para>Takes a boolean
+ value. This controls the SO_PASSCRED
+- option, which allows UNIX sockets to
++ socket option, which allows UNIX sockets to
+ receive the credentials of the sending
+ process in an ancillary message.
+ Defaults to
+Index: systemd-26/src/dbus-socket.c
+===================================================================
+--- systemd-26.orig/src/dbus-socket.c
++++ systemd-26/src/dbus-socket.c
+@@ -49,7 +49,7 @@
+ " <property name=\"IPTTL\" type=\"i\" access=\"read\"/>\n" \
+ " <property name=\"PipeSize\" type=\"t\" access=\"read\"/>\n" \
+ " <property name=\"FreeBind\" type=\"b\" access=\"read\"/>\n" \
+- " <property name=\"PassCred\" type=\"b\" access=\"read\"/>\n" \
++ " <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
+ " <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \
+ " <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
+ " <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
+@@ -108,7 +108,7 @@ DBusHandlerResult bus_socket_message_han
+ { "org.freedesktop.systemd1.Socket", "IPTTL", bus_property_append_int, "i", &u->socket.ip_ttl },
+ { "org.freedesktop.systemd1.Socket", "PipeSize", bus_property_append_size, "t", &u->socket.pipe_size },
+ { "org.freedesktop.systemd1.Socket", "FreeBind", bus_property_append_bool, "b", &u->socket.free_bind },
+- { "org.freedesktop.systemd1.Socket", "PassCred", bus_property_append_bool, "b", &u->socket.pass_cred },
++ { "org.freedesktop.systemd1.Socket", "PassCredentials",bus_property_append_bool, "b", &u->socket.pass_cred },
+ { "org.freedesktop.systemd1.Socket", "Mark", bus_property_append_int, "i", &u->socket.mark },
+ { "org.freedesktop.systemd1.Socket", "MaxConnections", bus_property_append_unsigned, "u", &u->socket.max_connections },
+ { "org.freedesktop.systemd1.Socket", "NConnections", bus_property_append_unsigned, "u", &u->socket.n_connections },
+Index: systemd-26/src/socket.c
+===================================================================
+--- systemd-26.orig/src/socket.c
++++ systemd-26/src/socket.c
+@@ -404,7 +404,7 @@ static void socket_dump(Unit *u, FILE *f
+ "%sDirectoryMode: %04o\n"
+ "%sKeepAlive: %s\n"
+ "%sFreeBind: %s\n"
+- "%sPassCred: %s\n"
++ "%sPassCredentials: %s\n"
+ "%sTCPCongestion: %s\n",
+ prefix, socket_state_to_string(s->state),
+ prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
+Index: systemd-26/units/syslog.socket
+===================================================================
+--- systemd-26.orig/units/syslog.socket
++++ systemd-26/units/syslog.socket
+@@ -18,7 +18,7 @@ Wants=syslog.target
+ [Socket]
+ ListenDatagram=/dev/log
+ SocketMode=0666
+-PassCred=yes
++PassCredentials=yes
+
+ # The service we activate on incoming traffic is
+ # systemd-kmsg-syslogd.service. That doesn't mean however, that this
+Index: systemd-26/units/systemd-shutdownd.socket
+===================================================================
+--- systemd-26.orig/units/systemd-shutdownd.socket
++++ systemd-26/units/systemd-shutdownd.socket
+@@ -15,4 +15,4 @@ Before=sockets.target
+ [Socket]
+ ListenDatagram=/run/systemd/shutdownd
+ SocketMode=0600
+-PassCred=yes
++PassCredentials=yes
+Index: systemd-26/src/load-fragment.c
+===================================================================
+--- systemd-26.orig/src/load-fragment.c
++++ systemd-26/src/load-fragment.c
+@@ -1945,7 +1945,7 @@ static int load_from_path(Unit *u, const
+ { "Mark", config_parse_int, 0, &u->socket.mark, "Socket" },
+ { "PipeSize", config_parse_size, 0, &u->socket.pipe_size, "Socket" },
+ { "FreeBind", config_parse_bool, 0, &u->socket.free_bind, "Socket" },
+- { "PassCred", config_parse_bool, 0, &u->socket.pass_cred, "Socket" },
++ { "PassCredentials", config_parse_bool, 0, &u->socket.pass_cred, "Socket" },
+ { "TCPCongestion", config_parse_string, 0, &u->socket.tcp_congestion, "Socket" },
+ { "Service", config_parse_socket_service, 0, &u->socket, "Socket" },
+ EXEC_CONTEXT_CONFIG_ITEMS(u->socket.exec_context, "Socket"),
diff --git a/0002-shutdownd-use-PassCred-yes-in-the-socket-unit.patch b/0002-shutdownd-use-PassCred-yes-in-the-socket-unit.patch
new file mode 100644
index 0000000..f0eee77
--- /dev/null
+++ b/0002-shutdownd-use-PassCred-yes-in-the-socket-unit.patch
@@ -0,0 +1,55 @@
+From 75d3fc60f88e08bf953063819a8a04b881d6db23 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Tue, 29 Nov 2011 23:14:36 +0100
+Subject: [PATCH 2/4] shutdownd: use PassCred=yes in the socket unit
+
+Since Linux 3.2 in order to receive SCM_CREDENTIALS it is not sufficient
+to set SO_PASSCRED just before recvmsg(). The option has to be already
+set when the sender sends the message.
