diff -Nru systemd-232/debian/changelog systemd-232/debian/changelog --- systemd-232/debian/changelog 2017-03-28 15:59:14.000000000 +0000 +++ systemd-232/debian/changelog 2017-06-21 15:33:22.000000000 +0000 
@@ -1,3 +1,61 @@ +systemd (232-21ubuntu5) zesty-security; urgency=medium + + * SECURITY UPDATE: Out-of-bounds write in systemd-resolved (LP: #1695546) + - debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch: + Add a simple allocation test + - debian/patches/resolved-simplify-alloc-size-calculation.patch: Simply + allocation size calculation + - CVE-2017-9445 + + -- Chris Coulson Wed, 21 Jun 2017 16:33:22 +0100 + +systemd (232-21ubuntu4) zesty; urgency=medium + + * Cherrypick upstream commit to enable system use kernel maximum limit for + RLIMIT_NOFILE isntead of hard-coded (low) limit of 65536. (LP: #1686361) + * debian/tests/root-unittests: disable execute and seccomp tests on arm + test-seccomp and test-execute fail on arm64 kernels. Marking both tests as + expected failures. An upstream bug report is filed to resolve these. + (LP: #1672499) + * Cherrypick upstream patch for platform predictable interface names. + (LP: #1686784) + * resolved: fix null pointer dereference crash (LP: #1621396) + * Cherrypick core/timer downgrade message about random time addition + (LP: #1692136) + + -- Dimitri John Ledkov Wed, 24 May 2017 16:26:16 +0100 + +systemd (232-21ubuntu3) zesty; urgency=medium + + [ Martin Pitt ] + * resolved: Disable DNSSEC by default on stretch and zesty. + Both Debian stretch and Ubuntu zesty are close to releasing, switch to + DNSSEC=off by default for those. Users can still turn it back on with + DNSSEC=allow-downgrade (or even "yes"). (LP: #1682499) + + [ Michael Biebl ] + * journal: fix up syslog facility when forwarding native messages. + Native journal messages (_TRANSPORT=journal) typically don't have a + syslog facility attached to it. As a result when forwarding the + messages to syslog they ended up with facility 0 (LOG_KERN). + Apply syslog_fixup_facility() so we use LOG_USER instead. (Closes: #837893) + (LP: #1682484) + + [ Dimitri John Ledkov ] + * networkd: cherry-pick support for setting bridge port's priority. 
+ This is a useful feature/bugfix to improve feature parity of networkd with + ifupdown. This matches netplan's expectations to be able to set bridge port's + priorities via networked. This featue is to be used by netplan/MAAS/OpenStack. + (LP: #1668347) + * TEST-12: cherry-pick upstream fix for compat with new netcat-openbsd. + (LP: #1672542) + * udev.postinst: preserve virtio interfaces names on upgrades, on s390x. + New udev generates stable interface names on s390x kvm instances, however, upon + upgrades existing ethX names should be preserved to prevent breaking networking + and software configurations. (Closes: #860246) (LP: #1682437) + + -- Dimitri John Ledkov Thu, 13 Apr 2017 18:10:33 +0100 + systemd (232-21ubuntu2) zesty; urgency=medium * pkgconfig: Cherrypick upstream fix to libdir locations in .pc files diff -Nru systemd-232/debian/extra/write_persistent_net_s390x_virtio systemd-232/debian/extra/write_persistent_net_s390x_virtio --- systemd-232/debian/extra/write_persistent_net_s390x_virtio 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/extra/write_persistent_net_s390x_virtio 2017-05-22 14:54:38.000000000 +0000 
@@ -0,0 +1,40 @@ +#!/bin/sh +set -e + +# +# udevd since 232-20 learned to generate stable interface names for network +# interfaces in kvm/qemu. However, existing machines upgrading will be using +# the ethX names instead. The most risk-averse action is to encode +# "persistent-net-rules" like rules to keep the ethX names on upgrades, since +# the interface names (ethX) may be in use not only in /etc/network/interfaces +# but in other configurations too (daemons, firewalls, etc). +# +# This is a one time action, and can be removed after the next stable & LTS +# releases. (~ May 2018) +# + +rulesfile=/etc/udev/rules.d/70-persistent-net.rules + +if [ `uname -m` != 's390x' ] +then + exit 0 +fi + +if [ `systemd-detect-virt` != 'kvm' ] +then + exit 0 +fi + +if [ -f $rulesfile ] +then + exit 0 +fi + +for interface in /sys/class/net/eth* +do + name=$(basename $interface) + address=$(cat $interface/address) + cat <>$rulesfile +SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="$address", KERNEL=="eth*", NAME="$name" +EOF +done diff -Nru systemd-232/debian/gbp.conf systemd-232/debian/gbp.conf --- systemd-232/debian/gbp.conf 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/gbp.conf 2017-05-22 14:54:38.000000000 +0000 @@ -1,7 +1,7 @@ [DEFAULT] pristine-tar = True patch-numbers = False -debian-branch = stretch +debian-branch = ubuntu-zesty [dch] full = True diff -Nru systemd-232/debian/patches/core-timer-downgrade-message-about-random-time-addition-5.patch systemd-232/debian/patches/core-timer-downgrade-message-about-random-time-addition-5.patch --- systemd-232/debian/patches/core-timer-downgrade-message-about-random-time-addition-5.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/core-timer-downgrade-message-about-random-time-addition-5.patch 2017-05-24 15:24:44.000000000 +0000 
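Review bot: The loop at `for interface in /sys/class/net/eth*` runs once on the literal pattern when no ethX interface exists, so `cat $interface/address` fails and `set -e` aborts the postinst on an s390x KVM guest that already has only stable names. Adding `[ -e "$interface" ] || continue` as the first statement of the loop body makes the no-match case a no-op, and skipping an interface whose `address` file is empty avoids emitting a rule that matches `ATTR{address}==""`. The heredoc line `cat <>$rulesfile` looks garbled in this copy (the delimiter closed by the later `EOF` line is missing), so the shipped script should be checked for `cat <<EOF >>$rulesfile`; if it really reads `<>`, the rules would be printed to stdout instead of the file. A comment stating that the rule is keyed on the MAC deliberately (so a changed MAC falls back to the new naming) would save the next reader a guess.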
@@ -0,0 +1,26 @@ +From: =?utf-8?q?Zbigniew_J=C4=99drzejewski-Szmek?= +Date: Sun, 5 Feb 2017 03:37:46 -0500 +Subject: core/timer: downgrade message about random time addition (#5229) + +This seems like something that shouldn't be higher then debug level, even +if it does not get emitted too often. + +Fixes #5228. +(cherry picked from commit 382852fd581efe3cc0ae11154102ab9f435adea1) +--- + src/core/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/core/timer.c b/src/core/timer.c +index c6b28dd..45d8aaf 100644 +--- a/src/core/timer.c ++++ b/src/core/timer.c +@@ -350,7 +350,7 @@ static void add_random(Timer *t, usec_t *v) { + else + *v += add; + +- log_unit_info(UNIT(t), "Adding %s random time.", format_timespan(s, sizeof(s), add, 0)); ++ log_unit_debug(UNIT(t), "Adding %s random time.", format_timespan(s, sizeof(s), add, 0)); + } + + static void timer_enter_waiting(Timer *t, bool initial) { diff -Nru systemd-232/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch systemd-232/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch --- systemd-232/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/patches/debian/fsckd-daemon-for-inter-fsckd-communication.patch 2017-05-22 14:54:38.000000000 +0000 @@ -109,7 +109,7 @@ man/systemd-getty-generator.xml \ man/systemd-gpt-auto-generator.xml \ diff --git a/Makefile.am b/Makefile.am -index 41c7cfc..66106a6 100644 +index ecd8bc1..882f8b2 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -394,6 +394,7 @@ rootlibexec_PROGRAMS = \ diff -Nru systemd-232/debian/patches/journal-fix-up-syslog-facility-when-forwarding-native-mes.patch systemd-232/debian/patches/journal-fix-up-syslog-facility-when-forwarding-native-mes.patch --- systemd-232/debian/patches/journal-fix-up-syslog-facility-when-forwarding-native-mes.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/journal-fix-up-syslog-facility-when-forwarding-native-mes.patch 2017-05-22 14:54:38.000000000 +0000 
@@ -0,0 +1,29 @@ +From: Michael Biebl +Date: Thu, 30 Mar 2017 11:56:25 +0200 +Subject: journal: fix up syslog facility when forwarding native messages + (#5667) + +Native journal messages (_TRANSPORT=journal) typically don't have a +syslog facility attached to it. As a result when forwarding the messages +to syslog they ended up with facility 0 (LOG_KERN). +Apply syslog_fixup_facility() so we use LOG_USER instead. + +Fixes: #5640 +(cherry picked from commit b6a20306fa5dbb8129dd09e07efeacfcfc57363f) +--- + src/journal/journald-native.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c +index 0a1ce20..bba75b6 100644 +--- a/src/journal/journald-native.c ++++ b/src/journal/journald-native.c +@@ -278,7 +278,7 @@ void server_process_native_message( + + if (message) { + if (s->forward_to_syslog) +- server_forward_syslog(s, priority, identifier, message, ucred, tv); ++ server_forward_syslog(s, syslog_fixup_facility(priority), identifier, message, ucred, tv); + + if (s->forward_to_kmsg) + server_forward_kmsg(s, priority, identifier, message, ucred); diff -Nru systemd-232/debian/patches/main-improve-RLIMIT_NOFILE-handling-5795.patch systemd-232/debian/patches/main-improve-RLIMIT_NOFILE-handling-5795.patch --- systemd-232/debian/patches/main-improve-RLIMIT_NOFILE-handling-5795.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/main-improve-RLIMIT_NOFILE-handling-5795.patch 2017-05-24 15:24:44.000000000 +0000 
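Review bot: Only the syslog call is changed to `syslog_fixup_facility(priority)`; the `server_forward_kmsg(s, priority, identifier, message, ucred)` call two lines below still receives the raw priority, so a native message without a facility goes to kmsg with facility 0 while syslog sees LOG_USER. If the asymmetry is intended because kmsg is the kernel log, a one-line comment above the kmsg call saying so would stop the next reader from "fixing" it; otherwise the same wrapper belongs there too. The body of server_process_native_message continues outside the hunk.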
@@ -0,0 +1,50 @@ +From: Christian Brauner +Date: Wed, 26 Apr 2017 06:18:10 +0200 +Subject: main: improve RLIMIT_NOFILE handling (#5795) + +This has systemd look at /proc/sys/fs/nr_open to find the current maximum of +open files compiled into the kernel and tries to set the RLIMIT_NOFILE max to +it. This has the advantage the value chosen as limit is less arbitrary and also +improves the behavior of systemd in containers that have an rlimit set: When +systemd currently starts in a container that has RLIMIT_NOFILE set to e.g. +100000 systemd will lower it to 65536. With this patch systemd will try to set +the nofile limit to the allowed kernel maximum. If this fails, it will compute +the minimum of the current set value (the limit that is set on the container) +and the maximum value as soft limit and the currently set maximum value as the +maximum value. This way it retains the limit set on the container. +(cherry picked from commit 6385cb31ef443be3e0d6da5ea62a267a49174688) +--- + src/core/main.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/src/core/main.c b/src/core/main.c +index bcf9ea5..e6ae0be 100644 +--- a/src/core/main.c ++++ b/src/core/main.c +@@ -1162,6 +1162,8 @@ static int prepare_reexecute(Manager *m, FILE **_f, FDSet **_fds, bool switching + static int bump_rlimit_nofile(struct rlimit *saved_rlimit) { + struct rlimit nl; + int r; ++ int min_max; ++ _cleanup_free_ char *nr_open = NULL; + + assert(saved_rlimit); + +@@ -1182,8 +1184,16 @@ static int bump_rlimit_nofile(struct rlimit *saved_rlimit) { + arg_default_rlimit[RLIMIT_NOFILE] = rl; + } + ++ /* Get current RLIMIT_NOFILE maximum compiled into the kernel. */ ++ r = read_one_line_file("/proc/sys/fs/nr_open", &nr_open); ++ if (r == 0) ++ r = safe_atoi(nr_open, &min_max); ++ /* If we fail, fallback to the hard-coded kernel limit of 1024 * 1024. 
*/ ++ if (r < 0) ++ min_max = 1024 * 1024; ++ + /* Bump up the resource limit for ourselves substantially */ +- nl.rlim_cur = nl.rlim_max = 64*1024; ++ nl.rlim_cur = nl.rlim_max = min_max; + r = setrlimit_closest(RLIMIT_NOFILE, &nl); + if (r < 0) + return log_warning_errno(r, "Setting RLIMIT_NOFILE failed, ignoring: %m"); diff -Nru systemd-232/debian/patches/networkd-Add-bridge-port-priority-setting-5545.patch systemd-232/debian/patches/networkd-Add-bridge-port-priority-setting-5545.patch --- systemd-232/debian/patches/networkd-Add-bridge-port-priority-setting-5545.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/networkd-Add-bridge-port-priority-setting-5545.patch 2017-05-22 14:54:38.000000000 +0000 
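Review bot: `min_max` only falls back to 1024 * 1024 when `r < 0`, so a successfully parsed zero or negative value from /proc/sys/fs/nr_open is assigned to `nl.rlim_cur`/`nl.rlim_max` unchecked; a negative `int` converts to a huge `rlim_t`, and zero would ask for no file descriptors at all. The file is kernel-controlled so this is unlikely in practice, but `safe_atoi` accepts signed input and the guard is one token: `if (r < 0 || min_max <= 0) min_max = 1024 * 1024;`. Parsing into an `unsigned` with `safe_atou` would remove the sign question entirely. The rest of bump_rlimit_nofile continues outside the hunk.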
@@ -0,0 +1,336 @@ +From: Dimitri John Ledkov +Date: Thu, 13 Apr 2017 17:23:32 +0100 +Subject: networkd: Add bridge port priority setting (#5545) + +Allow setting bridge port priority in the Bridge section of the network file, +similar to e.g. port path cost setting. + +Set the default to an invalid value of 128, and only set the port priority when +it's not 128. Unlike e.g. path cost, zero is a valid priority value. + +Add a networkd-test.py to check that bridge port priority is correctly set. + +Incidently, fix bridge port cost type and document valid ranges. +(cherry picked from commit b56be2966a8a8bcc2432e37370bad5381498a819) + +LP: #1668347 +--- + man/systemd.network.xml | 13 ++- + src/network/networkd-link.c | 5 + + src/network/networkd-link.h | 2 + + src/network/networkd-network-gperf.gperf | 3 +- + src/network/networkd-network.c | 1 + + src/network/networkd-network.h | 3 +- + test/networkd-test.py | 191 ++++++++++++++++++++++++++++++- + 7 files changed, 212 insertions(+), 6 deletions(-) + +diff --git a/man/systemd.network.xml b/man/systemd.network.xml +index 2fb4907..3e3119b 100644 +--- a/man/systemd.network.xml ++++ b/man/systemd.network.xml +@@ -1203,7 +1203,18 @@ + Sets the "cost" of sending packets of this interface. + Each port in a bridge may have a different speed and the cost + is used to decide which link to use. Faster interfaces +- should have lower costs. ++ should have lower costs. It is an interger value between 1 and ++ 65535. ++ ++ ++ ++ Priority= ++ ++ Sets the "priority" of sending packets on this interface. ++ Each port in a bridge may have a different priority which is used ++ to decide which link to use. Lower value means higher priority. ++ It is an interger value between 0 to 63. Networkd does not set any ++ default, meaning the kernel default value of 32 is used. 
+ + + +diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c +index 4dfbe0b..e3d28e8 100644 +--- a/src/network/networkd-link.c ++++ b/src/network/networkd-link.c +@@ -1418,6 +1418,11 @@ static int link_set_bridge(Link *link) { + if (r < 0) + return log_link_error_errno(link, r, "Could not append IFLA_BRPORT_COST attribute: %m"); + } ++ if (link->network->priority != LINK_BRIDGE_PORT_PRIORITY_INVALID) { ++ r = sd_netlink_message_append_u16(req, IFLA_BRPORT_PRIORITY, link->network->priority); ++ if (r < 0) ++ return log_link_error_errno(link, r, "Could not append IFLA_BRPORT_PRIORITY attribute: %m"); ++ } + + r = sd_netlink_message_close_container(req); + if (r < 0) +diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h +index 77f72d0..7fa1ebc 100644 +--- a/src/network/networkd-link.h ++++ b/src/network/networkd-link.h +@@ -33,6 +33,8 @@ + #include "list.h" + #include "set.h" + ++#define LINK_BRIDGE_PORT_PRIORITY_INVALID 128 ++ + typedef enum LinkState { + LINK_STATE_PENDING, + LINK_STATE_ENSLAVING, +diff --git a/src/network/networkd-network-gperf.gperf b/src/network/networkd-network-gperf.gperf +index bcf8186..4c21827 100644 +--- a/src/network/networkd-network-gperf.gperf ++++ b/src/network/networkd-network-gperf.gperf +@@ -114,12 +114,13 @@ DHCPServer.EmitTimezone, config_parse_bool, + DHCPServer.Timezone, config_parse_timezone, 0, offsetof(Network, dhcp_server_timezone) + DHCPServer.PoolOffset, config_parse_uint32, 0, offsetof(Network, dhcp_server_pool_offset) + DHCPServer.PoolSize, config_parse_uint32, 0, offsetof(Network, dhcp_server_pool_size) +-Bridge.Cost, config_parse_unsigned, 0, offsetof(Network, cost) ++Bridge.Cost, config_parse_uint32, 0, offsetof(Network, cost) + Bridge.UseBPDU, config_parse_bool, 0, offsetof(Network, use_bpdu) + Bridge.HairPin, config_parse_bool, 0, offsetof(Network, hairpin) + Bridge.FastLeave, config_parse_bool, 0, offsetof(Network, fast_leave) + Bridge.AllowPortToBeRoot, config_parse_bool, 0, 
offsetof(Network, allow_port_to_be_root) + Bridge.UnicastFlood, config_parse_bool, 0, offsetof(Network, unicast_flood) ++Bridge.Priority, config_parse_uint16, 0, offsetof(Network, priority) + BridgeFDB.MACAddress, config_parse_fdb_hwaddr, 0, 0 + BridgeFDB.VLANId, config_parse_fdb_vlan_id, 0, 0 + BridgeVLAN.PVID, config_parse_brvlan_pvid, 0, 0 +diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c +index 042232f..a765f93 100644 +--- a/src/network/networkd-network.c ++++ b/src/network/networkd-network.c +@@ -121,6 +121,7 @@ static int network_load_one(Manager *manager, const char *filename) { + network->use_bpdu = true; + network->allow_port_to_be_root = true; + network->unicast_flood = true; ++ network->priority = LINK_BRIDGE_PORT_PRIORITY_INVALID; + + network->lldp_mode = LLDP_MODE_ROUTERS_ONLY; + +diff --git a/src/network/networkd-network.h b/src/network/networkd-network.h +index 11ff34b..9e6efa0 100644 +--- a/src/network/networkd-network.h ++++ b/src/network/networkd-network.h +@@ -150,7 +150,8 @@ struct Network { + bool fast_leave; + bool allow_port_to_be_root; + bool unicast_flood; +- unsigned cost; ++ uint32_t cost; ++ uint16_t priority; + + bool use_br_vlan; + uint16_t pvid; +diff --git a/test/networkd-test.py b/test/networkd-test.py +index 3091722..618d107 100755 +--- a/test/networkd-test.py ++++ b/test/networkd-test.py +@@ -30,6 +30,7 @@ + # You should have received a copy of the GNU Lesser General Public License + # along with systemd; If not, see . 
+ ++import errno + import os + import sys + import time +@@ -42,12 +43,196 @@ networkd_active = subprocess.call(['systemctl', 'is-active', '--quiet', + 'systemd-networkd']) == 0 + have_dnsmasq = shutil.which('dnsmasq') + ++NETWORK_UNITDIR = '/run/systemd/network' ++ ++NETWORKD_WAIT_ONLINE = shutil.which('systemd-networkd-wait-online', ++ path='/usr/lib/systemd:/lib/systemd') ++ + RESOLV_CONF = '/run/systemd/resolve/resolv.conf' + + +-@unittest.skipIf(networkd_active, +- 'networkd is already active') +-class ClientTestBase: ++def setUpModule(): ++ """Initialize the environment, and perform sanity checks on it.""" ++ if NETWORKD_WAIT_ONLINE is None: ++ raise OSError(errno.ENOENT, 'systemd-networkd-wait-online not found') ++ ++ # Do not run any tests if the system is using networkd already. ++ if subprocess.call(['systemctl', 'is-active', '--quiet', ++ 'systemd-networkd.service']) == 0: ++ raise unittest.SkipTest('networkd is already active') ++ ++ # Avoid "Failed to open /dev/tty" errors in containers. ++ os.environ['SYSTEMD_LOG_TARGET'] = 'journal' ++ ++ # Ensure the unit directory exists so tests can dump files into it. ++ os.makedirs(NETWORK_UNITDIR, exist_ok=True) ++ ++ ++class NetworkdTestingUtilities: ++ """Provide a set of utility functions to facilitate networkd tests. ++ ++ This class must be inherited along with unittest.TestCase to define ++ some required methods. 
++ """ ++ ++ def add_veth_pair(self, veth, peer, veth_options=(), peer_options=()): ++ """Add a veth interface pair, and queue them to be removed.""" ++ subprocess.check_call(['ip', 'link', 'add', 'name', veth] + ++ list(veth_options) + ++ ['type', 'veth', 'peer', 'name', peer] + ++ list(peer_options)) ++ self.addCleanup(subprocess.call, ['ip', 'link', 'del', 'dev', peer]) ++ ++ def write_network(self, unit_name, contents): ++ """Write a network unit file, and queue it to be removed.""" ++ unit_path = os.path.join(NETWORK_UNITDIR, unit_name) ++ ++ with open(unit_path, 'w') as unit: ++ unit.write(contents) ++ self.addCleanup(os.remove, unit_path) ++ ++ def write_network_dropin(self, unit_name, dropin_name, contents): ++ """Write a network unit drop-in, and queue it to be removed.""" ++ dropin_dir = os.path.join(NETWORK_UNITDIR, "%s.d" % unit_name) ++ dropin_path = os.path.join(dropin_dir, "%s.conf" % dropin_name) ++ ++ os.makedirs(dropin_dir, exist_ok=True) ++ self.addCleanup(os.rmdir, dropin_dir) ++ with open(dropin_path, 'w') as dropin: ++ dropin.write(contents) ++ self.addCleanup(os.remove, dropin_path) ++ ++ def read_attr(self, link, attribute): ++ """Read a link attributed from the sysfs.""" ++ # Note we we don't want to check if interface `link' is managed, we ++ # want to evaluate link variable and pass the value of the link to ++ # assert_link_states e.g. eth0=managed. ++ self.assert_link_states(**{link:'managed'}) ++ with open(os.path.join('/sys/class/net', link, attribute)) as f: ++ return f.readline().strip() ++ ++ def assert_link_states(self, **kwargs): ++ """Match networkctl link states to the given ones. ++ ++ Each keyword argument should be the name of a network interface ++ with its expected value of the "SETUP" column in output from ++ networkctl. The interfaces have five seconds to come online ++ before the check is performed. Every specified interface must ++ be present in the output, and any other interfaces found in the ++ output are ignored. 
++ ++ A special interface state "managed" is supported, which matches ++ any value in the "SETUP" column other than "unmanaged". ++ """ ++ if not kwargs: ++ return ++ interfaces = set(kwargs) ++ ++ # Wait for the requested interfaces, but don't fail for them. ++ subprocess.call([NETWORKD_WAIT_ONLINE, '--timeout=5'] + ++ ['--interface=%s' % iface for iface in kwargs]) ++ ++ # Validate each link state found in the networkctl output. ++ out = subprocess.check_output(['networkctl', '--no-legend']).rstrip() ++ for line in out.decode('utf-8').split('\n'): ++ fields = line.split() ++ if len(fields) >= 5 and fields[1] in kwargs: ++ iface = fields[1] ++ expected = kwargs[iface] ++ actual = fields[-1] ++ if (actual != expected and ++ not (expected == 'managed' and actual != 'unmanaged')): ++ self.fail("Link %s expects state %s, found %s" % ++ (iface, expected, actual)) ++ interfaces.remove(iface) ++ ++ # Ensure that all requested interfaces have been covered. ++ if interfaces: ++ self.fail("Missing links in status output: %s" % interfaces) ++ ++ ++class BridgeTest(NetworkdTestingUtilities, unittest.TestCase): ++ """Provide common methods for testing networkd against servers.""" ++ ++ def setUp(self): ++ self.write_network('port1.netdev', '''\ ++[NetDev] ++Name=port1 ++Kind=dummy ++MACAddress=12:34:56:78:9a:bc''') ++ self.write_network('port2.netdev', '''\ ++[NetDev] ++Name=port2 ++Kind=dummy ++MACAddress=12:34:56:78:9a:bd''') ++ self.write_network('mybridge.netdev', '''\ ++[NetDev] ++Name=mybridge ++Kind=bridge''') ++ self.write_network('port1.network', '''\ ++[Match] ++Name=port1 ++[Network] ++Bridge=mybridge''') ++ self.write_network('port2.network', '''\ ++[Match] ++Name=port2 ++[Network] ++Bridge=mybridge''') ++ self.write_network('mybridge.network', '''\ ++[Match] ++Name=mybridge ++[Network] ++DNS=192.168.250.1 ++Address=192.168.250.33/24 ++Gateway=192.168.250.1''') ++ subprocess.check_call(['systemctl', 'start', 'systemd-networkd']) ++ ++ def tearDown(self): ++ 
subprocess.check_call(['systemctl', 'stop', 'systemd-networkd']) ++ subprocess.check_call(['ip', 'link', 'del', 'mybridge']) ++ subprocess.check_call(['ip', 'link', 'del', 'port1']) ++ subprocess.check_call(['ip', 'link', 'del', 'port2']) ++ ++ def test_bridge_init(self): ++ self.assert_link_states( ++ port1='managed', ++ port2='managed', ++ mybridge='managed') ++ ++ def test_bridge_port_priority(self): ++ self.assertEqual(self.read_attr('port1', 'brport/priority'), '32') ++ self.write_network_dropin('port1.network', 'priority', '''\ ++[Bridge] ++Priority=28 ++''') ++ subprocess.check_call(['systemctl', 'restart', 'systemd-networkd']) ++ self.assertEqual(self.read_attr('port1', 'brport/priority'), '28') ++ ++ def test_bridge_port_priority_set_zero(self): ++ """It should be possible to set the bridge port priority to 0""" ++ self.assertEqual(self.read_attr('port2', 'brport/priority'), '32') ++ self.write_network_dropin('port2.network', 'priority', '''\ ++[Bridge] ++Priority=0 ++''') ++ subprocess.check_call(['systemctl', 'restart', 'systemd-networkd']) ++ self.assertEqual(self.read_attr('port2', 'brport/priority'), '0') ++ ++class ClientTestBase(NetworkdTestingUtilities): ++ """Provide common methods for testing networkd against servers.""" ++ ++ @classmethod ++ def setUpClass(klass): ++ klass.orig_log_level = subprocess.check_output( ++ ['systemctl', 'show', '--value', '--property', 'LogLevel'], ++ universal_newlines=True).strip() ++ subprocess.check_call(['systemd-analyze', 'set-log-level', 'debug']) ++ ++ @classmethod ++ def tearDownClass(klass): ++ subprocess.check_call(['systemd-analyze', 'set-log-level', klass.orig_log_level]) ++ + def setUp(self): + self.iface = 'test_eth42' + self.if_router = 'router_eth42' diff -Nru systemd-232/debian/patches/resolved-fix-null-pointer-dereference-crash.patch systemd-232/debian/patches/resolved-fix-null-pointer-dereference-crash.patch --- systemd-232/debian/patches/resolved-fix-null-pointer-dereference-crash.patch 1970-01-01 
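Review bot: `Bridge.Priority` is parsed with the generic `config_parse_uint16`, so any value 0..65535 is accepted, while the man page text added in the same patch documents 0..63 and `LINK_BRIDGE_PORT_PRIORITY_INVALID` is 128 — a user who writes `Priority=128` has the setting silently dropped by the new check in link_set_bridge, and 64..65535 are handed to IFLA_BRPORT_PRIORITY for the kernel to reject. A dedicated parser (for example `config_parse_bridge_port_priority`) that rejects values above 63 with a `log_syntax` warning and leaves the field untouched would align the code with its documentation and make the sentinel unreachable from configuration. The sentinel's meaning should also be stated where it is defined: `/* 128 lies outside the valid 0..63 port-priority range, so it marks "not configured" */`. The man page hunk spells "interger" twice and says "between 0 to 63"; worth fixing while it is being touched.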
00:00:00.000000000 +0000 +++ systemd-232/debian/patches/resolved-fix-null-pointer-dereference-crash.patch 2017-05-22 14:57:00.000000000 +0000 @@ -0,0 +1,25 @@ +From: Dimitri John Ledkov +Date: Mon, 22 May 2017 09:18:21 +0100 +Subject: resolved: fix null pointer dereference crash. + +Bug-Upstream: https://github.com/systemd/systemd/pull/5998 +LP: #1621396 +(cherry picked from commit 4875d605c8ec6ee0d78026410a93ed03d1780cfa) +--- + src/resolve/resolved-dns-packet.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c +index 6529702..7ff6d1f 100644 +--- a/src/resolve/resolved-dns-packet.c ++++ b/src/resolve/resolved-dns-packet.c +@@ -2269,6 +2269,9 @@ int dns_packet_is_reply_for(DnsPacket *p, const DnsResourceKey *key) { + if (r < 0) + return r; + ++ if (p->question == NULL) ++ return 0; ++ + if (p->question->n_keys != 1) + return 0; + diff -Nru systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch --- systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/resolved-simplify-alloc-size-calculation.patch 2017-06-21 15:32:56.000000000 +0000 
@@ -0,0 +1,49 @@ +From 8587c3351003b1613ad2e439cebbb20fbae07e70 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 18 Jun 2017 16:07:57 -0400 +Subject: [PATCH 2/2] resolved: simplify alloc size calculation + +The allocation size was calculated in a complicated way, and for values +close to the page size we would actually allocate less than requested. + +Reported by Chris Coulson . +--- + src/resolve/resolved-dns-packet.c | 8 +------- + src/resolve/resolved-dns-packet.h | 2 -- + 2 files changed, 1 insertion(+), 9 deletions(-) + +diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c +index 240ee448f4..821b66e266 100644 +--- a/src/resolve/resolved-dns-packet.c ++++ b/src/resolve/resolved-dns-packet.c +@@ -47,13 +47,7 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) { + + assert(ret); + +- if (mtu <= UDP_PACKET_HEADER_SIZE) +- a = DNS_PACKET_SIZE_START; +- else +- a = mtu - UDP_PACKET_HEADER_SIZE; +- +- if (a < DNS_PACKET_HEADER_SIZE) +- a = DNS_PACKET_HEADER_SIZE; ++ a = MAX(mtu, DNS_PACKET_HEADER_SIZE); + + /* round up to next page size */ + a = PAGE_ALIGN(ALIGN(sizeof(DnsPacket)) + a) - ALIGN(sizeof(DnsPacket)); +diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h +index 2c92392e4d..3abcaf8cf3 100644 +--- a/src/resolve/resolved-dns-packet.h ++++ b/src/resolve/resolved-dns-packet.h +@@ -66,8 +66,6 @@ struct DnsPacketHeader { + /* With EDNS0 we can use larger packets, default to 4096, which is what is commonly used */ + #define DNS_PACKET_UNICAST_SIZE_LARGE_MAX 4096 + +-#define DNS_PACKET_SIZE_START 512 +- + struct DnsPacket { + int n_ref; + DnsProtocol protocol; +-- +2.13.0 + diff -Nru systemd-232/debian/patches/series systemd-232/debian/patches/series --- systemd-232/debian/patches/series 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/patches/series 2017-06-21 15:33:14.000000000 +0000 
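Review bot: The new `a = MAX(mtu, DNS_PACKET_HEADER_SIZE);` removes the under-allocation described in the commit message, but nothing in the code now states the invariant that was violated, so a later "simplification" can reintroduce it. A comment on that line such as `/* Never allocate less than mtu: the old UDP-header subtraction produced a buffer smaller than requested (CVE-2017-9445) */` ties the line to the allocation test added by the companion patch. That test only asserts a lower bound on `p->allocated`, so the page-rounding line below remains the only thing bounding the upper side; dns_packet_new continues outside the hunk.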
@@ -59,6 +59,13 @@ units-apply-plymouth-warning-fix-to-in-rescue-mode-as-wel.patch rules-allow-SPARC-vdisk-devices-when-identifying-CD-drive.patch Adjust-pkgconfig-files-to-point-at-rootlibdir-4584.patch +journal-fix-up-syslog-facility-when-forwarding-native-mes.patch +networkd-Add-bridge-port-priority-setting-5545.patch +test-TEST-12-ISSUE-3171-specify-w1-option-to-netcat-due-t.patch +main-improve-RLIMIT_NOFILE-handling-5795.patch +udev-net_id-add-support-for-platform-bus-ACPI-mostly-arm6.patch +resolved-fix-null-pointer-dereference-crash.patch +core-timer-downgrade-message-about-random-time-addition-5.patch debian/Use-Debian-specific-config-files.patch debian/don-t-try-to-start-autovt-units-when-not-running-wit.patch debian/Make-logind-hostnamed-localed-timedated-D-Bus-activa.patch @@ -83,3 +90,5 @@ debian/Let-graphical-session-pre.target-be-manually-started.patch debian/Add-env-variable-for-machine-ID-path.patch cryptsetup-generator-run-cryptsetup-service-before-swap-u.patch +test-resolved-packet-add-a-simple-test-for-our-alloc.patch +resolved-simplify-alloc-size-calculation.patch diff -Nru systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch --- systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/test-resolved-packet-add-a-simple-test-for-our-alloc.patch 2017-06-21 15:32:50.000000000 +0000 
@@ -0,0 +1,112 @@ +From c67ed7b00f62b3ea6f9476b491fd5db590d04cf4 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 18 Jun 2017 15:53:15 -0400 +Subject: [PATCH 1/2] test-resolved-packet: add a simple test for our + allocation functions + +--- + .gitignore | 1 + + Makefile.am | 14 ++++++++++++ + src/resolve/meson.build | 9 ++++++++ + src/resolve/test-resolved-packet.c | 45 ++++++++++++++++++++++++++++++++++++++ + 4 files changed, 69 insertions(+) + create mode 100644 src/resolve/test-resolved-packet.c + +diff --git a/.gitignore b/.gitignore +index 60eda2b8ce..bc47db6481 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -271,6 +271,7 @@ + /test-replace-var + /test-resolve + /test-resolve-tables ++/test-resolved-packet + /test-ring + /test-rlimit-util + /test-sched-prio +diff --git a/Makefile.am b/Makefile.am +index 3b9ed874e5..59899c65cc 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -5748,6 +5748,7 @@ dist_zshcompletion_data += \ + tests += \ + test-dns-packet \ + test-resolve-tables \ ++ test-resolved-packet \ + test-dnssec + + manual_tests += \ +@@ -5769,6 +5770,19 @@ test_resolve_tables_LDADD = \ + $(GCRYPT_LIBS) \ + -lm + ++test_resolved_packet_SOURCES = \ ++ src/resolve/test-resolved-packet.c \ ++ $(basic_dns_sources) ++ ++test_resolved_packet_CFLAGS = \ ++ $(AM_CFLAGS) \ ++ $(GCRYPT_CFLAGS) ++ ++test_resolved_packet_LDADD = \ ++ libsystemd-shared.la \ ++ $(GCRYPT_LIBS) \ ++ -lm ++ + test_dns_packet_SOURCES = \ + src/resolve/test-dns-packet.c \ + $(basic_dns_sources) +diff --git a/src/resolve/test-resolved-packet.c b/src/resolve/test-resolved-packet.c +new file mode 100644 +index 0000000000..8b7da1408d +--- /dev/null ++++ b/src/resolve/test-resolved-packet.c +@@ -0,0 +1,45 @@ ++/*** ++ This file is part of systemd ++ ++ Copyright 2017 Zbigniew Jędrzejewski-Szmek ++ ++ systemd is free software; you can redistribute it and/or modify it ++ under the terms of the GNU Lesser General Public License as published by ++ the Free 
Software Foundation; either version 2.1 of the License, or ++ (at your option) any later version. ++ ++ systemd is distributed in the hope that it will be useful, but ++ WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public License ++ along with systemd; If not, see . ++***/ ++ ++#include "log.h" ++#include "resolved-dns-packet.h" ++ ++static void test_dns_packet_new(void) { ++ size_t i; ++ ++ for (i = 0; i < DNS_PACKET_SIZE_MAX + 2; i++) { ++ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL; ++ ++ assert_se(dns_packet_new(&p, DNS_PROTOCOL_DNS, i) == 0); ++ ++ log_debug("dns_packet_new: %zu → %zu", i, p->allocated); ++ assert_se(p->allocated >= MIN(DNS_PACKET_SIZE_MAX, i)); ++ } ++} ++ ++int main(int argc, char **argv) { ++ ++ log_set_max_level(LOG_DEBUG); ++ log_parse_environment(); ++ log_open(); ++ ++ test_dns_packet_new(); ++ ++ return 0; ++} +-- +2.13.0 + diff -Nru systemd-232/debian/patches/test-TEST-12-ISSUE-3171-specify-w1-option-to-netcat-due-t.patch systemd-232/debian/patches/test-TEST-12-ISSUE-3171-specify-w1-option-to-netcat-due-t.patch --- systemd-232/debian/patches/test-TEST-12-ISSUE-3171-specify-w1-option-to-netcat-due-t.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/test-TEST-12-ISSUE-3171-specify-w1-option-to-netcat-due-t.patch 2017-05-22 14:54:38.000000000 +0000 
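Review bot: The diffstat in the patch header lists `src/resolve/meson.build | 9 ++++++++` and "4 files changed, 69 insertions(+)", but the patch body carries only the .gitignore, Makefile.am and test-resolved-packet.c hunks — presumably the meson hunk was dropped for this 232 backport without trimming the stat, which misleads anyone comparing the patch against `git apply --stat`. In test_dns_packet_new the per-iteration `log_debug` fires for every one of DNS_PACKET_SIZE_MAX + 2 sizes at the LOG_DEBUG level main sets, so the output is dominated by it; logging only when `p->allocated` changes, or every 4096th size, keeps failures readable. A one-line comment on the loop stating what is being checked, `/* allocation must never be smaller than the requested size, capped at DNS_PACKET_SIZE_MAX */`, would document the assertion's intent.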
@@ -0,0 +1,48 @@ +From: Dimitri John Ledkov +Date: Tue, 11 Apr 2017 20:34:29 +0100 +Subject: test/TEST-12-ISSUE-3171: specify -w1 option to netcat due to default + change. (#5722) + +On Ubuntu 17.04 (zesty zapus) netcat-openbsd was upgraded from 1.105-7ubuntu1 +to 1.130-3, at the same time the defaults got changed from -q0 to -q-1 +(infinity) the net result is that `echo A | nc -U' call now hangs, preventing +the testcase to complete. One could use the old default of -q0, but that option +is not available in some netcat implementations. Thus settle to specify -w1 +instead to mitigate the testcase hang. +(cherry picked from commit c618423a5aacb0378985f6d49d31be65866ab79a) +--- + test/TEST-12-ISSUE-3171/test.sh | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/test/TEST-12-ISSUE-3171/test.sh b/test/TEST-12-ISSUE-3171/test.sh +index e20f470..c252bdf 100755 +--- a/test/TEST-12-ISSUE-3171/test.sh ++++ b/test/TEST-12-ISSUE-3171/test.sh +@@ -67,23 +67,23 @@ EOL + systemctl start test.socket + systemctl is-active test.socket + [[ "$(stat --format='%G' /run/test.socket)" == adm ]] +-echo A | nc -U /run/test.socket ++echo A | nc -w1 -U /run/test.socket + + mv $U ${U}.disabled + systemctl daemon-reload + systemctl is-active test.socket + [[ "$(stat --format='%G' /run/test.socket)" == adm ]] +-echo B | nc -U /run/test.socket && exit 1 ++echo B | nc -w1 -U /run/test.socket && exit 1 + + mv ${U}.disabled $U + systemctl daemon-reload + systemctl is-active test.socket +-echo C | nc -U /run/test.socket && exit 1 ++echo C | nc -w1 -U /run/test.socket && exit 1 + [[ "$(stat --format='%G' /run/test.socket)" == adm ]] + + systemctl restart test.socket + systemctl is-active test.socket +-echo D | nc -U /run/test.socket ++echo D | nc -w1 -U /run/test.socket + [[ "$(stat --format='%G' /run/test.socket)" == adm ]] + + diff -Nru systemd-232/debian/patches/udev-net_id-add-support-for-platform-bus-ACPI-mostly-arm6.patch 
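Review bot: Adding `-w1` weakens the two negative checks (`echo B | nc -w1 -U /run/test.socket && exit 1` and the matching `echo C` line): with a one-second timeout nc presumably exits non-zero when nothing answers, so those lines now also pass when the socket merely hangs instead of refusing the connection, which is not what they were written to prove. The positive checks (`echo A`, `echo D`) can conversely fail spuriously on a slow test VM if the unit takes longer than a second to accept. A comment above the first call, `# -w1: netcat-openbsd >= 1.130 defaults to -q-1 and would hang; note a 1s timeout also turns a hung socket into a non-zero exit`, would record both effects for the next person who tunes this test.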
systemd-232/debian/patches/udev-net_id-add-support-for-platform-bus-ACPI-mostly-arm6.patch --- systemd-232/debian/patches/udev-net_id-add-support-for-platform-bus-ACPI-mostly-arm6.patch 1970-01-01 00:00:00.000000000 +0000 +++ systemd-232/debian/patches/udev-net_id-add-support-for-platform-bus-ACPI-mostly-arm6.patch 2017-05-24 15:24:44.000000000 +0000 
@@ -0,0 +1,111 @@ +From: Dimitri John Ledkov +Date: Wed, 17 May 2017 14:28:35 +0100 +Subject: udev: net_id add support for platform bus (ACPI, + mostly arm64) devices (#5933) + +Fixes: #5894 +(cherry picked from commit c20e6de897b2378bc3f936e1e265d2d2e2450a73) +--- + src/udev/udev-builtin-net_id.c | 63 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 63 insertions(+) + +--- a/src/udev/udev-builtin-net_id.c ++++ b/src/udev/udev-builtin-net_id.c +@@ -45,6 +45,7 @@ + * — PCI geographical location + * [P]ps[f][u][..][c][i] + * — USB port number chain ++ * ai — Platform bus ACPI instance id + * + * All multi-function PCI devices will carry the [f] number in the + * device name, including the function 0 device. +@@ -121,6 +122,7 @@ + NET_BCMA, + NET_VIRTIO, + NET_CCW, ++ NET_PLATFORM, + }; + + struct netnames { +@@ -138,6 +140,7 @@ + char usb_ports[IFNAMSIZ]; + char bcma_core[IFNAMSIZ]; + char ccw_busid[IFNAMSIZ]; ++ char platform_path[IFNAMSIZ]; + }; + + /* skip intermediate virtio devices */ +@@ -318,6 +321,56 @@ + return err; + } + ++#define _PLATFORM_TEST "/sys/devices/platform/vvvvPPPP" ++#define _PLATFORM_PATTERN4 "/sys/devices/platform/%4s%4x:%2x/net/eth%u" ++#define _PLATFORM_PATTERN3 "/sys/devices/platform/%3s%4x:%2x/net/eth%u" ++ ++static int names_platform(struct udev_device *dev, struct netnames *names, bool test) { ++ struct udev_device *parent; ++ char vendor[5]; ++ unsigned model, instance, ethid; ++ const char *syspath, *pattern, *validchars; ++ ++ /* check if our direct parent is a platform device with no other bus in-between */ ++ parent = udev_device_get_parent(dev); ++ if (!parent) ++ return -ENOENT; ++ ++ if (!streq_ptr("platform", udev_device_get_subsystem(parent))) ++ return -ENOENT; ++ ++ syspath = udev_device_get_syspath(dev); ++ ++ /* syspath is too short, to have a valid ACPI instance */ ++ if (strlen(syspath) < sizeof _PLATFORM_TEST) ++ return -EINVAL; ++ ++ /* Vendor ID can be either PNP ID (3 chars A-Z) or ACPI ID (4 chars A-Z 
and numerals) */ ++ if (syspath[sizeof _PLATFORM_TEST - 1] == ':') { ++ pattern = _PLATFORM_PATTERN4; ++ validchars = UPPERCASE_LETTERS DIGITS; ++ } else { ++ pattern = _PLATFORM_PATTERN3; ++ validchars = UPPERCASE_LETTERS; ++ } ++ ++ /* Platform devices are named after ACPI table match, and instance id ++ * eg. "/sys/devices/platform/HISI00C2:00"); ++ * The Vendor (3 or 4 char), followed by hexdecimal model number : instance id. ++ */ ++ if (sscanf(syspath, pattern, vendor, &model, &instance, ðid) != 4) ++ return -EINVAL; ++ ++ if (!in_charset(vendor, validchars)) ++ return -ENOENT; ++ ++ ascii_strlower(vendor); ++ ++ xsprintf(names->platform_path, "a%s%xi%u", vendor, model, instance); ++ names->type = NET_PLATFORM; ++ return 0; ++} ++ + static int names_pci(struct udev_device *dev, struct netnames *names) { + struct udev_device *parent; + +@@ -590,6 +643,16 @@ + udev_builtin_add_property(dev, test, "ID_NET_NAME_PATH", str); + goto out; + } ++ ++ /* get ACPI path names for ARM64 platform devices */ ++ err = names_platform(dev, &names, test); ++ if (err >= 0 && names.type == NET_PLATFORM) { ++ char str[IFNAMSIZ]; ++ ++ if (snprintf(str, sizeof(str), "%s%s", prefix, names.platform_path) < (int)sizeof(str)) ++ udev_builtin_add_property(dev, test, "ID_NET_NAME_PATH", str); ++ goto out; ++ } + + /* get PCI based path names, we compose only PCI based paths */ + err = names_pci(dev, &names); diff -Nru systemd-232/debian/rules systemd-232/debian/rules --- systemd-232/debian/rules 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/rules 2017-05-22 14:54:38.000000000 +0000 
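Review bot: names_platform() relies on an unstated invariant between the scan widths and the destination buffer: `%4s`/`%3s` write at most four characters plus the terminator into `char vendor[5]`, and `_PLATFORM_TEST` must stay in step with both patterns for the `syspath[sizeof _PLATFORM_TEST - 1] == ':'` probe to land on the separator. Widening either pattern without resizing `vendor` would be a stack buffer overflow in udev on a crafted sysfs path, so add `/* %4s/%3s write at most 4 chars + NUL into vendor[5]; keep the widths, vendor[] and _PLATFORM_TEST in step */` next to the declaration. `ethid` is scanned only to force the `/net/eth%u` suffix to match (a platform NIC with any other kernel name gets no path name) and `test` is never used; a short comment on the former and dropping or using the latter would make the intent clear. The sscanf return check and in_charset() validation are the right shape; the xsprintf() output is bounded well below IFNAMSIZ by the widths above.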
@@ -128,9 +128,9 @@ --with-system-uid-max=999 \ --with-system-gid-max=999 -# resolved's DNSSEC support is still not mature enough, disable for stable -# Debian/Ubuntu releases -CONFFLAGS += $(shell grep -q yakkety /etc/os-release && echo --with-default-dnssec=no) +# resolved's DNSSEC support is still not mature enough, don't enable it by +# default on stable Debian/Ubuntu releases +CONFFLAGS += $(shell grep -qE 'stretch|yakkety|zesty' /etc/os-release && echo --with-default-dnssec=no) CONFFLAGS_deb = \ --enable-selinux \ diff -Nru systemd-232/debian/tests/root-unittests systemd-232/debian/tests/root-unittests --- systemd-232/debian/tests/root-unittests 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/tests/root-unittests 2017-05-24 15:24:44.000000000 +0000 @@ -17,6 +17,17 @@ test-catalog " +# test-seccomp and test-execute fail on arm64, and by extension armhf as the +# two are related, and are currently executed on arm64 kernels. +# https://github.com/systemd/systemd/issues/5851 +arch=$(dpkg --print-architecture) +if [ "$arch" = "armhf" ] || [ $arch = "arm64" ]; then + EXFAIL="$EXFAIL +test-seccomp +test-execute +" +fi + res=0 for t in $(cat /usr/lib/*/systemd-tests/unittests.txt); do echo "====== $t =======" diff -Nru systemd-232/debian/udev.install systemd-232/debian/udev.install --- systemd-232/debian/udev.install 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/udev.install 2017-05-22 14:54:38.000000000 +0000 @@ -22,3 +22,4 @@ ../../extra/rules/*.rules lib/udev/rules.d/ #../../extra/*.hwdb lib/udev/hwdb.d/ ../../extra/fbdev-blacklist.conf lib/modprobe.d/ +../../extra/write_persistent_net_s390x_virtio usr/share/systemd/ diff -Nru systemd-232/debian/udev.postinst systemd-232/debian/udev.postinst --- systemd-232/debian/udev.postinst 2017-03-28 13:18:56.000000000 +0000 +++ systemd-232/debian/udev.postinst 2017-05-22 14:54:38.000000000 +0000 
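Review bot: The new `grep -qE 'stretch|yakkety|zesty' /etc/os-release` test is a substring match across every field of the build host's os-release, and it now turns DNSSEC validation off by default on three releases, so the comment above it should say how the decision is made and how users opt back in, e.g. `# decided by the build chroot's /etc/os-release; users can still set DNSSEC=allow-downgrade or yes in resolved.conf`. A hit on an unrelated line (a PRETTY_NAME or derivative that mentions one of these names) would flip a security default silently; anchoring on the codename field, if every targeted release provides one, would make this deterministic.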
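Review bot: Marking test-seccomp as an expected failure on armhf/arm64 (the `EXFAIL="$EXFAIL ... test-seccomp test-execute"` block) means a regression in the seccomp sandboxing systemd applies on those architectures no longer fails the autopkgtest, so the block should carry an explicit expiry note, e.g. `# TODO: drop once systemd/systemd#5851 is resolved; until then seccomp regressions on arm are not caught here`. The second comparison `[ $arch = "arm64" ]` leaves `$arch` unquoted while the first quotes it; `[ "$arch" = "arm64" ]` keeps both consistent and safe if dpkg prints nothing. How EXFAIL is consumed is outside the hunk.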
@@ -90,6 +90,12 @@ NamePolicy=onboard kernel EOF fi + + # 232-20 (232-21ubuntu3 in ubuntu) introduced predicable interface names on + # s390x for virtio However, we should preserve ethX names on upgrade. + if dpkg --compare-versions "$2" lt-nl "232-21ubuntu3~"; then + /usr/share/systemd/write_persistent_net_s390x_virtio + fi } update_hwdb() {
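Review bot: The upgrade branch `if dpkg --compare-versions "$2" lt-nl "232-21ubuntu3~"; then /usr/share/systemd/write_persistent_net_s390x_virtio; fi` runs the helper on every architecture and trusts that it is present and executable; if the script bails out cleanly on non-s390x hosts that is fine, but nothing here says so, and a missing or non-executable file (the install line only places it) would abort the upgrade if the postinst runs under `set -e`. Either guard the call, `if [ "$(dpkg --print-architecture)" = s390x ] && [ -x /usr/share/systemd/write_persistent_net_s390x_virtio ]; then`, or state in the comment that the script is a no-op elsewhere and that failing loudly on a missing file is intended. The comment also has a typo: `predicable` → `predictable`. Whether the postinst uses `set -e` is outside the hunk.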