!316 revert units: add ProtectClock=yes

From: @xujing99 Reviewed-by: @licunlong Signed-off-by: @licunlong
2022-09-14 08:50:50 +00:00 · 2022-09-14 08:50:50 +00:00 · 98c74861f2
commit 98c74861f2
parent f0d4b5aaa0 9c793a2df9
2 changed files with 51 additions and 1 deletions
--- a/backport-revert-units-add-ProtectClock-yes.patch
+++ b/backport-revert-units-add-ProtectClock-yes.patch
@ -0,0 +1,46 @@
+From cabc1c6d7adae658a2966a4b02a6faabb803e92b Mon Sep 17 00:00:00 2001
+From: Topi Miettinen <toiwoton@gmail.com>
+Date: Thu, 2 Apr 2020 21:18:11 +0300
+Subject: [PATCH] units: add ProtectClock=yes
+
+Add `ProtectClock=yes` to systemd units. Since it implies certain
+`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
+they are still able to access other devices. Exclude timesyncd and timedated.
+
+===
+Conflict:this only revert systemd-udevd.service.in
+Reference:https://github.com/systemd/systemd/commit/cabc1c6d7adae658a2966a4b02a6faabb803e92b
+
+When DeviceAllow is configured, devices.deny will first be set to "a", and
+then devices.allow be set based on DeviceAllow, which makes devices.list
+between these two steps is not reliable. Only revert systemd-udevd.service.in
+because udevd can fork subprocess to execute udev rules, which may affect user
+process.
+---
+ units/systemd-udevd.service.in | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index 7b6354a..30746c1 100644
+--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
+@@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys
+ 
+ [Service]
+ Delegate=pids
+-DeviceAllow=block-* rwm
+-DeviceAllow=char-* rwm
+ Type=notify
+ # Note that udev will reset the value internally for its workers
+ OOMScoreAdjust=-1000
+@@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0
+ KillMode=mixed
+ TasksMax=infinity
+ PrivateMounts=yes
+-ProtectClock=yes
+ ProtectHostname=yes
+ MemoryDenyWriteExecute=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.23.0
+
--- a/systemd.spec
+++ b/systemd.spec
@ -20,7 +20,7 @@
 Name:           systemd
 Url:            https://www.freedesktop.org/wiki/Software/systemd
 Version:        249
-Release:        34
+Release:        35
 License:        MIT and LGPLv2+ and GPLv2+
 Summary:        System and Service Manager

@ -110,6 +110,7 @@ Patch6029:      backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.pa
 Patch6030:      backport-core-replace-slice-dependencies-as-they-get-added.patch
 Patch6031:      backport-journal-Only-move-to-objects-when-necessary.patch
 Patch6032:      backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch
+Patch6033:      backport-revert-units-add-ProtectClock-yes.patch

 BuildRequires:  gcc, gcc-c++
 BuildRequires:  libcap-devel, libmount-devel, pam-devel, libselinux-devel
@ -1513,6 +1514,9 @@ fi
 %{_libdir}/security/pam_systemd.so

 %changelog
+* Wed Sep 14 2022 xujing <xujing125@huawei.com> -249-35
+- revert add ProtectClock=yes
+
 * Fri Sep 2 2022 Wenchao Hao <haowenchao@huawei.com> -249-34
 - scsi_id: retry inquiry ioctl if host_byte is DID_TRANSPORT_DISRUPTED