+
+With socket activation it is too late to set the option in the service.
+It must be set on the socket right from the start.
+
+See the kernel commit:
+16e57262 af_unix: dont send SCM_CREDENTIALS by default
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=757628
+---
+ src/shutdownd.c | 6 ------
+ units/systemd-shutdownd.socket | 1 +
+ 2 files changed, 1 insertions(+), 6 deletions(-)
+
+Index: systemd-26/src/shutdownd.c
+===================================================================
+--- systemd-26.orig/src/shutdownd.c
++++ systemd-26/src/shutdownd.c
+@@ -173,7 +173,6 @@ int main(int argc, char *argv[]) {
+ };
+
+ int r = EXIT_FAILURE, n_fds;
+- int one = 1;
+ struct shutdownd_command c;
+ struct pollfd pollfd[_FD_MAX];
+ bool exec_shutdown = false, unlink_nologin = false, failed = false;
+@@ -203,11 +202,6 @@ int main(int argc, char *argv[]) {
+ return EXIT_FAILURE;
+ }
+
+- if (setsockopt(SD_LISTEN_FDS_START, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0) {
+- log_error("SO_PASSCRED failed: %m");
+- return EXIT_FAILURE;
+- }
+-
+ zero(c);
+ zero(pollfd);
+
+Index: systemd-26/units/systemd-shutdownd.socket
+===================================================================
+--- systemd-26.orig/units/systemd-shutdownd.socket
++++ systemd-26/units/systemd-shutdownd.socket
+@@ -14,3 +14,5 @@ Before=sockets.target
+
+ [Socket]
+ ListenDatagram=/run/systemd/shutdownd
++SocketMode=0600
++PassCred=yes
diff --git a/0003-syslog-use-PassCred-yes-for-the-dev-log-socket.patch b/0003-syslog-use-PassCred-yes-for-the-dev-log-socket.patch
new file mode 100644
index 0000000..e68fc98
--- /dev/null
+++ b/0003-syslog-use-PassCred-yes-for-the-dev-log-socket.patch
@@ -0,0 +1,51 @@
+From 1a2801529e916ec31d2a8cc66cd5c3b8d9ad9caa Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Wed, 30 Nov 2011 09:37:13 +0100
+Subject: [PATCH 3/4] syslog: use PassCred=yes for the /dev/log socket
+
+Both kmsg-syslogd and the real syslog service want to receive
+SCM_CREDENTIALS. With socket activation it is too late to set
+SO_PASSCRED in the services.
