diff --git a/backport-revert-units-add-ProtectClock-yes.patch b/backport-revert-units-add-ProtectClock-yes.patch
new file mode 100644
index 0000000..2612b28
--- /dev/null
+++ b/backport-revert-units-add-ProtectClock-yes.patch
@@ -0,0 +1,46 @@
+From cabc1c6d7adae658a2966a4b02a6faabb803e92b Mon Sep 17 00:00:00 2001
+From: Topi Miettinen
+Date: Thu, 2 Apr 2020 21:18:11 +0300
+Subject: [PATCH] units: add ProtectClock=yes
+
+Add `ProtectClock=yes` to systemd units. Since it implies certain
+`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
+they are still able to access other devices. Exclude timesyncd and timedated.
+
+===
+Conflict:this only revert systemd-udevd.service.in
+Reference:https://github.com/systemd/systemd/commit/cabc1c6d7adae658a2966a4b02a6faabb803e92b
+
+When DeviceAllow is configured, devices.deny will first be set to "a", and
+then devices.allow be set based on DeviceAllow, which makes devices.list
+between these two steps is not reliable. Only revert systemd-udevd.service.in
+because udevd can fork subprocess to execute udev rules, which may affect user
+process.
+---
+ units/systemd-udevd.service.in | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
+index 7b6354a..30746c1 100644
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys
+ 
+ [Service]
+ Delegate=pids
+-DeviceAllow=block-* rwm
+-DeviceAllow=char-* rwm
+ Type=notify
+ # Note that udev will reset the value internally for its workers
+ OOMScoreAdjust=-1000
+@@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0
+ KillMode=mixed
+ TasksMax=infinity
+ PrivateMounts=yes
+-ProtectClock=yes
+ ProtectHostname=yes
+ MemoryDenyWriteExecute=yes
+ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+-- 
+2.23.0
+
diff --git a/systemd.spec b/systemd.spec
index ea88f6b..12479dc 100644
--- a/systemd.spec
+++ b/systemd.spec
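Review bot: The revert drops `ProtectClock=yes` together with the two `DeviceAllow=` lines in the udevd unit, so systemd-udevd and every helper it forks for udev rules regain the ability to write the system and hardware clock, which is a larger hardening regression than the devices.list race in the description requires. Per the systemd.exec documentation, `ProtectClock=` is the combination of removing CAP_SYS_TIME and CAP_WAKE_ALARM from the bounding set, a `@clock` system-call deny filter, and an implied `DeviceAllow=char-rtc r`, and only that last piece configures the device cgroup. If the goal is to keep the device controller entirely untouched for this unit, the clock protection can still be retained by replacing the removed line with `CapabilityBoundingSet=~CAP_SYS_TIME CAP_WAKE_ALARM` and `SystemCallFilter=~@clock`, checked against any existing CapabilityBoundingSet=/SystemCallFilter= lines of the `[Service]` section, which continues outside the hunk. The devices.deny/devices.allow sequence in the description is cgroup v1 device-controller behaviour; as far as I can tell systemd applies device policy via a BPF program on cgroup v2, so the conflict note should state whether the race was observed there too, otherwise the revert weakens hosts that do not hit the problem.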
@@ -20,7 +20,7 @@ Name: systemd Url: https://www.freedesktop.org/wiki/Software/systemd Version: 249 -Release: 34 +Release: 35 License: MIT and LGPLv2+ and GPLv2+ Summary: System and Service Manager @@ -110,6 +110,7 @@ Patch6029: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.pa Patch6030: backport-core-replace-slice-dependencies-as-they-get-added.patch Patch6031: backport-journal-Only-move-to-objects-when-necessary.patch Patch6032: backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch +Patch6033: backport-revert-units-add-ProtectClock-yes.patch BuildRequires: gcc, gcc-c++ BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel @@ -1513,6 +1514,9 @@ fi %{_libdir}/security/pam_systemd.so %changelog +* Wed Sep 14 2022 xujing -249-35 +- revert add ProtectClock=yes + * Fri Sep 2 2022 Wenchao Hao -249-34 - scsi_id: retry inquiry ioctl if host_byte is DID_TRANSPORT_DISRUPTED