packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

revert units: add ProtectClock=yes

Browse Source
This commit is contained in:
xujing 2022-09-14 15:23:20 +08:00
parent f0d4b5aaa0
commit 9c793a2df9
2 changed files with 51 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
backport-revert-units-add-ProtectClock-yes.patch Normal file
View File

@ -0,0 +1,46 @@
From cabc1c6d7adae658a2966a4b02a6faabb803e92b Mon Sep 17 00:00:00 2001
From: Topi Miettinen <toiwoton@gmail.com>
Date: Thu, 2 Apr 2020 21:18:11 +0300
Subject: [PATCH] units: add ProtectClock=yes
Add `ProtectClock=yes` to systemd units. Since it implies certain
`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
they are still able to access other devices. Exclude timesyncd and timedated.
===
Conflict:this only revert systemd-udevd.service.in
Reference:https://github.com/systemd/systemd/commit/cabc1c6d7adae658a2966a4b02a6faabb803e92b
When DeviceAllow is configured, devices.deny will first be set to "a", and
then devices.allow be set based on DeviceAllow, which makes devices.list
between these two steps is not reliable. Only revert systemd-udevd.service.in
because udevd can fork subprocess to execute udev rules, which may affect user
process.
---
units/systemd-udevd.service.in | 3 ---
1 file changed, 3 deletions(-)
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 7b6354a..30746c1 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -17,8 +17,6 @@ ConditionPathIsReadWrite=/sys
[Service]
Delegate=pids
-DeviceAllow=block-* rwm
-DeviceAllow=char-* rwm
Type=notify
# Note that udev will reset the value internally for its workers
OOMScoreAdjust=-1000
@@ -30,7 +28,6 @@ ExecReload=udevadm control --reload --timeout 0
KillMode=mixed
TasksMax=infinity
PrivateMounts=yes
-ProtectClock=yes
ProtectHostname=yes
MemoryDenyWriteExecute=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
--
2.23.0

6
systemd.spec
View File

@ -20,7 +20,7 @@
Name: systemd Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 249 Version: 249
Release: 34 Release: 35
License: MIT and LGPLv2+ and GPLv2+ License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager Summary: System and Service Manager
@ -110,6 +110,7 @@ Patch6029: backport-Avoid-tmp-being-mounted-as-tmpfs-without-the-user-s-.pa
Patch6030: backport-core-replace-slice-dependencies-as-they-get-added.patch Patch6030: backport-core-replace-slice-dependencies-as-they-get-added.patch
Patch6031: backport-journal-Only-move-to-objects-when-necessary.patch Patch6031: backport-journal-Only-move-to-objects-when-necessary.patch
Patch6032: backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch Patch6032: backport-scsi_id-retry-inquiry-ioctl-if-host_byte-is-DID_TRAN.patch
Patch6033: backport-revert-units-add-ProtectClock-yes.patch
BuildRequires: gcc, gcc-c++ BuildRequires: gcc, gcc-c++
BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel BuildRequires: libcap-devel, libmount-devel, pam-devel, libselinux-devel
@ -1513,6 +1514,9 @@ fi
%{_libdir}/security/pam_systemd.so %{_libdir}/security/pam_systemd.so
%changelog %changelog
* Wed Sep 14 2022 xujing <xujing125@huawei.com> -249-35
- revert add ProtectClock=yes
* Fri Sep 2 2022 Wenchao Hao <haowenchao@huawei.com> -249-34 * Fri Sep 2 2022 Wenchao Hao <haowenchao@huawei.com> -249-34
- scsi_id: retry inquiry ioctl if host_byte is DID_TRANSPORT_DISRUPTED - scsi_id: retry inquiry ioctl if host_byte is DID_TRANSPORT_DISRUPTED