Ubuntu
systemd package

Merge ~enr0n/ubuntu/+source/systemd:focal-lp1958284-and-lp1871538 into ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal

  1. Git
  2. lp:~enr0n/ubuntu/+source/systemd
  3. focal-lp1958284-and-lp1871538
  4. Merge into ubuntu-focal
Proposed by Nick Rosbrook
Status: Merged
Merged at revision: 420fcc5e44b1effd48dcd1c9f96672134f95b1eb
Proposed branch: ~enr0n/ubuntu/+source/systemd:focal-lp1958284-and-lp1871538
Merge into: ~ubuntu-core-dev/ubuntu/+source/systemd:ubuntu-focal
Diff against target: 185 lines (+153/-1)
4 files modified
debian/changelog (+12/-1)
debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch (+48/-0)
debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch (+91/-0)
debian/patches/series (+2/-0)
Reviewer Review Type Date Requested Status
Lukas Märdian Approve
Review via email: mp+417577@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Lukas Märdian (slyon) wrote :

Thank you very much. This LGTM!
Also the PPA build and PPA autopkgtests in https://autopkgtest.ubuntu.com/results/autopkgtest-focal-enr0n-systemd-245/?format=plain are all green!

Sponsoring & Merging!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/changelog b/debian/changelog
index c133951..daf4f12 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,7 +10,18 @@ systemd (245.4-4ubuntu3.16) UNRELEASED; urgency=medium
10 File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch10 File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
11 https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=88a859eaddb6c9a611fcbc44edab441aef4c435511 https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=88a859eaddb6c9a611fcbc44edab441aef4c4355
1212
13 -- Lukas Märdian <slyon@ubuntu.com> Tue, 08 Feb 2022 17:39:41 +010013 [ Nick Rosbrook ]
14 * Prevent arguments from being overwritten with defaults at shutdown (LP: #1958284)
15 File: debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch
16 https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e61052bd1f20bcc54e7417542c6d445cf5040f56
17
18 [ Lukas Märdian ]
19 * Fix deadlock between pid1 and dbus-daemon (LP: #1871538)
20 Author: Lukas Märdian
21 File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
22 https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e3aacfa26e3fc6df369e6f28e740389ae0020907
23
24 -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 23 Mar 2022 09:29:33 -0400
1425
15systemd (245.4-4ubuntu3.15) focal-security; urgency=medium26systemd (245.4-4ubuntu3.15) focal-security; urgency=medium
1627
diff --git a/debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch b/debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch
17new file mode 10064428new file mode 100644
index 0000000..1ae2fb6
--- /dev/null
+++ b/debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch
@@ -0,0 +1,48 @@
1Description: core: move reset_arguments() to the end of main's finish
2Origin: upstream, https://github.com/systemd/systemd/commit/7d9eea2bd3d4f83668c7a78754d201b22
3Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1958284
4---
5From: Anita Zhang <the.anitazha@gmail.com>
6Date: Thu, 17 Sep 2020 01:49:17 -0700
7Subject: core: move reset_arguments() to the end of main's finish
8
9Fixes #16991
10
11fb39af4ce42d7ef9af63009f271f404038703704 replaced `free_arguments()` with
12`reset_arguments()`, which frees arg_* variables as before, but also resets all
13of them to the default values. `reset_arguments()` was positioned
14in such a way that it overrode some arg_* values still in use at shutdown.
15
16To avoid further unintentional resets, I moved `reset_arguments()`
17right before the return, when nothing else will be using the arg_* variables.
18---
19 src/core/main.c | 3 ++-
20 1 file changed, 2 insertions(+), 1 deletion(-)
21
22diff --git a/src/core/main.c b/src/core/main.c
23index e32ed02..615949b 100644
24--- a/src/core/main.c
25+++ b/src/core/main.c
26@@ -2717,7 +2717,6 @@ finish:
27 m = manager_free(m);
28 }
29
30- reset_arguments();
31 mac_selinux_finish();
32
33 if (reexecute)
34@@ -2744,6 +2743,7 @@ finish:
35 * in become_shutdown() so normally we cannot free them yet. */
36 watchdog_free_device();
37 arg_watchdog_device = mfree(arg_watchdog_device);
38+ reset_arguments();
39 return retval;
40 }
41 #endif
42@@ -2769,5 +2769,6 @@ finish:
43 freeze_or_exit_or_reboot();
44 }
45
46+ reset_arguments();
47 return retval;
48 }
diff --git a/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch b/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
0new file mode 10064449new file mode 100644
index 0000000..df7456a
--- /dev/null
+++ b/debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
@@ -0,0 +1,91 @@
1From: Lennart Poettering <lennart@poettering.net>
2Date: Thu, 17 Feb 2022 14:49:54 +0100
3Subject: pid1: set SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon
4MIME-Version: 1.0
5Content-Type: text/plain; charset="utf-8"
6Content-Transfer-Encoding: 8bit
7