+---
+ src/kmsg-syslogd.c | 5 +----
+ units/syslog.socket | 1 +
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/src/kmsg-syslogd.c b/src/kmsg-syslogd.c
+index 0901a0e..7fd69f8 100644
+--- a/src/kmsg-syslogd.c
++++ b/src/kmsg-syslogd.c
+@@ -91,7 +91,7 @@ static int server_init(Server *s, unsigned n_sockets) {
+ }
+
+ for (i = 0; i < n_sockets; i++) {
+- int fd, one = 1;
++ int fd;
+
+ fd = SD_LISTEN_FDS_START+i;
+
+@@ -106,9 +106,6 @@ static int server_init(Server *s, unsigned n_sockets) {
+ goto fail;
+ }
+
+- if (setsockopt(fd, SOL_SOCKET, SO_PASSCRED, &one, sizeof(one)) < 0)
+- log_error("SO_PASSCRED failed: %m");
+-
+ zero(ev);
+ ev.events = EPOLLIN;
+ ev.data.fd = fd;
+diff --git a/units/syslog.socket b/units/syslog.socket
+index 500bb7c..e74b559 100644
+--- a/units/syslog.socket
++++ b/units/syslog.socket
+@@ -18,6 +18,7 @@ Wants=syslog.target
+ [Socket]
+ ListenDatagram=/dev/log
+ SocketMode=0666
++PassCred=yes
+
+ # The service we activate on incoming traffic is
+ # systemd-kmsg-syslogd.service. That doesn't mean however, that this
+--
+1.7.7.6
+
diff --git a/0004-man-document-the-PassCred-option.patch b/0004-man-document-the-PassCred-option.patch
new file mode 100644
index 0000000..9f17e81
--- /dev/null
+++ b/0004-man-document-the-PassCred-option.patch
@@ -0,0 +1,34 @@
+From 42e87475cfe20a5e79da882012629f9d3ae63648 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt <mschmidt at redhat.com>
+Date: Wed, 30 Nov 2011 11:06:35 +0100
+Subject: [PATCH 4/4] man: document the PassCred option
+
+---
+ man/systemd.socket.xml | 11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
+index 28c8dc4..2f31242 100644
+--- a/man/systemd.socket.xml
++++ b/man/systemd.socket.xml
+@@ -525,6 +525,17 @@
+ </varlistentry>
+
+ <varlistentry>
++ <term><varname>PassCred=</varname></term>
++ <listitem><para>Takes a boolean
++ value. This controls the SO_PASSCRED
++ option, which allows UNIX sockets to
++ receive the credentials of the sending
++ process in an ancillary message.
++ Defaults to
++ <option>false</option>.</para></listitem>
++ </varlistentry>
++
++ <varlistentry>
+ <term><varname>TCPCongestion=</varname></term>
+ <listitem><para>Takes a string
+ value. Controls the TCP congestion
+--
+1.7.7.6
+
diff --git a/systemd.spec b/systemd.spec
index d8ddb18..6853fec 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -2,7 +2,7 @@ Name: systemd
Url: http://www.freedesktop.org/wiki/Software/systemd
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Version: 26
-Release: 15%{?dist}
+Release: 16%{?dist}
License: GPLv2+
Group: System Environment/Base
Summary: A System and Service Manager
@@ -125,6 +125,12 @@ Patch82: 0004-utmp-for-DEAD_PROCESS-write-the-current-time-to-wtmp.patch
Patch83: 0001-unit-garbage-collect-units-with-load-error.patch
Patch84: 0001-mount-fix-quota.patch
Patch85: 0001-mount-fix-automount-regression.patch
+Patch86: 0001-socket-add-option-for-SO_PASSCRED.patch
+Patch87: 0002-shutdownd-use-PassCred-yes-in-the-socket-unit.patch
+Patch88: 0003-syslog-use-PassCred-yes-for-the-dev-log-socket.patch
+Patch89: 0004-man-document-the-PassCred-option.patch
+Patch90: 0001-socket-rename-the-PassCred-option-to-PassCredentials.patch
+
Patch100: fedora-storage-detect-encrypted-PVs.patch
# For sysvinit tools
@@ -387,6 +393,9 @@ fi
%{_bindir}/systemd-sysv-convert
%changelog
+* Tue Jan 31 2012 Michal Schmidt <mschmidt at redhat.com> - 26-16
+- Backport PassCredentials to avoid #757628 when F15 kernel is rebased to 3.2.
+
* Tue Jan 31 2012 Michal Schmidt <mschmidt at redhat.com> - 26-15
- Fix quota (#773431).
More information about the scm-commits
mailing list