8There's currently a deadlock between PID 1 and dbus-daemon: in some
9cases dbus-daemon will do NSS lookups (which are blocking) at the same
10time PID 1 synchronously blocks on some call to dbus-daemon. Let's break
11that by setting SYSTEMD_NSS_DYNAMIC_BYPASS=1 env var for dbus-daemon,
12which will disable synchronously blocking varlink calls from nss-systemd
13to PID 1.
14
15In the long run we should fix this differently: remove all synchronous
16calls to dbus-daemon from PID 1. This is not trivial however: so far we
17had the rule that synchronous calls from PID 1 to the dbus broker are OK
18as long as they only go to interfaces implemented by the broke itself
19rather than services reachable through it. Given that the relationship
20between PID 1 and dbus is kinda special anyway, this was considered
21acceptable for the sake of simplicity, since we quite often need
22metadata about bus peers from the broker, and the asynchronous logic
23would substantially complicate even the simplest method handlers.
24
25This mostly reworks the existing code that sets SYSTEMD_NSS_BYPASS_BUS=
26(which is a similar hack to deal with deadlocks between nss-systemd and
27dbus-daemon itself) to set SYSTEMD_NSS_DYNAMIC_BYPASS=1 instead. No code
28was checking SYSTEMD_NSS_BYPASS_BUS= anymore anyway, and it used to
29solve a similar problem, hence it's an obvious piece of code to rework
30like this.
31
32Issue originally tracked down by Lukas Märdian. This patch is inspired
33and closely based on his patch:
34
35 https://github.com/systemd/systemd/pull/22038
36
37Fixes: #15316
38Co-authored-by: Lukas Märdian <slyon@ubuntu.com>
39---
40 src/core/execute.c | 10 +++++-----
41 src/core/execute.h | 2 +-
42 src/core/service.c | 2 +-
43 3 files changed, 7 insertions(+), 7 deletions(-)
44
45diff --git a/src/core/execute.c b/src/core/execute.c
46index ca40874..b8d1ae4 100644
47--- a/src/core/execute.c
48+++ b/src/core/execute.c
49@@ -1829,11 +1829,11 @@ static int build_environment(
50 our_env[n_env++] = x;
51 }
52
53- /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use D-Bus look up dynamic
54- * users via PID 1, possibly dead-locking the dbus daemon. This way it will not use D-Bus to resolve names, but
55- * check the database directly. */
56- if (p->flags & EXEC_NSS_BYPASS_BUS) {
57- x = strdup("SYSTEMD_NSS_BYPASS_BUS=1");
58+ /* If this is D-Bus, tell the nss-systemd module, since it relies on being able to use blocking
59+ * Varlink calls back to us for look up dynamic users in PID 1. Break the deadlock between D-Bus and
60+ * PID 1 by disabling use of PID1' NSS interface for looking up dynamic users. */
61+ if (p->flags & EXEC_NSS_DYNAMIC_BYPASS) {
62+ x = strdup("SYSTEMD_NSS_DYNAMIC_BYPASS=1");
63 if (!x)
64 return -ENOMEM;
65 our_env[n_env++] = x;
66diff --git a/src/core/execute.h b/src/core/execute.h
67index 4c7a5b8..2a261f3 100644
68--- a/src/core/execute.h
69+++ b/src/core/execute.h
70@@ -348,7 +348,7 @@ typedef enum ExecFlags {
71 EXEC_APPLY_TTY_STDIN = 1 << 2,
72 EXEC_PASS_LOG_UNIT = 1 << 3, /* Whether to pass the unit name to the service's journal stream connection */
73 EXEC_CHOWN_DIRECTORIES = 1 << 4, /* chown() the runtime/state/cache/log directories to the user we run as, under all conditions */
74- EXEC_NSS_BYPASS_BUS = 1 << 5, /* Set the SYSTEMD_NSS_BYPASS_BUS environment variable, to disable nss-systemd for dbus */
75+ EXEC_NSS_DYNAMIC_BYPASS = 1 << 5, /* Set the SYSTEMD_NSS_DYNAMIC_BYPASS environment variable, to disable nss-systemd blocking on PID 1, for use by dbus-daemon */
76 EXEC_CGROUP_DELEGATE = 1 << 6,
77 EXEC_IS_CONTROL = 1 << 7,
78 EXEC_CONTROL_CGROUP = 1 << 8, /* Place the process not in the indicated cgroup but in a subcgroup '/.control', but only EXEC_CGROUP_DELEGATE and EXEC_IS_CONTROL is set, too */
79diff --git a/src/core/service.c b/src/core/service.c
80index 7b90822..debd9d6 100644
81--- a/src/core/service.c
82+++ b/src/core/service.c
83@@ -1569,7 +1569,7 @@ static int service_spawn(
84 return -ENOMEM;
85
86 /* System D-Bus needs nss-systemd disabled, so that we don't deadlock */
87- SET_FLAG(exec_params.flags, EXEC_NSS_BYPASS_BUS,
88+ SET_FLAG(exec_params.flags, EXEC_NSS_DYNAMIC_BYPASS,
89 MANAGER_IS_SYSTEM(UNIT(s)->manager) && unit_has_name(UNIT(s), SPECIAL_DBUS_SERVICE));
90
91 strv_free_and_replace(exec_params.environment, final_env);
diff --git a/debian/patches/series b/debian/patches/series
index deef92d..e0a85c5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -171,3 +171,5 @@ CVE-2021-3997-2.patch
171CVE-2021-3997-3.patch171CVE-2021-3997-3.patch
172lp1946388-sd-journal-don-t-check-namespaces-if-we-have-no-name.patch172lp1946388-sd-journal-don-t-check-namespaces-if-we-have-no-name.patch
173lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch173lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
174lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch
175pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch

Subscribers

People subscribed via source and target branches