Merge ~ubuntu-core-dev/ubuntu/+source/systemd:xnox/fix-v5.15-tests into ubuntu/+source/systemd:ubuntu/focal

Proposed by Dimitri John Ledkov
Status: Superseded
Proposed branch: ~ubuntu-core-dev/ubuntu/+source/systemd:xnox/fix-v5.15-tests
Merge into: ubuntu/+source/systemd:ubuntu/focal
Diff against target: 11294 lines (+10313/-0) (has conflicts)
134 files modified
debian/changelog (+489/-0)
debian/extra/dhclient-enter-resolved-hook (+12/-0)
debian/extra/initramfs-tools/hooks/udev (+6/-0)
debian/extra/rules-ubuntu/40-vm-hotadd.rules (+7/-0)
debian/patches/CVE-2020-13529.patch (+36/-0)
debian/patches/CVE-2021-33910.patch (+61/-0)
debian/patches/CVE-2021-3997-1.patch (+62/-0)
debian/patches/CVE-2021-3997-2.patch (+98/-0)
debian/patches/CVE-2021-3997-3.patch (+262/-0)
debian/patches/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch (+28/-0)
debian/patches/debian/timedatectl-lp1650688.patch (+53/-0)
debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch (+26/-0)
debian/patches/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch (+27/-0)
debian/patches/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch (+344/-0)
debian/patches/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch (+121/-0)
debian/patches/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch (+110/-0)
debian/patches/lp1785383-resolved-address-DVE-2018-0001.patch (+161/-0)
debian/patches/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch (+28/-0)
debian/patches/lp1838329/0002-makefs-log-about-OOM-condition.patch (+33/-0)
debian/patches/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch (+33/-0)
debian/patches/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch (+67/-0)
debian/patches/lp1838329/0005-makefs-lock-device-while-we-operate.patch (+57/-0)
debian/patches/lp1838329/0006-makefs-normalize-logging-a-bit.patch (+39/-0)
debian/patches/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch (+45/-0)
debian/patches/lp1858210/0001-time-simplify-get_timezones.patch (+104/-0)
debian/patches/lp1858210/0002-time-split-get_timezone-into-main-function-and-zone1.patch (+102/-0)
debian/patches/lp1858210/0003-time-get-timezones-from-tzdata.zi.patch (+90/-0)
debian/patches/lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch (+75/-0)
debian/patches/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch (+54/-0)
debian/patches/lp1867375/0001-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch (+97/-0)
debian/patches/lp1867375/0002-test-network-add-a-test-case-for-DHCPv4.UseGateway-n.patch (+56/-0)
debian/patches/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch (+77/-0)
debian/patches/lp1867375/0004-test-modify-add-tests-for-UseRoutes-and-UseGateway-c.patch (+187/-0)
debian/patches/lp1867375/0005-network-honor-SetDNSRoutes-even-if-UseGateway-False.patch (+162/-0)
debian/patches/lp1867375/0006-test-verify-RoutesToDNS-is-independent-of-UseGateway.patch (+74/-0)
debian/patches/lp1873607/0001-core-some-minor-clean-ups-modernizations.patch (+56/-0)
debian/patches/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch (+33/-0)
debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch (+28/-0)
debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch (+73/-0)
debian/patches/lp1875708/journald-rework-pid-change-handling.patch (+218/-0)
debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch (+37/-0)
debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch (+23/-0)
debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch (+39/-0)
debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch (+198/-0)
debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch (+28/-0)
debian/patches/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch (+61/-0)
debian/patches/lp1882596-man-fix-some-manvolnum.patch (+267/-0)
debian/patches/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch (+92/-0)
debian/patches/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch (+32/-0)
debian/patches/lp1891215/0001-fs-util-add-conservative_rename-that-suppresses-unne.patch (+184/-0)
debian/patches/lp1891215/0002-resolved-don-t-update-resolv.conf-snippets-unnecessa.patch (+46/-0)
debian/patches/lp1891215/0003-fs-util-rename-conservative_rename-conservative_rena.patch (+104/-0)
debian/patches/lp1891215/0004-fs-util-make-sure-conservative_renameat-properly-det.patch (+62/-0)
debian/patches/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch (+31/-0)
debian/patches/lp1894622-Add-systemd-resolve-backwards-compatibility-section-.patch (+54/-0)
debian/patches/lp1895418-correct-resolved-conf-cache-default.patch (+18/-0)
debian/patches/lp1897744-resolve-enable-RES_TRUSTAD-towards-the-127.0.0.53-st.patch (+36/-0)
debian/patches/lp1902236-nss-systemd-don-t-synthesize-root-nobody-when-iterat.patch (+39/-0)
debian/patches/lp1902891-core-mount-mount-command-may-fail-after-adding-the-c.patch (+32/-0)
debian/patches/lp1902960-udev-re-assign-ID_NET_DRIVER-ID_NET_LINK_FILE-ID_NET.patch (+84/-0)
debian/patches/lp1903300/0001-network-VXLan-fix-adding-Group-address.patch (+34/-0)
debian/patches/lp1903300/0002-network-VXLan-Add-support-for-remote-address.patch (+44/-0)
debian/patches/lp1903300/0003-networkctl-Add-support-to-display-VXLan-remote-addre.patch (+32/-0)
debian/patches/lp1905044-test-use-cap_last_cap-for-max-supported-cap-number-n.patch (+123/-0)
debian/patches/lp1905245/0001-basic-cap-list-parse-print-numerical-capabilities.patch (+92/-0)
debian/patches/lp1905245/0002-basic-capability-util-let-cap_last_cap-return-unsign.patch (+212/-0)
debian/patches/lp1905245/0003-basic-cap-list-reduce-scope-of-variables.patch (+68/-0)
debian/patches/lp1907306/0001-sd-dhcp-client-don-t-log-timeouts-if-already-expired.patch (+60/-0)
debian/patches/lp1907306/0002-sd-dhcp-client-track-dhcp4-t1-t2-expire-times.patch (+153/-0)
debian/patches/lp1907306/0003-sd-dhcp-client-add-RFC2131-retransmission-details.patch (+63/-0)
debian/patches/lp1907306/0004-sd-dhcp-client-simplify-dhcp4-t1-t2-parsing.patch (+126/-0)
debian/patches/lp1907306/0005-sd-dhcp-client-correct-dhcpv4-renew-rebind-retransmi.patch (+75/-0)
debian/patches/lp1907306/0006-sd-dhcp-client-correct-retransmission-timeout-to-mat.patch (+48/-0)
debian/patches/lp1907306/0007-test-network-increase-wait_online-timeout-to-handle-.patch (+35/-0)
debian/patches/lp1907306/0008-sd-dhcp-client-fix-renew-rebind-timeout-calculation-.patch (+27/-0)
debian/patches/lp1911187-systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch (+43/-0)
debian/patches/lp1913189-test-accept-that-char-device-0-0-can-now-be-created-.patch (+61/-0)
debian/patches/lp1913423-hashmap-make-sure-to-initialize-shared-hash-key-atom.patch (+70/-0)
debian/patches/lp1913763-udev-rules-add-rule-to-create-dev-ptp_hyperv.patch (+22/-0)
debian/patches/lp1914740-network-enable-DHCP-broadcast-flag-if-required-by-in.patch (+148/-0)
debian/patches/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch (+60/-0)
debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch (+24/-0)
debian/patches/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch (+71/-0)
debian/patches/lp1921696/0001-rfkill-improve-error-logging.patch (+121/-0)
debian/patches/lp1921696/0002-rfkill-use-short-writes-and-accept-long-reads.patch (+123/-0)
debian/patches/lp1926547-hwdb-60-keyboard-Update-Dell-Privacy-Micmute-Hotkey-.patch (+35/-0)
debian/patches/lp1928200/0001-shared-add-common-helper-for-unregistering-all-binfm.patch (+82/-0)
debian/patches/lp1928200/0002-shutdown-unregister-all-binfmt_misc-entries-before-e.patch (+36/-0)
debian/patches/lp1928200/0003-binfmt-modernize-code-a-bit.patch (+47/-0)
debian/patches/lp1928200/0004-binfmt-also-unregister-binfmt-entries-from-unit.patch (+120/-0)
debian/patches/lp1928200/0005-man-document-binfmt-s-new-unregister-switch.patch (+34/-0)
debian/patches/lp1929122-network-check-that-received-ifindex-is-valid.patch (+23/-0)
debian/patches/lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch (+169/-0)
debian/patches/lp1930910-hwdb-Add-ProBook-to-use-micmute-hotkey.patch (+29/-0)
debian/patches/lp1931578/0001-network-default-RequiredForOnline-false-if-Activacti.patch (+108/-0)
debian/patches/lp1931578/0002-networkctl-add-field-Required-For-Online.patch (+30/-0)
debian/patches/lp1931578/0003-test-add-test-to-verify-RequiredForOnline-setting-wi.patch (+99/-0)
debian/patches/lp1932352-hwdb-Add-mic-mute-key-mapping-for-HP-Elite-Dragonfly.patch (+25/-0)
debian/patches/lp1933402-udev-Fix-SIGSEGV-in-AlternativeNamesPolicy-handling.patch (+26/-0)
debian/patches/lp1934147/0001-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch (+63/-0)
debian/patches/lp1934147/0002-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch (+56/-0)
debian/patches/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch (+172/-0)
debian/patches/lp1934981-correct-suspend-then-sleep-string.patch (+19/-0)
debian/patches/lp1935051-shared-unit-file-make-sure-the-old-hashmaps-and-sets.patch (+153/-0)
debian/patches/lp1937117/0001-revert-lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch (+151/-0)
debian/patches/lp1937117/0002-avoid-changing-interface-master-if-interface-already-up.patch (+21/-0)
debian/patches/lp1937238-util-return-the-correct-correct-wd-from-inotify-help.patch (+54/-0)
debian/patches/lp1943561-dell-clamshell-accel-location-base-with-sku.patch (+29/-0)
debian/patches/lp1944711-login-filenames-in-run-systemd-users-are-uids.patch (+51/-0)
debian/patches/lp1946388-sd-journal-don-t-check-namespaces-if-we-have-no-name.patch (+29/-0)
debian/patches/lp1948476-pid1-target-units-can-fail-through-dependencies.patch (+51/-0)
debian/patches/lp1952599/0001-virt-Support-detection-for-ARM64-Hyper-V-guests.patch (+24/-0)
debian/patches/lp1952599/0002-virt-Fix-the-detection-for-Hyper-V-VMs.patch (+35/-0)
debian/patches/lp1952733-hwdb-60-keyboard-Update-Dell-Privacy-Micmute-Hotkey-Map.patch (+23/-0)
debian/patches/lp1952735-keymap-Add-microphone-mute-keymap-for-Dell-Machine.patch (+19/-0)
debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch (+30/-0)
debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch (+48/-0)
debian/patches/lp1959475-core-make-sure-we-don-t-get-confused-when-setting-TERM-fo.patch (+34/-0)
debian/patches/lp1966179-add-more-hp-dmi-to-unblock-intel-hid-event.patch (+64/-0)
debian/patches/lp1966800-shared-calendarspec-when-mktime-moves-us-backwards-jump-f.patch (+95/-0)
debian/patches/lp1978079-efi-pstore-not-cleared-on-boot.patch (+48/-0)
debian/patches/lp1979951-network-do-not-remove-localhost-address.patch (+69/-0)
debian/patches/lp1982462-units-remove-the-restart-limit-on-the-modprobe-.service.patch (+33/-0)
debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch (+91/-0)
debian/patches/rm-rf-optionally-fsync-after-removing-directory-tree.patch (+33/-0)
debian/patches/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch (+315/-0)
debian/patches/series (+134/-0)
debian/patches/test-make-test-execute-pass-on-Linux-5.15.patch (+40/-0)
debian/tests/boot-and-services (+19/-0)
debian/tests/boot-smoke (+27/-0)
debian/tests/control (+4/-0)
debian/tests/root-unittests (+11/-0)
debian/tests/systemd-fsckd (+306/-0)
debian/udev.postinst (+6/-0)
Conflict in debian/changelog
Conflict in debian/extra/dhclient-enter-resolved-hook
Conflict in debian/extra/initramfs-tools/hooks/udev
Conflict in debian/extra/rules-ubuntu/40-vm-hotadd.rules
Conflict in debian/patches/series
Conflict in debian/tests/boot-and-services
Conflict in debian/tests/boot-smoke
Conflict in debian/tests/control
Conflict in debian/tests/root-unittests
Conflict in debian/tests/systemd-fsckd
Conflict in debian/udev.postinst
Reviewer Review Type Date Requested Status
git-ubuntu import Pending
Review via email: mp+429490@code.launchpad.net

Commit message

fix tests with v5.15 kernels


Unmerged commits

41adb75... by Dimitri John Ledkov

releasing package systemd version 245.4-4ubuntu3.19

7b3140a... by Dimitri John Ledkov

test: fix test-execute autotest failure with kernel 5.15 (LP: #1975587)

7382329... by Nick Rosbrook

Release systemd 245.4-4ubuntu3.18

c3c3199... by Nick Rosbrook

Update changelog

68353ff... by Nick Rosbrook

units: remove the restart limit on the modprobe@.service (LP: #1982462)

c2da3a5... by Nick Rosbrook

Update changelog

87f872b... by Nick Rosbrook

network: do not remove localhost address (LP: #1979951)

2cddd05... by Nick Rosbrook

pstore: do not try to load mtdpstore (LP: #1981622)

systemd has not been released to focal with the offending commit yet, so
modify the pstore change before it becomes an issue.

Gbp-Dch: ignore

b6fe6f3... by Lukas Märdian

Update changelog

6e60756... by Mustafa Kemal Gilor

d/p/lp1978079-efi-pstore-not-cleared-on-boot.patch: pstore: Run after

modules are loaded. Thanks to Alexander Graf <email address hidden>.
(LP: #1978079)

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 0fcaba3..f29d65a 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,492 @@
6+<<<<<<< debian/changelog
7+=======
8+systemd (245.4-4ubuntu3.19) focal; urgency=medium
9+
10+ * test: fix test-execute autotest failure with kernel 5.15 (LP: #1975587)
11+ File: debian/patches/test-make-test-execute-pass-on-Linux-5.15.patch
12+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7b3140ab5916269c020978ce678f06869a769f5c
13+
14+ -- Dimitri John Ledkov <dimitri.ledkov@canonical.com> Tue, 06 Sep 2022 11:17:21 +0100
15+
16+systemd (245.4-4ubuntu3.18) focal; urgency=medium
17+
18+ [ Nick Rosbrook ]
19+ * core: make sure we don't get confused when setting TERM for a tty fd
20+ (LP: #1959475)
21+ File: debian/patches/lp1959475-core-make-sure-we-don-t-get-confused-when-setting-TERM-fo.patch
22+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b10c6853050dde26665caf3b15444d768d2bc498
23+ * shared/calendarspec: when mktime() moves us backwards, jump forward
24+ (LP: #1966800)
25+ File: debian/patches/lp1966800-shared-calendarspec-when-mktime-moves-us-backwards-jump-f.patch
26+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=1f063541e44f6ff1a6904676d4264a2e49a09594
27+ * network: do not remove localhost address (LP: #1979951)
28+ File: debian/patches/lp1979951-network-do-not-remove-localhost-address.patch
29+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=87f872b8c5451f353601fb606e7fd7a479217cef
30+ * units: remove the restart limit on the modprobe@.service (LP: #1982462)
31+ File: debian/patches/lp1982462-units-remove-the-restart-limit-on-the-modprobe-.service.patch
32+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=68353ffaf3539e6a58ef62a8b50850f56eae29ea
33+
34+ [ Mustafa Kemal Gilor ]
35+ * d/p/lp1978079-efi-pstore-not-cleared-on-boot.patch: pstore: Run after
36+ modules are loaded. Thanks to Alexander Graf <graf@amazon.com>.
37+ (LP: #1978079)
38+ Author: Mustafa Kemal Gilor
39+ File: debian/patches/lp1978079-efi-pstore-not-cleared-on-boot.patch
40+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6e60756f2079d6408abdb967127a1d9b9a0eba8c
41+
42+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 31 Aug 2022 11:27:33 -0400
43+
44+systemd (245.4-4ubuntu3.17) focal; urgency=medium
45+
46+ [ Andy Chi ]
47+ * Add mic mute key support for HP Elite x360 series (LP: #1967038)
48+ Author: Andy Chi
49+ File: debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch
50+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=09cd12b399725d9c766f5a3c979ff6983812c783
51+
52+ [ Jeremy Szu ]
53+ * Add more hp dmi to unblock intel-hid event (LP: #1966179)
54+ Also, add HP EliteBook 630/830 13 inch dmi string to intel-hid allowlist
55+ Author: Jeremy Szu
56+ File: debian/patches/lp1966179-add-more-hp-dmi-to-unblock-intel-hid-event.patch
57+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=7e05409f3f812086c530f5eb49fa381413df6065
58+
59+ -- Lukas Märdian <slyon@ubuntu.com> Thu, 21 Apr 2022 14:54:39 +0200
60+
61+systemd (245.4-4ubuntu3.16) focal; urgency=medium
62+
63+ [ Dan Streetman ]
64+ * d/p/lp1946388-sd-journal-don-t-check-namespaces-if-we-have-no-name.patch:
65+ Avoid journalctl segfault (LP: #1946388)
66+
67+ [ Jeremy Szu ]
68+ * Add a allowlist to unblock intel-hid on new HP machines (LP: #1955997)
69+ Author: Jeremy Szu
70+ File: debian/patches/lp1955997-add-a-allowlist-to-unblock-intel-hid-on-HP-mach.patch
71+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=88a859eaddb6c9a611fcbc44edab441aef4c4355
72+
73+ [ Nick Rosbrook ]
74+ * Prevent arguments from being overwritten with defaults at shutdown (LP: #1958284)
75+ File: debian/patches/lp1958284-core-move-reset_arguments-to-the-end-of-main-s-finish.patch
76+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e61052bd1f20bcc54e7417542c6d445cf5040f56
77+
78+ [ Lukas Märdian ]
79+ * Fix deadlock between pid1 and dbus-daemon (LP: #1871538)
80+ Author: Lukas Märdian
81+ File: debian/patches/pid1-set-SYSTEMD_NSS_DYNAMIC_BYPASS-1-env-var-for-dbus-da.patch
82+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=e3aacfa26e3fc6df369e6f28e740389ae0020907
83+
84+ -- Nick Rosbrook <nick.rosbrook@canonical.com> Wed, 23 Mar 2022 09:29:33 -0400
85+
86+systemd (245.4-4ubuntu3.15) focal-security; urgency=medium
87+
88+ * SECURITY UPDATE: systemd-tmpfiles could be made to crash.
89+ - d/p/rm-rf-refactor-rm-rf-children-split-out-body-of-directory.patch:
90+ Backport upstream patch from PR#20173
91+ - d/p/rm-rf-optionally-fsync-after-removing-directory-tree.patch:
92+ Backport upstream patch required for CVE-2021-3997 patches
93+ - d/p/CVE-2021-3997-1.patch: Backport upstream patch to refactor
94+ rm_rf_children_inner()
95+ - d/p/CVE-2021-3997-2.patch: Backport upstream patch to refactor
96+ rm_rf()
97+ - d/p/CVE-2021-3997-3.patch: Backport upstream patch to loop over
98+ nested directories instead of using recursion
99+ - CVE-2021-3997
100+
101+ -- Alex Murray <alex.murray@canonical.com> Mon, 10 Jan 2022 15:26:38 +1030
102+
103+systemd (245.4-4ubuntu3.14) focal; urgency=medium
104+
105+ [ Lukas Märdian ]
106+ * Allow target units to fail (LP: #1948476)
107+ File: d/p/lp1948476-pid1-target-units-can-fail-through-dependencies.patch
108+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fe0cb0bd66baea89d8bbe47cb47d88540f46d470
109+ * Fix whitespace in lp1926547-hwdb-60-keyboard-Update-Dell-Privacy-Micmute-Hotkey-.patch to match upstream
110+ File: debian/patches/lp1926547-hwdb-60-keyboard-Update-Dell-Privacy-Micmute-Hotkey-.patch
111+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=80fef80a1b018556939011707c4ce00cebc58806
112+ * Support detection for ARM64 Hyper-V guests (LP: #1952599)
113+ Files:
114+ - debian/patches/lp1952599/0001-virt-Support-detection-for-ARM64-Hyper-V-guests.patch
115+ - debian/patches/lp1952599/0002-virt-Fix-the-detection-for-Hyper-V-VMs.patch
116+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=caf3aff933cc7bf21565faba05f78ce78b3196cd
117+
118+ [ Andy Chi ]
119+ * Add privacy micmute hotkey for Dell machine. (LP: #1952733)
120+ File: debian/patches/lp1952733-hwdb-60-keyboard-Update-Dell-Privacy-Micmute-Hotkey-Map.patch
121+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff8dc41f55baa418076e42509ddbf3212a8c1353
122+ * Add microphone mute key for Dell machine. (LP: #1952735)
123+ File: debian/patches/lp1952735-keymap-Add-microphone-mute-keymap-for-Dell-Machine.patch
124+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=175fb4e209fba889b4bcd81cb2ed262923943a3f
125+
126+ [ Yao Wei ]
127+ * Add ACCEL_LOCATION=base property for 6 Dell clamshell models (LP: #1943561)
128+ File: debian/patches/lp1943561-dell-clamshell-accel-location-base-with-sku.patch
129+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=246195d68b2bb0473f4a3f1c2ebe54dfd37f068b
130+
131+ [ Dan Streetman ]
132+ * d/p/lp1944711-login-filenames-in-run-systemd-users-are-uids.patch:
133+ Fix systemd-logind restart loading of existing sessions
134+ (LP: #1944711)
135+
136+ [ Ratchanan Srirattanamet ]
137+ * d/p/debian/timedatectl-lp1650688.patch,
138+ d/p/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch:
139+ Fix timedated unable to retrieve & properly set timezone on
140+ read-only /etc (e.g. Ubuntu Core and system-image-based systems)
141+ (LP: #1650688)
142+
143+ -- Lukas Märdian <slyon@ubuntu.com> Fri, 10 Dec 2021 10:04:02 +0100
144+
145+systemd (245.4-4ubuntu3.13) focal; urgency=medium
146+
147+ * d/p/dell-clamshell-accel-location-base-with-sku.patch:
148+ Revert incorrect patch (LP: #1942899)
149+
150+ -- Dan Streetman <ddstreet@canonical.com> Tue, 07 Sep 2021 14:37:22 -0400
151+
152+systemd (245.4-4ubuntu3.12) focal; urgency=medium
153+
154+ [ Yao Wei ]
155+ * d/p/dell-clamshell-accel-location-base.patch:
156+ Add ACCEL_LOCATION=base property for Dell clamshell models (LP: #1938259)
157+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5c1be33900edee94da0dc9a4ade8edcd079b4c85
158+
159+ [ Lukas Märdian ]
160+ * Add d/p/lp1934221-resolved-disable-event-sources-before-unreffing-them.patch
161+ - Fix segfault in systemd-resolve (LP: #1934221)
162+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6c401900c70962052f56c7108fdc02fe7f84c9bf
163+
164+ [ Simon Chopin ]
165+ * d/p/lp1914740-network-enable-DHCP-broadcast-flag-if-required-by-in.patch:
166+ - Apply upstream patch to fix Hipersocket DHCP mode (LP: #1914740)
167+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=326ae43b7966d9e7c5f7124027185a79a07fa276
168+
169+ [ Dan Streetman ]
170+ * d/p/lp1934981-correct-suspend-then-sleep-string.patch:
171+ Fix sleep verb used by logind during suspend-then-hibernate
172+ (LP: #1934981)
173+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=997f3a7da3d5db22e3c63626c3f7dc3dff0830b0
174+ * d/p/lp1937238-util-return-the-correct-correct-wd-from-inotify-help.patch:
175+ Fix watch for time sync (LP: #1937238)
176+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=dbabff8a03eb232c19174eff1335cd7cb7d7860c
177+ * d/extra/dhclient-enter-resolved-hook:
178+ Reset start limit counter for systemd-resolved in dhclient hook
179+ (LP: #1939255)
180+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9d3a91a0b70a4b2bcc166f366cd0a880fd494812
181+ * d/p/lp1935051-shared-unit-file-make-sure-the-old-hashmaps-and-sets.patch:
182+ Fix memory leak in path cache (LP: #1935051)
183+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=12d6bdeb35f309158fe8d4242c6dd9be4d067604
184+ * d/p/lp1934147/0001-cgroup-do-catchup-for-unit-cgroup-inotify-watch-file.patch,
185+ d/p/lp1934147/0002-core-Make-sure-cgroup_oom_queue-is-flushed-on-manage.patch:
186+ Catchup cgroup inotify watch after reexec/reload (LP: #1934147)
187+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=63eabc88b8e0005eb40b15b543538ce35377bdbd
188+
189+ -- Dan Streetman <ddstreet@canonical.com> Thu, 26 Aug 2021 10:18:02 -0400
190+
191+systemd (245.4-4ubuntu3.11) focal-security; urgency=medium
192+
193+ * d/p/lp1937117/0001-revert-lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch,
194+ d/p/lp1937117/0002-avoid-changing-interface-master-if-interface-already-up.patch:
195+ - Don't change interface master if interface is already up,
196+ due to users expecting previous buggy behavior (LP: #1937117)
197+
198+ -- Dan Streetman <ddstreet@canonical.com> Wed, 21 Jul 2021 15:00:21 -0400
199+
200+systemd (245.4-4ubuntu3.10) focal-security; urgency=medium
201+
202+ * SECURITY UPDATE: DoS via DHCP FORCERENEW
203+ - debian/patches/CVE-2020-13529.patch: tentatively ignore FORCERENEW
204+ command in src/libsystemd-network/sd-dhcp-client.c.
205+ - CVE-2020-13529
206+ * SECURITY UPDATE: denial of service via stack exhaustion
207+ - debian/patches/CVE-2021-33910.patch: do not use strdupa() on a path
208+ in src/basic/unit-name.c.
209+ - CVE-2021-33910
210+
211+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 20 Jul 2021 07:39:51 -0400
212+
213+systemd (245.4-4ubuntu3.8) focal; urgency=medium
214+
215+ [ dann frazier ]
216+ * d/p/lp1933402-udev-Fix-SIGSEGV-in-AlternativeNamesPolicy-handling.patch:
217+ - Fix uninitialized variable that can lead to corrupt network altnames
218+ and/or segmentation faults. (LP: #1933402)
219+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8276cde551b31840b4fc10a2905cda20f7148522
220+
221+ [ Kai-Heng Feng ]
222+ * d/p/hwdb-Add-ProBook-to-use-micmute-hotkey.patch:
223+ - Add ProBook to use micmute hotkey (LP: #1930910)
224+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ab932a977b74aef1351532ab70effb761508b9be
225+
226+ [ Jeremy Szu ]
227+ * d/p/lp1932352-hwdb-Add-mic-mute-key-mapping-for-HP-Elite-Dragonfly.patch:
228+ - Fix micmute hotkeys on HP Elite Dragonfly (LP: #1932352)
229+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6e2b7f998a026235d6551d43548d226c50c8056a
230+
231+ [ Dan Streetman ]
232+ * d/p/lp1931578/0001-network-default-RequiredForOnline-false-if-Activacti.patch,
233+ d/p/lp1931578/0002-networkctl-add-field-Required-For-Online.patch,
234+ d/p/lp1931578/0003-test-add-test-to-verify-RequiredForOnline-setting-wi.patch:
235+ Adjust default for RequiredForOnline when using ActivationPolicy
236+ (LP: #1931578)
237+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=aa2b5015d91037e476ee67d684d7e2d30e616199
238+ * d/extra/dhclient-enter-resolved-hook:
239+ Check is-enabled systemd-resolved in dhclient hook (LP: #1853164)
240+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=52ec2eb2a991cd406d1a94e8301e1b31d2bdb53c
241+ * d/p/lp1928200/0001-shared-add-common-helper-for-unregistering-all-binfm.patch,
242+ d/p/lp1928200/0002-shutdown-unregister-all-binfmt_misc-entries-before-e.patch,
243+ d/p/lp1928200/0003-binfmt-modernize-code-a-bit.patch,
244+ d/p/lp1928200/0004-binfmt-also-unregister-binfmt-entries-from-unit.patch,
245+ d/p/lp1928200/0005-man-document-binfmt-s-new-unregister-switch.patch:
246+ Unregister all binfmts before shutdown (LP: #1928200)
247+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=bc605ba3f0c9d585ef834b35e9bbfc547a6f9eb5
248+ * d/p/lp1894622-Add-systemd-resolve-backwards-compatibility-section-.patch:
249+ Add man page symlink and deprecation notice for systemd-resolve
250+ (LP: #1894622)
251+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=823d20d2c3f78fbb0e68c4fee8cbcdb84e94dcde
252+ * d/p/lp1858210/0001-time-simplify-get_timezones.patch,
253+ d/p/lp1858210/0002-time-split-get_timezone-into-main-function-and-zone1.patch,
254+ d/p/lp1858210/0003-time-get-timezones-from-tzdata.zi.patch:
255+ Parse tzdata.zi so timedatectl list-timezones also lists aliases
256+ (LP: #1858210)
257+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=58a4c698e18f0a7fc0315a0394326e157a2e8479
258+ * d/p/lp1891215/0001-fs-util-add-conservative_rename-that-suppresses-unne.patch,
259+ d/p/lp1891215/0002-resolved-don-t-update-resolv.conf-snippets-unnecessa.patch,
260+ d/p/lp1891215/0003-fs-util-rename-conservative_rename-conservative_rena.patch,
261+ d/p/lp1891215/0004-fs-util-make-sure-conservative_renameat-properly-det.patch:
262+ Don't rewrite resolv.conf is content unchanged (LP: #1891215)
263+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=563e24f303462dfefd85b77051e742eb712a520c
264+
265+ -- Dan Streetman <ddstreet@canonical.com> Tue, 06 Jul 2021 14:33:09 -0400
266+
267+systemd (245.4-4ubuntu3.7) focal; urgency=medium
268+
269+ [ Andy Chi ]
270+ * debian/patches/lp1926547-hwdb-60-keyboard-Update-Dell-Privacy-Local-Mic-Mute-.patch
271+ - Apply upstream patch to correct key and device mapping.
272+ (LP: #1926547)
273+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=62c3ce6d6b2cab762b24aa610d6d135a67bdd76a
274+
275+ [ Dan Streetman ]
276+ * d/p/lp1921696/0001-rfkill-improve-error-logging.patch,
277+ d/p/lp1921696/0002-rfkill-use-short-writes-and-accept-long-reads.patch:
278+ Handle rfkill api change in kernel 5.10 (LP: #1921696)
279+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff0c23ba4fbcfa7f68e98adb6d62798ce54ca1da
280+ * d/p/lp1929122-network-check-that-received-ifindex-is-valid.patch:
281+ Check if ifindex is valid (LP: #1929122)
282+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=6378191818bc7d169b657e6f7a2b50cfddb4275e
283+ * d/p/lp1929560-network-move-set-MAC-and-set-nomaster-operations-out.patch:
284+ Move link mac and master config out of link_up() (LP: #1929560)
285+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=28cff7ee02a9ebd4ab93026af9fceaa2283725b3
286+ * d/p/lp1902891-core-mount-mount-command-may-fail-after-adding-the-c.patch:
287+ Handle failed mount command (LP: #1902891)
288+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b425189a483d7455db870b0ec5b2443c0eea7d76
289+ * d/p/resolved-Mitigate-DVE-2018-0001-by-retrying-NXDOMAIN-with.patch,
290+ d/p/lp1880258-log-nxdomain-as-debug.patch,
291+ d/p/lp1785383-resolved-address-DVE-2018-0001.patch:
292+ - Use upstream patch for DVE-2018-0001 handling (LP: #1785383)
293+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ec45ebfee362ad3e429642f7519e8b88f16dc221
294+
295+ [ Łukasz 'sil2100' Zemczak ]
296+ * d/p/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch,
297+ d/p/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch,
298+ d/p/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch:
299+ - add support for configuring the activation policy for an interface
300+ (LP: #1664844)
301+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=94f7b72d8128c743f35b308101a87d2c53a4074c
302+
303+ -- Dan Streetman <ddstreet@canonical.com> Thu, 27 May 2021 11:16:17 -0400
304+
305+systemd (245.4-4ubuntu3.6) focal; urgency=medium
306+
307+ * debian/patches/lp1916485-Newer-Glibc-use-faccessat2-to-implement-faccessat.patch:
308+ Add support for faccessat2 (LP: #1916485)
309+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=affb2c6507dccfeed02820a2267639648e2a2260
310+ * d/p/lp1918696-shared-seccomp-util-address-family-filtering-is-brok.patch:
311+ Stop attempting to restrict address families on ppc archs
312+ (LP: #1918696)
313+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=daff4b6604362fcb5d305682216d5ca15a4c5738
314+ * d/p/lp1891810-seccomp-util-add-new-syscalls-from-kernel-5.6-to-sys.patch:
315+ Add openat2() syscall to seccomp filter list
316+ (LP: #1891810)
317+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=69c8a684e2513b2f6530e5a5cf15c83abfb7bc74
318+ * d/p/lp1915887-Downgrade-a-couple-of-warnings-to-debug.patch:
319+ Downgrade some log messages so they stop spamming logs
320+ (LP: #1915887)
321+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3c2c4731b90ed430ca1790270e69cd125643b94b
322+ * d/p/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch:
323+ Use src name, not dst name, of symlinked unit files (LP: #1887744)
324+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=03770601097cfdc09adeadf5593083da69345409
325+
326+ -- Dan Streetman <ddstreet@canonical.com> Wed, 17 Mar 2021 17:36:08 -0400
327+
328+systemd (245.4-4ubuntu3.5) focal; urgency=medium
329+
330+ [ Ioanna Alifieraki ]
331+ * d/p/lp1911187-systemctl-do-not-shutdown-immediately-on-scheduled-shutdo.patch:
332+ Do not shutdown immediately when scheduled shutdown fails (LP: #1911187)
333+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3899c9d5c171e84fc503c6ab46aea7cc9def7235
334+
335+ [ Dimitri John Ledkov ]
336+ * d/p/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch:
337+ meson: initialize time-epoch to reproducible builds compatible value
338+ (LP: #1878969)
339+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=84212797d21ed08031e1d71fe5e118bdd9873c0f
340+
341+ [ Dan Streetman ]
342+ * d/p/lp1913189-test-accept-that-char-device-0-0-can-now-be-created-.patch:
343+ - Fix failing test case under 5.8 kernel (LP: #1913189)
344+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=782a382017ce188dbf9a40adabd265943d7db119
345+ * d/p/lp1913423-hashmap-make-sure-to-initialize-shared-hash-key-atom.patch:
346+ Thread-safe init of hashmap shared key (LP: #1913423)
347+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=fc8dde7c4b1944d1583866f61c2314174b4dd06a
348+ * d/p/lp1902236-nss-systemd-don-t-synthesize-root-nobody-when-iterat.patch:
349+ Don't synthesize root/nobody when iterating (LP: #1902236)
350+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=4d20e415ecd5b0fd032b4cf45bd9fd344cc434ac
351+ * d/p/debian/patches/lp1880258-log-nxdomain-as-debug.patch:
352+ Change NXDOMAIN 'errors' to log level debug (LP: #1880258)
353+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=80163a2097aa876fe73b6071495ae4ad8749d04e
354+ * d/p/lp1913763-udev-rules-add-rule-to-create-dev-ptp_hyperv.patch:
355+ Create symlink for hyperv-provided ptp device (LP: #1913763)
356+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=b02053da2ff3fee6221bd8310488af0f52b140f1
357+
358+ -- Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com> Tue, 23 Feb 2021 00:18:57 +0000
359+
360+systemd (245.4-4ubuntu3.4) focal; urgency=medium
361+
362+ * d/p/lp1905245/0001-basic-cap-list-parse-print-numerical-capabilities.patch,
363+ d/p/lp1905245/0002-basic-capability-util-let-cap_last_cap-return-unsign.patch,
364+ d/p/lp1905245/0003-basic-cap-list-reduce-scope-of-variables.patch:
365+ - print number of unknown capabilities instead of failing
366+ (LP: #1905245)
367+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5cd98102e16a6e4acc1444b10db3308d87930933
368+ * d/p/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch:
369+ Add EliteBook to use micmute hotkey (LP: #1890448)
370+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=238c8c1a7b9d75f69bdeafb1d55f1faf00acb063
371+ * d/extra/dhclient-enter-resolved-hook:
372+ suppress output of cmp command in dhclient hook (LP: #1878955)
373+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=83df4fc182f8ffe87256f5d7c4b49cee5192529a
374+ * d/p/lp1905044-test-use-cap_last_cap-for-max-supported-cap-number-n.patch:
375+ test: use cap_last_cap() instead of capability_list_length()
376+ (LP: #1905044)
377+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ff21f41e624d9e603f3be463846ce981a433842a
378+ * d/p/lp1903300/0001-network-VXLan-fix-adding-Group-address.patch,
379+ d/p/lp1903300/0002-network-VXLan-Add-support-for-remote-address.patch,
380+ d/p/lp1903300/0003-networkctl-Add-support-to-display-VXLan-remote-addre.patch:
381+ set vxlan multicast group when specified (LP: #1903300)
382+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9deff4b7c5495dbe738561ca47daf3756df9fcde
383+ * d/p/lp1907306/0001-sd-dhcp-client-don-t-log-timeouts-if-already-expired.patch,
384+ d/p/lp1907306/0002-sd-dhcp-client-track-dhcp4-t1-t2-expire-times.patch,
385+ d/p/lp1907306/0003-sd-dhcp-client-add-RFC2131-retransmission-details.patch,
386+ d/p/lp1907306/0004-sd-dhcp-client-simplify-dhcp4-t1-t2-parsing.patch,
387+ d/p/lp1907306/0005-sd-dhcp-client-correct-dhcpv4-renew-rebind-retransmi.patch,
388+ d/p/lp1907306/0006-sd-dhcp-client-correct-retransmission-timeout-to-mat.patch,
389+ d/p/lp1907306/0007-test-network-increase-wait_online-timeout-to-handle-.patch,
390+ d/p/lp1907306/0008-sd-dhcp-client-fix-renew-rebind-timeout-calculation-.patch:
391+ Send correct number of dhcpv4 renew and rebind requests
392+ (LP: #1907306)
393+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a73c51d0df284dcc38e6924d40eed810554bab2e
394+ * d/p/lp1902960-udev-re-assign-ID_NET_DRIVER-ID_NET_LINK_FILE-ID_NET.patch:
395+ Run net_setup_link on 'change' uevents (LP: #1902960)
396+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ec7ba2358aa68d8d6276ed56ef91caafc287cecf
397+ * d/t/root-unittests:
398+ Remove any corrupt journal files (LP: #1881947)
399+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=5481fececdb3cb35ca7118598cad537681b5ff14
400+
401+ -- Dan Streetman <ddstreet@canonical.com> Wed, 06 Jan 2021 15:47:39 -0500
402+
403+systemd (245.4-4ubuntu3.3) focal; urgency=medium
404+
405+ [ Rafael David Tinoco ]
406+ * d/p/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch:
407+ Reworded and reintroduced patch to fully explain delta is NOT a fix to
408+ LP: #1861941 if the bcache-tools patch exists, but should be kept anyway
409+ as the change makes sense for a better experience to end user.
410+ (LP: #1861941)
411+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f8f64b3b58a04a83b1c426818b9affc41e0bff6c
412+
413+ [ Dan Streetman ]
414+ * d/p/lp1882596-man-fix-some-manvolnum.patch:
415+ - fix some man section references (LP: #1882596)
416+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3959ec95eff78d38ec4409807f151572afe83fe9
417+ * d/p/lp1895418-correct-resolved-conf-cache-default.patch:
418+ - fix resolved.conf default Cache= value (LP: #1895418)
419+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ebe274a2b01658ee39b372d7033c35209510b028
420+ * d/p/lp1897744-resolve-enable-RES_TRUSTAD-towards-the-127.0.0.53-st.patch:
421+ - add resolv.conf 'trust-ad' option (LP: #1897744)
422+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f6acc8c620b80adab7b048352d85e722b5ba8214
423+ * d/t/*:
424+ - Update tests to fix false negatives (LP: #1892358)
425+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cee6c31a6caec7888270c9fa8757105ab950ed0c
426+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a1c1a2bb0ff27faf84fe94583631dfd0f1f4ed8f
427+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9417ce996766c133c2a33d4102ce1494f3166774
428+
429+ -- Dan Streetman <ddstreet@canonical.com> Thu, 08 Oct 2020 16:14:56 -0400
430+
431+systemd (245.4-4ubuntu3.2) focal; urgency=medium
432+
433+ [ Dan Streetman ]
434+ * Hotadd only offline memory and CPUs (LP: #1876018)
435+ File: debian/extra/rules-ubuntu/40-vm-hotadd.rules
436+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=72d815471596056b7727be5b10f87513ff1d5757
437+ * Lock swap blockdevice while calling mkswap (LP: #1838329)
438+ Files:
439+ - d/p/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch
440+ - d/p/lp1838329/0002-makefs-log-about-OOM-condition.patch
441+ - d/p/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch
442+ - d/p/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch
443+ - d/p/lp1838329/0005-makefs-lock-device-while-we-operate.patch
444+ - d/p/lp1838329/0006-makefs-normalize-logging-a-bit.patch
445+ - d/p/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch
446+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=c81b75c4297cbb04554488b070b6f79996b8cceb
447+
448+ [ Balint Reczey ]
449+ * debian/udev.postinst: Allow kvm to be an already present non-system group
450+ (LP: #1880541)
451+ File: debian/udev.postinst
452+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=8b5c31828d4323ddb719326b1316c179b7cdbdef
453+ * d/p/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch:
454+ hwdb: Mask rfkill event from intel-hid on HP platforms
455+ (LP: #1883846)
456+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=164c016b466210c7d6d05963fd753eccf4679844
457+ * journald: stream pid change newline fix (LP: #1875708)
458+ Files:
459+ - debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch
460+ - debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch
461+ - debian/patches/lp1875708/journald-rework-pid-change-handling.patch
462+ - debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch
463+ - debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch
464+ - debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch
465+ - debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch
466+ - debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch
467+ https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=2dc19f7ae4aad7277e9d89849182453ff1d046dc
468+
469+ -- Dan Streetman <ddstreet@canonical.com> Mon, 06 Jul 2020 17:38:31 -0400
470+
471+systemd (245.4-4ubuntu3.1) focal; urgency=medium
472+
473+ * d/p/lp1867375/0001-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch,
474+ d/p/lp1867375/0002-test-network-add-a-test-case-for-DHCPv4.UseGateway-n.patch,
475+ d/p/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch,
476+ d/p/lp1867375/0004-test-modify-add-tests-for-UseRoutes-and-UseGateway-c.patch,
477+ d/p/lp1867375/0005-network-honor-SetDNSRoutes-even-if-UseGateway-False.patch,
478+ d/p/lp1867375/0006-test-verify-RoutesToDNS-is-independent-of-UseGateway.patch:
479+ - Add UseGateway= parameter and default to value of UseRoutes, to restore
480+ backwards compatibility with old UseRoutes= behavior (LP: #1867375)
481+ * d/p/lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch:
482+ - default ignore_carrier_loss to value of configure_without_carrier,
483+ so carrier drop during configuration doesn't break networking
484+ (LP: #1860926)
485+ * d/e/initramfs-tools/hooks/udev:
486+ - Follow symlinks when finding link files to copy into initramfs
487+ (LP: #1868892)
488+ * d/p/lp1873607/0001-core-some-minor-clean-ups-modernizations.patch,
489+ d/p/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch:
490+ - Avoid segfault during serialization (LP: #1873607)
491+
492+ -- Dan Streetman <ddstreet@canonical.com> Thu, 07 May 2020 09:21:22 -0400
493+
494+>>>>>>> debian/changelog
495 systemd (245.4-4ubuntu3) focal; urgency=medium
496
497 * dhcp: Allow setting request options again
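diff --git a/debian/extra/dhclient-enter-resolved-hook b/debian/extra/dhclient-enter-resolved-hook
index ebbb31f..a0578bf 100755
--- a/debian/extra/dhclient-enter-resolved-hook
+++ b/debian/extra/dhclient-enter-resolved-hook
@@ -14,7 +14,11 @@
 # (D) = master script downs interface
 # (-) = master script does nothing with this
 
+<<<<<<< debian/extra/dhclient-enter-resolved-hook
 if [ -x /lib/systemd/systemd-resolved ] ; then
+=======
+if systemctl is-enabled systemd-resolved > /dev/null 2>&1; then
+>>>>>>> debian/extra/dhclient-enter-resolved-hook
 # For safety, first undefine the nasty default make_resolv_conf()
 make_resolv_conf() { : ; }
 case "$reason" in
@@ -56,7 +60,15 @@ EOF
 
 newstate="$(mktemp)"
 md5sum $statedir/isc-dhcp-v4-$interface.conf $statedir/isc-dhcp-v6-$interface.conf > $newstate 2> /dev/null
+<<<<<<< debian/extra/dhclient-enter-resolved-hook
 if ! cmp $oldstate $newstate; then
+=======
+ if ! cmp --quiet $oldstate $newstate; then
+ # We need to reset-failed to reset the start limit counter,
+ # in case we're processing more than StartLimitBurst interfaces
+ # LP: #1939255
+ systemctl reset-failed systemd-resolved.service
+>>>>>>> debian/extra/dhclient-enter-resolved-hook
 systemctl try-reload-or-restart systemd-resolved.service
 fi
 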
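Review bot: The added `systemctl reset-failed systemd-resolved.service` in the second hunk clears the unit's start rate limit on every lease event whose state files differ, so the only remaining throttle on restarts of systemd-resolved from this hook is the `cmp` comparison. The existing comment explains why the counter is reset (LP: #1939255) but not that this gives up StartLimitBurst protection on this path; I would add `# NOTE: this bypasses the unit's start rate limit; restarts are bounded only by the state-file comparison above`. The new `cmp --quiet $oldstate $newstate` also leaves both expansions unquoted; `if ! cmp --quiet "$oldstate" "$newstate"; then` is the safer form in a hook sourced by dhclient. The enclosing `if` and `case` blocks start and end outside both hunks.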
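diff --git a/debian/extra/initramfs-tools/hooks/udev b/debian/extra/initramfs-tools/hooks/udev
index 854a216..2152f2d 100755
--- a/debian/extra/initramfs-tools/hooks/udev
+++ b/debian/extra/initramfs-tools/hooks/udev
@@ -22,9 +22,15 @@ cp -p /etc/udev/udev.conf "$DESTDIR/etc/udev/"
 
 # copy .link files containing interface naming definitions
 mkdir -p "$DESTDIR/lib/systemd/network/"
+<<<<<<< debian/extra/initramfs-tools/hooks/udev
 find /lib/systemd/network -name '*.link' -execdir cp -pt "$DESTDIR/lib/systemd/network/" '{}' +
 if [ -d /etc/systemd/network ]; then
 find /etc/systemd/network -name '*.link' -execdir cp -pt "$DESTDIR/lib/systemd/network/" '{}' +
+=======
+find -L /lib/systemd/network -name '*.link' -execdir cp -pt "$DESTDIR/lib/systemd/network/" '{}' +
+if [ -d /etc/systemd/network ]; then
+ find -L /etc/systemd/network -name '*.link' -execdir cp -pt "$DESTDIR/lib/systemd/network/" '{}' +
+>>>>>>> debian/extra/initramfs-tools/hooks/udev
 fi
 
 mkdir -p "$DESTDIR/lib/udev/rules.d/"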
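Review bot: With `-L` and no depth limit, the two added `find` calls now also descend through any symlinked directory below the network directories, and every `*.link` name found at any depth is copied into the single flat `$DESTDIR/lib/systemd/network/`. If only top-level .link files are meant to reach the initramfs (worth confirming against how udev reads this directory), bound the walk: `find -L /etc/systemd/network -maxdepth 1 -name '*.link' -execdir cp -pt "$DESTDIR/lib/systemd/network/" '{}' +`, and likewise for `/lib/systemd/network`. The rest of the hook, including any shell options that decide whether a failing `cp` aborts it, is outside this hunk.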
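diff --git a/debian/extra/rules-ubuntu/40-vm-hotadd.rules b/debian/extra/rules-ubuntu/40-vm-hotadd.rules
index 62a5a62..04cbf05 100644
--- a/debian/extra/rules-ubuntu/40-vm-hotadd.rules
+++ b/debian/extra/rules-ubuntu/40-vm-hotadd.rules
@@ -6,9 +6,16 @@ GOTO="vm_hotadd_end"
 LABEL="vm_hotadd_apply"
 
 # Memory hotadd request
+<<<<<<< debian/extra/rules-ubuntu/40-vm-hotadd.rules
 SUBSYSTEM=="memory", ACTION=="add", DEVPATH=="/devices/system/memory/memory[0-9]*", TEST=="state", ATTR{state}="online"
 
 # CPU hotadd request
 SUBSYSTEM=="cpu", ACTION=="add", DEVPATH=="/devices/system/cpu/cpu[0-9]*", TEST=="online", ATTR{online}="1"
+=======
+SUBSYSTEM=="memory", ACTION=="add", DEVPATH=="/devices/system/memory/memory[0-9]*", TEST=="state", ATTR{state}!="online", ATTR{state}="online"
+
+# CPU hotadd request
+SUBSYSTEM=="cpu", ACTION=="add", DEVPATH=="/devices/system/cpu/cpu[0-9]*", TEST=="online", ATTR{online}!="1", ATTR{online}="1"
+>>>>>>> debian/extra/rules-ubuntu/40-vm-hotadd.rules
 
 LABEL="vm_hotadd_end"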
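Review bot: Both rewritten rules place a match (`ATTR{state}!="online"`, `ATTR{online}!="1"`) directly before an assignment to the same attribute, and nothing in the file says why. A reader can take the pair for a typo and drop the match. I would extend the two existing comments, e.g. `# Memory hotadd request: only write "online" when the block is not already online` and the equivalent for the CPU rule. The conditions that jump to `vm_hotadd_apply` are outside this hunk.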
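diff --git a/debian/patches/CVE-2020-13529.patch b/debian/patches/CVE-2020-13529.patch
new file mode 100644
index 0000000..655490d
--- /dev/null
+++ b/debian/patches/CVE-2020-13529.patch
@@ -0,0 +1,36 @@
+From 38e980a6a5a3442c2f48b1f827284388096d8ca5 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 24 Jun 2021 01:22:07 +0900
+Subject: [PATCH] sd-dhcp-client: tentatively ignore FORCERENEW command
+
+This makes DHCP client ignore FORCERENEW requests, as unauthenticated
+FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).
+
+Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
+and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.
+
+Fixes #16774.
+---
+ src/libsystemd-network/sd-dhcp-client.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/libsystemd-network/sd-dhcp-client.c
++++ b/src/libsystemd-network/sd-dhcp-client.c
+@@ -1414,9 +1414,17 @@ static int client_handle_forcerenew(sd_d
+ if (r != DHCP_FORCERENEW)
+ return -ENOMSG;
+
++#if 0
+ log_dhcp_client(client, "FORCERENEW");
+
+ return 0;
++#else
++ /* FIXME: Ignore FORCERENEW requests until we implement RFC3118 (Authentication for DHCP
++ * Messages) and/or RFC6704 (Forcerenew Nonce Authentication), as unauthenticated FORCERENEW
++ * requests causes a security issue (TALOS-2020-1142, CVE-2020-13529). */
++ log_dhcp_client(client, "Received FORCERENEW, ignoring.");
++ return -ENOMSG;
++#endif
+ }
+
+ static bool lease_equal(const sd_dhcp_lease *a, const sd_dhcp_lease *b) {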
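diff --git a/debian/patches/CVE-2021-33910.patch b/debian/patches/CVE-2021-33910.patch
new file mode 100644
index 0000000..619ae4d
--- /dev/null
+++ b/debian/patches/CVE-2021-33910.patch
@@ -0,0 +1,61 @@
+Backport of:
+
+From 441e0115646d54f080e5c3bb0ba477c892861ab9 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Wed, 23 Jun 2021 11:46:41 +0200
+Subject: [PATCH 1/2] basic/unit-name: do not use strdupa() on a path
+
+The path may have unbounded length, for example through a fuse mount.
+
+CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
+ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
+and each mountpoint is passed to mount_setup_unit(), which calls
+unit_name_path_escape() underneath. A local attacker who is able to mount a
+filesystem with a very long path can crash systemd and the whole system.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1970887
+
+The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
+can't easily check the length after simplification before doing the
+simplification, which in turns uses a copy of the string we can write to.
+So we can't reject paths that are too long before doing the duplication.
+Hence the most obvious solution is to switch back to strdup(), as before
+7410616cd9dbbec97cf98d75324da5cda2b2f7a2.
+---
+ src/basic/unit-name.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/src/basic/unit-name.c
++++ b/src/basic/unit-name.c
+@@ -369,12 +369,13 @@ int unit_name_unescape(const char *f, ch
+ }
+
+ int unit_name_path_escape(const char *f, char **ret) {
+- char *p, *s;
++ _cleanup_free_ char *p = NULL;
++ char *s;
+
+ assert(f);
+ assert(ret);
+
+- p = strdupa(f);
++ p = strdup(f);
+ if (!p)
+ return -ENOMEM;
+
+@@ -386,13 +387,9 @@ int unit_name_path_escape(const char *f,
+ if (!path_is_normalized(p))
+ return -EINVAL;
+
+- /* Truncate trailing slashes */
++ /* Truncate trailing slashes and skip leading slashes */
+ delete_trailing_chars(p, "/");
+-
+- /* Truncate leading slashes */
+- p = skip_leading_chars(p, "/");
+-
+- s = unit_name_escape(p);
++ s = unit_name_escape(skip_leading_chars(p, "/"));
+ }
+ if (!s)
+ return -ENOMEM;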
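Review bot: `p` is now `_cleanup_free_`, so it has to keep pointing at the start of the strdup() allocation until scope exit, and no comment says so. That is why the second hunk folds `skip_leading_chars(p, "/")` into the `unit_name_escape()` call instead of assigning it back to `p`. I would add above the declaration `/* p is freed on scope exit: never advance it, pass the skipped pointer on instead */`, since re-introducing `p = skip_leading_chars(p, "/")` would hand free() an interior pointer. Only unit_name_path_escape() is shown and its body continues past the second hunk; other strdupa()/alloca() uses on path-derived input in this file, if any, are not visible here and are worth a grep.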
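diff --git a/debian/patches/CVE-2021-3997-1.patch b/debian/patches/CVE-2021-3997-1.patch
new file mode 100644
index 0000000..cafd86a
--- /dev/null
+++ b/debian/patches/CVE-2021-3997-1.patch
@@ -0,0 +1,62 @@
+Backport of the following upstream commit:
+From fbb77e1e55866633c9f064e2b3bcf2b6402d962d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Nov 2021 15:55:45 +0100
+Subject: [PATCH 1/3] shared/rm_rf: refactor rm_rf_children_inner() to shorten
+ code a bit
+
+---
+ src/basic/rm-rf.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -34,7 +34,7 @@
+ const struct stat *root_dev) {
+
+ struct stat st;
+- int r;
++ int r, q = 0;
+
+ assert(fd >= 0);
+ assert(fname);
+@@ -50,7 +50,6 @@
+
+ if (is_dir) {
+ _cleanup_close_ int subdir_fd = -1;
+- int q;
+
+ /* if root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+@@ -86,23 +85,15 @@
+ * again for each directory */
+ q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
+
+- r = unlinkat(fd, fname, AT_REMOVEDIR);
+- if (r < 0)
+- return r;
+- if (q < 0)
+- return q;
+-
+- return 1;
+-
+- } else if (!(flags & REMOVE_ONLY_DIRECTORIES)) {
+- r = unlinkat(fd, fname, 0);
+- if (r < 0)
+- return r;
+-
+- return 1;
+- }
++ } else if (flags & REMOVE_ONLY_DIRECTORIES)
++ return 0;
+
+- return 0;
++ r = unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0);
++ if (r < 0)
++ return r;
++ if (q < 0)
++ return q;
++ return 1;
+ }
+
+ int rm_rf_children(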
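Review bot: The consolidated tail `r = unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0); if (r < 0) return r;` returns the raw libc result, which is -1 rather than a negative errno, unless `unlinkat` is wrapped somewhere outside this patch. Callers would then see every failure as -1 (the value of -EPERM on Linux), and a check such as `r != -ENOENT` could never match for a file that disappeared concurrently. I would write `if (unlinkat(fd, fname, is_dir ? AT_REMOVEDIR : 0) < 0) return -errno;`. The same pattern appears in CVE-2021-3997-3.patch, where `r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);` is followed by `r != -ENOENT`. Most of the function's signature and its opening lines are outside these hunks.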
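diff --git a/debian/patches/CVE-2021-3997-2.patch b/debian/patches/CVE-2021-3997-2.patch
new file mode 100644
index 0000000..dc81539
--- /dev/null
+++ b/debian/patches/CVE-2021-3997-2.patch
@@ -0,0 +1,98 @@
+Backport of the following upstream commit:
+From bd0127daaaae009ade053718f7d2f297aee4acaf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 23 Nov 2021 16:56:42 +0100
+Subject: [PATCH 2/3] shared/rm_rf: refactor rm_rf() to shorten code a bit
+
+---
+ src/basic/rm-rf.c | 53 ++++++++++++++++++++--------------------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -159,7 +159,7 @@
+ }
+
+ int rm_rf(const char *path, RemoveFlags flags) {
+- int fd, r;
++ int fd, r, q = 0;
+
+ assert(path);
+
+@@ -191,49 +191,47 @@
+ }
+
+ fd = open(path, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+- if (fd < 0) {
++ if (fd >= 0) {
++ /* We have a dir */
++ r = rm_rf_children(fd, flags, NULL);
++
++ if (FLAGS_SET(flags, REMOVE_ROOT)) {
++ q = rmdir(path);
++ if (q < 0)
++ q = -errno;
++ }
++ } else {
+ if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
+ return 0;
+
+ if (!IN_SET(errno, ENOTDIR, ELOOP))
+ return -errno;
+
+- if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES))
++ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES) || !FLAGS_SET(flags, REMOVE_ROOT))
+ return 0;
+
+- if (FLAGS_SET(flags, REMOVE_ROOT)) {
+-
+- if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
+- struct statfs s;
+-
+- if (statfs(path, &s) < 0)
+- return -errno;
+- if (is_physical_fs(&s))
+- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+- "Attempted to remove files from a disk file system under \"%s\", refusing.",
+- path);
+- }
+-
+- if (unlink(path) < 0) {
+- if (FLAGS_SET(flags, REMOVE_MISSING_OK) && errno == ENOENT)
+- return 0;
++ if (!FLAGS_SET(flags, REMOVE_PHYSICAL)) {
++ struct statfs s;
+
++ if (statfs(path, &s) < 0)
+ return -errno;
+- }
++ if (is_physical_fs(&s))
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove files from a disk file system under \"%s\", refusing.",
++ path);
+ }
+
+- return 0;
++ r = 0;
++ q = unlink(path);
++ if (q < 0)
++ q = -errno;
+ }
+
+- r = rm_rf_children(fd, flags, NULL);
+-
+- if (FLAGS_SET(flags, REMOVE_ROOT) &&
+- rmdir(path) < 0 &&
+- r >= 0 &&
+- (!FLAGS_SET(flags, REMOVE_MISSING_OK) || errno != ENOENT))
+- r = -errno;
+-
+- return r;
++ if (r < 0)
++ return r;
++ if (q < 0 && (q != -ENOENT || !FLAGS_SET(flags, REMOVE_MISSING_OK)))
++ return q;
++ return 0;
+ }
+
+ int rm_rf_child(int fd, const char *name, RemoveFlags flags) {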
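Review bot: After the fd-based walk the root entry is still handled by name: `q = rmdir(path)` in the directory branch, and `statfs(path, &s)` followed by `q = unlink(path)` in the other. What is checked and removed is therefore whatever `path` resolves to at that moment, not necessarily the object opened with O_NOFOLLOW a few lines earlier. This is carried over from the old code rather than introduced here, but the refactor is a good place to document it, e.g. `/* NOTE: the root is re-resolved by name here, not via fd; only safe when the parent directory is trusted */`. `statfs()` also follows a final symlink, so in the ELOOP case the is_physical_fs() check presumably applies to the link target's file system rather than the link's. The part of rm_rf() between the two hunks is not shown.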
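diff --git a/debian/patches/CVE-2021-3997-3.patch b/debian/patches/CVE-2021-3997-3.patch
new file mode 100644
index 0000000..c4e1efd
--- /dev/null
+++ b/debian/patches/CVE-2021-3997-3.patch
@@ -0,0 +1,262 @@
+Backport of the following upstream commit:
+From bef8e8e577368697b2e6f85183b1dbc99e0e520f Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Tue, 30 Nov 2021 22:29:05 +0100
+Subject: [PATCH 3/3] shared/rm-rf: loop over nested directories instead of
+ instead of recursing
+
+To remove directory structures, we need to remove the innermost items first,
+and then recursively remove higher-level directories. We would recursively
+descend into directories and invoke rm_rf_children and rm_rm_children_inner.
+This is problematic when too many directories are nested.
+
+Instead, let's create a "TODO" queue. In the the queue, for each level we
+hold the DIR* object we were working on, and the name of the directory. This
+allows us to leave a partially-processed directory, and restart the removal
+loop one level down. When done with the inner directory, we use the name to
+unlinkat() it from the parent, and proceed with the removal of other items.
+
+Because the nesting is increased by one level, it is best to view this patch
+with -b/--ignore-space-change.
+
+This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
+The issue was reported and patches reviewed by Qualys Team.
+Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.
+---
+ src/basic/rm-rf.c | 161 +++++++++++++++++++++++++++++++--------------
+ 1 file changed, 113 insertions(+), 48 deletions(-)
+
+--- a/src/basic/rm-rf.c
++++ b/src/basic/rm-rf.c
+@@ -26,12 +26,13 @@
+ return !is_temporary_fs(sfs) && !is_cgroup_fs(sfs);
+ }
+
+-static int rm_rf_children_inner(
++static int rm_rf_inner_child(
+ int fd,
+ const char *fname,
+ int is_dir,
+ RemoveFlags flags,
+- const struct stat *root_dev) {
++ const struct stat *root_dev,
++ bool allow_recursion) {
+
+ struct stat st;
+ int r, q = 0;
+@@ -49,9 +50,7 @@
+ }
+
+ if (is_dir) {
+- _cleanup_close_ int subdir_fd = -1;
+-
+- /* if root_dev is set, remove subdirectories only if device is same */
++ /* If root_dev is set, remove subdirectories only if device is same */
+ if (root_dev && st.st_dev != root_dev->st_dev)
+ return 0;
+
+@@ -63,7 +62,6 @@
+ return 0;
+
+ if ((flags & REMOVE_SUBVOLUME) && st.st_ino == 256) {
+-
+ /* This could be a subvolume, try to remove it */
+
+ r = btrfs_subvol_remove_fd(fd, fname, BTRFS_REMOVE_RECURSIVE|BTRFS_REMOVE_QUOTA);
+@@ -77,13 +75,16 @@
+ return 1;
+ }
+
+- subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (!allow_recursion)
++ return -EISDIR;
++
++ int subdir_fd = openat(fd, fname, O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
+ if (subdir_fd < 0)
+ return -errno;
+
+ /* We pass REMOVE_PHYSICAL here, to avoid doing the fstatfs() to check the file system type
+ * again for each directory */
+- q = rm_rf_children(TAKE_FD(subdir_fd), flags | REMOVE_PHYSICAL, root_dev);
++ q = rm_rf_children(subdir_fd, flags | REMOVE_PHYSICAL, root_dev);
+
+ } else if (flags & REMOVE_ONLY_DIRECTORIES)
+ return 0;
+@@ -96,64 +97,128 @@
+ return 1;
+ }
+
++typedef struct TodoEntry {
++ DIR *dir; /* A directory that we were operating on. */
++ char *dirname; /* The filename of that directory itself. */
++} TodoEntry;
++
++static void free_todo_entries(TodoEntry **todos) {
++ for (TodoEntry *x = *todos; x && x->dir; x++) {
++ closedir(x->dir);
++ free(x->dirname);
++ }
++
++ freep(todos);
++}
++
+ int rm_rf_children(
+ int fd,
+ RemoveFlags flags,
+ const struct stat *root_dev) {
+
+- _cleanup_closedir_ DIR *d = NULL;
+- struct dirent *de;
++ _cleanup_(free_todo_entries) TodoEntry *todos = NULL;
++ size_t n_todo = 0, allocated = 0;
++ _cleanup_free_ char *dirname = NULL; /* Set when we are recursing and want to delete ourselves */
+ int ret = 0, r;
+
+- assert(fd >= 0);
++ /* Return the first error we run into, but nevertheless try to go on.
++ * The passed fd is closed in all cases, including on failure. */
+
+- /* This returns the first error we run into, but nevertheless tries to go on. This closes the passed
+- * fd, in all cases, including on failure. */
++ for (;;) { /* This loop corresponds to the directory nesting level. */
++ _cleanup_closedir_ DIR *d = NULL;
++ struct dirent *de;
++
++ if (n_todo > 0) {
++ /* We know that we are in recursion here, because n_todo is set.
++ * We need to remove the inner directory we were operating on. */
++ assert(dirname);
++ r = unlinkat(dirfd(todos[n_todo-1].dir), dirname, AT_REMOVEDIR);
++ if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
++ dirname = mfree(dirname);
++
++ /* And now let's back out one level up */
++ n_todo --;
++ d = TAKE_PTR(todos[n_todo].dir);
++ dirname = TAKE_PTR(todos[n_todo].dirname);
++
++ assert(d);
++ fd = dirfd(d); /* Retrieve the file descriptor from the DIR object */
++ assert(fd >= 0);
++ } else {
++ next_fd:
++ assert(fd >= 0);
++ d = fdopendir(fd);
++ if (!d) {
++ safe_close(fd);
++ return -errno;
++ }
++ fd = dirfd(d); /* We donated the fd to fdopendir(). Let's make sure we sure we have
++ * the right descriptor even if it were to internally invalidate the
++ * one we passed. */
++
++ if (!(flags & REMOVE_PHYSICAL)) {
++ struct statfs sfs;
++
++ if (fstatfs(fd, &sfs) < 0)
++ return -errno;
++
++ if (is_physical_fs(&sfs)) {
++ /* We refuse to clean physical file systems with this call, unless
++ * explicitly requested. This is extra paranoia just to be sure we
++ * never ever remove non-state data. */
++
++ _cleanup_free_ char *path = NULL;
++
++ (void) fd_get_path(fd, &path);
++ return log_error_errno(SYNTHETIC_ERRNO(EPERM),
++ "Attempted to remove disk file system under \"%s\", and we can't allow that.",
++ strna(path));
++ }
++ }
++ }
+
+- d = fdopendir(fd);
+- if (!d) {
+- safe_close(fd);
+- return -errno;
+- }
++ FOREACH_DIRENT_ALL(de, d, return -errno) {
++ int is_dir;
+
+- if (!(flags & REMOVE_PHYSICAL)) {
+- struct statfs sfs;
++ if (dot_or_dot_dot(de->d_name))
++ continue;
+
+- if (fstatfs(dirfd(d), &sfs) < 0)
+- return -errno;
+- }
++ is_dir = de->d_type == DT_UNKNOWN ? -1 : de->d_type == DT_DIR;
+
+- if (is_physical_fs(&sfs)) {
+- /* We refuse to clean physical file systems with this call, unless explicitly
+- * requested. This is extra paranoia just to be sure we never ever remove non-state
+- * data. */
+-
+- _cleanup_free_ char *path = NULL;
+-
+- (void) fd_get_path(fd, &path);
+- return log_error_errno(SYNTHETIC_ERRNO(EPERM),
+- "Attempted to remove disk file system under \"%s\", and we can't allow that.",
+- strna(path));
+- }
+- }
++ r = rm_rf_inner_child(fd, de->d_name, is_dir, flags, root_dev, false);
++ if (r == -EISDIR) {
++ /* Push the current working state onto the todo list */
+
+- FOREACH_DIRENT_ALL(de, d, return -errno) {
+- int is_dir;
++ if (!GREEDY_REALLOC0(todos, allocated, n_todo + 2))
++ return log_oom();
+
+- if (dot_or_dot_dot(de->d_name))
+- continue;
++ _cleanup_free_ char *newdirname = strdup(de->d_name);
++ if (!newdirname)
++ return log_oom();
+
+- is_dir =
+- de->d_type == DT_UNKNOWN ? -1 :
+- de->d_type == DT_DIR;
+-
+- r = rm_rf_children_inner(dirfd(d), de->d_name, is_dir, flags, root_dev);
+- if (r < 0 && r != -ENOENT && ret == 0)
+- ret = r;
+- }
++ int newfd = openat(fd, de->d_name,
++ O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW|O_NOATIME);
++ if (newfd >= 0) {
++ todos[n_todo++] = (TodoEntry) { TAKE_PTR(d), TAKE_PTR(dirname) };
++ fd = newfd;
++ dirname = TAKE_PTR(newdirname);
++
++ goto next_fd;
+
+- if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(dirfd(d)) < 0 && ret >= 0)
+- ret = -errno;
++ } else if (errno != -ENOENT && ret == 0)
++ ret = -errno;
++
++ } else if (r < 0 && r != -ENOENT && ret == 0)
++ ret = r;
++ }
++
++ if (FLAGS_SET(flags, REMOVE_SYNCFS) && syncfs(fd) < 0 && ret >= 0)
++ ret = -errno;
++
++ if (n_todo == 0)
++ break;
++ }
+
+ return ret;
+ }
+@@ -250,5 +315,5 @@
+ if (FLAGS_SET(flags, REMOVE_ONLY_DIRECTORIES|REMOVE_SUBVOLUME))
+ return -EINVAL;
+
+- return rm_rf_children_inner(fd, name, -1, flags, NULL);
++ return rm_rf_inner_child(fd, name, -1, flags, NULL, true);
+ }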
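diff --git a/debian/patches/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch b/debian/patches/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch
new file mode 100644
index 0000000..dccf2e0
--- /dev/null
+++ b/debian/patches/debian/UBUNTU-Fix-timezone-setting-on-read-only-etc.patch
@@ -0,0 +1,28 @@
+Description: Fix timezone setting on read-only etc
+ Due to our read-only /etc workaround, the localtime link on such
+ system ends up in /etc/writable, not /etc. To make the link target
+ correct in both normal and such systems, makes the path absolute.
+ .
+ On Ubuntu Core, this eliminates the need for the wrapper script, and
+ makes the DBus interface work properly.
+Author: Ratchanan Srirattanamet <ratchanan@ubports.com>
+Origin: other
+Bug-Ubuntu: https://bugs.launchpad.net/snappy/+bug/1650688
+Forwarded: not-needed (part of read-only /etc workaround)
+Last-Update: 2021-09-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+--- a/src/timedate/timedated.c
++++ b/src/timedate/timedated.c
+@@ -320,9 +320,9 @@
+ return r;
+ }
+
+- source = "../usr/share/zoneinfo/UTC";
++ source = "/usr/share/zoneinfo/UTC";
+ } else {
+- p = path_join("../usr/share/zoneinfo", c->zone);
++ p = path_join("/usr/share/zoneinfo", c->zone);
+ if (!p)
+ return -ENOMEM;
+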
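Review bot: The two replaced literals in timedated.c (`"/usr/share/zoneinfo/UTC"` and the `path_join("/usr/share/zoneinfo", c->zone)` call) carry no comment saying why the symlink target is now absolute, so a later sync with upstream could quietly restore the relative form. I would add above the first assignment `/* Ubuntu: absolute target, because with read-only /etc the link lives in /etc/writable and "../usr" would not resolve from there */`. An absolute target is resolved against whatever root the reader runs in, so tools that inspect an image offline or under an alternate root will follow it into the host's zoneinfo; that trade-off is worth stating in the patch description. The enclosing function starts and ends outside the hunk, and whether `c->zone` is validated before the join is not visible here.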
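diff --git a/debian/patches/debian/timedatectl-lp1650688.patch b/debian/patches/debian/timedatectl-lp1650688.patch
new file mode 100644
index 0000000..35bc48c
--- /dev/null
+++ b/debian/patches/debian/timedatectl-lp1650688.patch
@@ -0,0 +1,53 @@
+Description: Fix retrieving timezone on read-only /etc
+ get_timezone() retrieve it by reading the link destination of
+ /etc/localtime, which on systems with read-only /etc will always point
+ to /etc/writable. Makes this function aware of the /etc/writable
+ redirection and handle it.
+ .
+ [ratchanan@ubports.com: add descrtiption and other metadata.]
+Author: Michael Vogt <michael.vogt@ubuntu.com>
+Origin: vendor, https://bugs.launchpad.net/snappy/+bug/1650688/comments/46
+Bug-Ubuntu: https://bugs.launchpad.net/snappy/+bug/1650688
+Forwarded: not-needed (part of read-only /etc workaround)
+Last-Update: 2021-09-24
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/basic/time-util.c b/src/basic/time-util.c
+index d7028ac..b9bb4da 100644
+--- a/src/basic/time-util.c
++++ b/src/basic/time-util.c
+@@ -1391,6 +1391,25 @@ bool clock_supported(clockid_t clock) {
+ }
+ }
+
++/* Hack for Ubuntu phone: check if path is an existing symlink to
++ * /etc/writable; if it is, update that instead */
++static const char* writable_filename(const char *path) {
++ ssize_t r;
++ static char realfile_buf[PATH_MAX];
++ _cleanup_free_ char *realfile = NULL;
++ const char *result = path;
++ int orig_errno = errno;
++
++ r = readlink_and_make_absolute(path, &realfile);
++ if (r >= 0 && startswith(realfile, "/etc/writable")) {
++ snprintf(realfile_buf, sizeof(realfile_buf), "%s", realfile);
++ result = realfile_buf;
++ }
++
++ errno = orig_errno;
++ return result;
++}
++
+ int get_timezone(char **ret) {
+ _cleanup_free_ char *t = NULL;
+ const char *e;
+@@ -1398,7 +1417,7 @@ int get_timezone(char **ret) {
+ int r;
+ bool use_utc_fallback = false;
+
+- r = readlink_malloc("/etc/localtime", &t);
++ r = readlink_malloc(writable_filename("/etc/localtime"), &t);
+ if (r < 0) {
+ if (r == -ENOENT)
+ use_utc_fallback = true;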
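Review bot: In `writable_filename()` the test `startswith(realfile, "/etc/writable")` is a plain string-prefix match, so a link target such as `/etc/writable-old/localtime` also passes; a path-component comparison, `if (r >= 0 && path_startswith(realfile, "/etc/writable")) {`, says what is meant (assuming path-util.h is already included in time-util.c). The `snprintf()` into `realfile_buf` is unchecked, so a target longer than the buffer is silently truncated and the truncated path is then handed to `readlink_malloc()`; returning `path` when the result is `>= sizeof(realfile_buf)` avoids that. The helper also returns a pointer into a function-static buffer, which makes it non-reentrant, and the comment above it should say so. `get_timezone()` continues outside the hunk.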
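diff --git a/debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch b/debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch
new file mode 100644
index 0000000..d303383
--- /dev/null
+++ b/debian/patches/hwdb-Add-mic-mute-key-mapping-for-HP-Elite-x360.patch
@@ -0,0 +1,26 @@
+From f09f6dc2c8f59b2b58159cc413b605a547c8646e Mon Sep 17 00:00:00 2001
+From: Andy Chi <andy.chi@canonical.com>
+Date: Tue, 29 Mar 2022 15:36:13 +0800
+Subject: [PATCH] hwdb: Add mic mute key mapping for HP Elite x360
+
+On the new Elite x360 2 in 1 HP laptops, the microphone mute hotkey is "Fn+F8" and
+the scancode for this hotkey is 0x81, but this scancode was mapped to
+fn_esc in the HP generic keymap section. To fix this problem, we add
+a machine specific keymap section to add the correct keymap rule.
+---
+ hwdb.d/60-keyboard.hwdb | 2 ++
+ 1 file changed, 2 insertions(+)
+
+Index: systemd-ubuntu-core/hwdb.d/60-keyboard.hwdb
+===================================================================
+--- systemd-ubuntu-core.orig/hwdb.d/60-keyboard.hwdb
++++ systemd-ubuntu-core/hwdb.d/60-keyboard.hwdb
+@@ -600,6 +600,8 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett
+ # HP EliteBook
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHPEliteBook*:pvr*
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pnHPEliteBook*:pvr*
++# HP Elite x360
++evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pnHPElite*x360*:*
+ # HP Elite Dragonfly
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pnHPEliteDragonfly*:pvr*
+ # HP ProBook 440 G2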
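diff --git a/debian/patches/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch b/debian/patches/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch
new file mode 100644
index 0000000..832ad22
--- /dev/null
+++ b/debian/patches/hwdb-Mask-rfkill-event-from-intel-hid-on-HP-platforms.patch
@@ -0,0 +1,27 @@
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Thu, 11 Jun 2020 21:32:12 +0800
+Subject: hwdb: Mask rfkill event from intel-hid on HP platforms
+
+HP spec mandates the hp-wireless driver as canonical source of rfkill
+event, so mask the rfkill event from intel-hid to avoid double rfkill
+events fired from a single hotkey press.
+
+(cherry picked from commit d8a9dd0dc17df77229d079afe29c05ae4a9e2ae9)
+---
+ hwdb.d/60-keyboard.hwdb | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/hwdb.d/60-keyboard.hwdb b/hwdb.d/60-keyboard.hwdb
+index fae0ecc..3d9a5d7 100644
+--- a/hwdb.d/60-keyboard.hwdb
++++ b/hwdb.d/60-keyboard.hwdb
+@@ -481,6 +481,9 @@ evdev:input:b0003v0458p0708*
+ # Hewlett Packard
+ ###########################################################
+
++evdev:name:Intel HID events:dmi:bvn*:bvr*:bd*:svnHP*:pn*:pvr*
++ KEYBOARD_KEY_8=unknown # Use hp-wireless instead
++
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pn*:pvr*
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pn*:pvr*
+ KEYBOARD_KEY_81=fn_esc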
1278diff --git a/debian/patches/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch b/debian/patches/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch
1279new file mode 100644
1280index 0000000..0a8affa
1281--- /dev/null
1282+++ b/debian/patches/lp1664844/0001-network-add-ActivationPolicy-configuration-parameter.patch
1283@@ -0,0 +1,344 @@
1284+From 61135582e0b2e847e49c96af05e4d101323ce00c Mon Sep 17 00:00:00 2001
1285+From: Dan Streetman <ddstreet@canonical.com>
1286+Date: Thu, 18 Jun 2020 16:09:40 -0400
1287+Subject: [PATCH 1/3] network: add ActivationPolicy= configuration parameter
1288+Origin: upstream, https://github.com/systemd/systemd/pull/16228
1289+Bug-Ubuntu: https://bugs.launchpad.net/netplan/+bug/1664844
1290+
1291+This parameter allows configuring the activation policy for an interface,
1292+meaning how it manages the interface's administrative state (IFF_UP flag).
1293+The policy can be configured to bring the interface either up or down when
1294+the interface is (re)configured, to always force the interface either up or
1295+down, or to never change the interface administrative state.
1296+
1297+If the interface is bound with BindCarrier=, its administrative state is
1298+controlled by the interface(s) it's bound to, and this parameter is forced
1299+to 'bound'.
1300+
1301+This changes the default behavior of how systemd-networkd sets the IFF_UP
1302+flag; previously, it was set up (if not already up) every time the
1303+link_joined() function was called. Now, with the default ActivationPolicy=
1304+setting of 'up', it will only set the IFF_UP flag once, the first time
1305+link_joined() is called, during an interface's configuration; and on
1306+the first link_joined() call each time the interface is reconfigured.
1307+
1308+Fixes: #3031
1309+Fixes: #17437
1310+---
1311+ man/systemd.network.xml | 39 ++++++++++++-
1312+ src/network/networkd-link.c | 58 ++++++++++++++++++-
1313+ src/network/networkd-link.h | 1 +
1314+ src/network/networkd-network-gperf.gperf | 1 +
1315+ src/network/networkd-network.c | 40 ++++++++++++-
1316+ src/network/networkd-network.h | 16 +++++
1317+ .../fuzz-network-parser/directives.network | 1 +
1318+ 7 files changed, 148 insertions(+), 8 deletions(-)
1319+
1320+--- a/man/systemd.network.xml
1321++++ b/man/systemd.network.xml
1322+@@ -225,6 +225,36 @@
1323+ if <literal>RequiredForOnline=no</literal>.</para>
1324+ </listitem>
1325+ </varlistentry>
1326++ <varlistentry>
1327++ <term><varname>ActivationPolicy=</varname></term>
1328++ <listitem>
1329++ <para>Specifies the policy for <command>systemd-networkd</command> managing the link
1330++ administrative state. Specifically, this controls how <command>systemd-networkd</command>
1331++ changes the network device's <literal>IFF_UP</literal> flag, which is sometimes
1332++ controlled by system administrators by running e.g., <command>ip set dev eth0 up</command>
1333++ or <command>ip set dev eth0 down</command>, and can also be changed with
1334++ <command>networkctl up eth0</command> or <command>networkctl down eth0</command>.</para>
1335++
1336++ <para>Takes one of <literal>up</literal>, <literal>always-up</literal>,
1337++ <literal>manual</literal>, <literal>always-down</literal>, <literal>down</literal>,
1338++ or <literal>bound</literal>. When <literal>manual</literal>, <command>systemd-networkd</command>
1339++ will not change the link's admin state automatically; the system administrator must bring the
1340++ interface up or down manually, as desired. When <literal>up</literal> (the default) or
1341++ <literal>always-up</literal>, or <literal>down</literal> or <literal>always-down</literal>,
1342++ <command>systemd-networkd</command> will set the link up or down, respectively,
1343++ when the interface is (re)configured. When <literal>always-up</literal> or
1344++ <literal>always-down</literal>, <command>systemd-networkd</command> will set the link up
1345++ or down, respectively, any time <command>systemd-networkd</command> detects a change in
1346++ the administrative state. When <varname>BindCarrier=</varname> is also set, this is
1347++ automatically set to <literal>bound</literal> and any other value is ignored.</para>
1348++
1349++ <para>The administrative state is not the same as the carrier state, so using
1350++ <literal>always-up</literal> does not mean the link will never lose carrier. The link
1351++ carrier depends on both the administrative state as well as the network device's physical
1352++ connection. However, to avoid reconfiguration failures, when using <literal>always-up</literal>,
1353++ <varname>IgnoreCarrierLoss=</varname> is forced to true.</para>
1354++ </listitem>
1355++ </varlistentry>
1356+ </variablelist>
1357+ </refsect1>
1358+
1359+@@ -464,8 +494,9 @@
1360+ <listitem>
1361+ <para>A link name or a list of link names. When set, controls the behavior of the current
1362+ link. When all links in the list are in an operational down state, the current link is brought
1363+- down. When at least one link has carrier, the current interface is brought up.
1364+- </para>
1365++ down. When at least one link has carrier, the current interface is brought up.</para>
1366++
1367++ <para>This forces <varname>ActivationPolicy=</varname> to be set to <literal>bound</literal>.</para>
1368+ </listitem>
1369+ </varlistentry>
1370+ <varlistentry>
1371+@@ -819,6 +850,10 @@
1372+ of the interface even if its carrier is lost. When unset, the value specified with
1373+ <option>ConfigureWithoutCarrier=</option> is used.
1374+ </para>
1375++
1376++ <para>When <varname>ActivationPolicy=</varname> is set to <literal>always-up</literal>, this
1377++ is forced to <literal>true</literal>.
1378++ </para>
1379+ </listitem>
1380+ </varlistentry>
1381+ <varlistentry>
1382+--- a/src/network/networkd-link.c
1383++++ b/src/network/networkd-link.c
1384+@@ -2100,17 +2100,38 @@
1385+ assert(link);
1386+ assert(link->network);
1387+
1388+- if (!hashmap_isempty(link->bound_to_links)) {
1389++ switch (link->network->activation_policy) {
1390++ case ACTIVATION_POLICY_BOUND:
1391+ r = link_handle_bound_to_list(link);
1392+ if (r < 0)
1393+ return r;
1394+- } else if (!(link->flags & IFF_UP)) {
1395++ break;
1396++ case ACTIVATION_POLICY_UP:
1397++ if (link->activated)
1398++ break;
1399++ _fallthrough_;
1400++ case ACTIVATION_POLICY_ALWAYS_UP:
1401+ r = link_up(link);
1402+ if (r < 0) {
1403+ link_enter_failed(link);
1404+ return r;
1405+ }
1406++ break;
1407++ case ACTIVATION_POLICY_DOWN:
1408++ if (link->activated)
1409++ break;
1410++ _fallthrough_;
1411++ case ACTIVATION_POLICY_ALWAYS_DOWN:
1412++ r = link_down(link, NULL);
1413++ if (r < 0) {
1414++ link_enter_failed(link);
1415++ return r;
1416++ }
1417++ break;
1418++ default:
1419++ break;
1420+ }
1421++ link->activated = true;
1422+
1423+ if (link->network->bridge) {
1424+ r = link_set_bridge(link);
1425+@@ -3099,6 +3120,7 @@
1426+ return r;
1427+
1428+ link_set_state(link, LINK_STATE_PENDING);
1429++ link->activated = false;
1430+ link_dirty(link);
1431+
1432+ /* link_configure_duid() returns 0 if it requests product UUID. In that case,
1433+@@ -3680,6 +3702,16 @@
1434+ static int link_admin_state_up(Link *link) {
1435+ int r;
1436+
1437++ assert(link);
1438++
1439++ if (!link->network)
1440++ return 0;
1441++
1442++ if (link->network->activation_policy == ACTIVATION_POLICY_ALWAYS_DOWN) {
1443++ log_link_info(link, "ActivationPolicy is \"always-off\", forcing link down");
1444++ return link_down(link, NULL);
1445++ }
1446++
1447+ /* We set the ipv6 mtu after the device mtu, but the kernel resets
1448+ * ipv6 mtu on NETDEV_UP, so we need to reset it. The check for
1449+ * ipv6_mtu_set prevents this from trying to set it too early before
1450+@@ -3694,6 +3726,21 @@
1451+ return 0;
1452+ }
1453+
1454++static int link_admin_state_down(Link *link) {
1455++
1456++ assert(link);
1457++
1458++ if (!link->network)
1459++ return 0;
1460++
1461++ if (link->network->activation_policy == ACTIVATION_POLICY_ALWAYS_UP) {
1462++ log_link_info(link, "ActivationPolicy is \"always-on\", forcing link up");
1463++ return link_up(link);
1464++ }
1465++
1466++ return 0;
1467++}
1468++
1469+ int link_update(Link *link, sd_netlink_message *m) {
1470+ _cleanup_strv_free_ char **s = NULL;
1471+ struct ether_addr mac;
1472+@@ -3846,9 +3893,14 @@
1473+ r = link_admin_state_up(link);
1474+ if (r < 0)
1475+ return r;
1476+- } else if (link_was_admin_up && !(link->flags & IFF_UP))
1477++ } else if (link_was_admin_up && !(link->flags & IFF_UP)) {
1478+ log_link_info(link, "Link DOWN");
1479+
1480++ r = link_admin_state_down(link);
1481++ if (r < 0)
1482++ return r;
1483++ }
1484++
1485+ r = link_update_lldp(link);
1486+ if (r < 0)
1487+ return r;
1488+--- a/src/network/networkd-link.h
1489++++ b/src/network/networkd-link.h
1490+@@ -119,6 +119,7 @@
1491+ bool setting_mtu:1;
1492+ bool setting_genmode:1;
1493+ bool ipv6_mtu_set:1;
1494++ bool activated:1;
1495+
1496+ LIST_HEAD(Address, pool_addresses);
1497+
1498+--- a/src/network/networkd-network-gperf.gperf
1499++++ b/src/network/networkd-network-gperf.gperf
1500+@@ -48,6 +48,7 @@
1501+ Link.Multicast, config_parse_tristate, 0, offsetof(Network, multicast)
1502+ Link.AllMulticast, config_parse_tristate, 0, offsetof(Network, allmulticast)
1503+ Link.Unmanaged, config_parse_bool, 0, offsetof(Network, unmanaged)
1504++Link.ActivationPolicy, config_parse_activation_policy, 0, offsetof(Network, activation_policy)
1505+ Link.RequiredForOnline, config_parse_required_for_online, 0, 0
1506+ Network.Description, config_parse_string, 0, offsetof(Network, description)
1507+ Network.Bridge, config_parse_ifname, 0, offsetof(Network, bridge_name)
1508+--- a/src/network/networkd-network.c
1509++++ b/src/network/networkd-network.c
1510+@@ -268,9 +268,6 @@
1511+ if (network->dhcp_use_gateway < 0)
1512+ network->dhcp_use_gateway = network->dhcp_use_routes;
1513+
1514+- if (network->ignore_carrier_loss < 0)
1515+- network->ignore_carrier_loss = network->configure_without_carrier;
1516+-
1517+ if (network->dhcp_critical >= 0) {
1518+ if (network->keep_configuration >= 0)
1519+ log_warning("%s: Both KeepConfiguration= and deprecated CriticalConnection= are set. "
1520+@@ -282,6 +279,30 @@
1521+ network->keep_configuration = KEEP_CONFIGURATION_NO;
1522+ }
1523+
1524++ if (!strv_isempty(network->bind_carrier)) {
1525++ if (!IN_SET(network->activation_policy, _ACTIVATION_POLICY_INVALID, ACTIVATION_POLICY_BOUND))
1526++ log_warning("%s: ActivationPolicy=bound is required with BindCarrier=. "
1527++ "Setting ActivationPolicy=bound.", network->filename);
1528++ network->activation_policy = ACTIVATION_POLICY_BOUND;
1529++ } else if (network->activation_policy == ACTIVATION_POLICY_BOUND) {
1530++ log_warning("%s: ActivationPolicy=bound requires BindCarrier=. "
1531++ "Ignoring ActivationPolicy=bound.", network->filename);
1532++ network->activation_policy = ACTIVATION_POLICY_UP;
1533++ }
1534++
1535++ if (network->activation_policy == _ACTIVATION_POLICY_INVALID)
1536++ network->activation_policy = ACTIVATION_POLICY_UP;
1537++
1538++ if (network->activation_policy == ACTIVATION_POLICY_ALWAYS_UP) {
1539++ if (network->ignore_carrier_loss == false)
1540++ log_warning("%s: IgnoreCarrierLoss=false conflicts with ActivationPolicy=always-up. "
1541++ "Setting IgnoreCarrierLoss=true.", network->filename);
1542++ network->ignore_carrier_loss = true;
1543++ }
1544++
1545++ if (network->ignore_carrier_loss < 0)
1546++ network->ignore_carrier_loss = network->configure_without_carrier;
1547++
1548+ if (network->keep_configuration < 0)
1549+ network->keep_configuration = KEEP_CONFIGURATION_NO;
1550+
1551+@@ -451,6 +472,7 @@
1552+ .ipv6_proxy_ndp = -1,
1553+ .duid.type = _DUID_TYPE_INVALID,
1554+ .proxy_arp = -1,
1555++ .activation_policy = _ACTIVATION_POLICY_INVALID,
1556+ .arp = -1,
1557+ .multicast = -1,
1558+ .allmulticast = -1,
1559+@@ -1362,3 +1384,15 @@
1560+ };
1561+
1562+ DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(keep_configuration, KeepConfiguration, KEEP_CONFIGURATION_YES);
1563++
1564++static const char* const activation_policy_table[_ACTIVATION_POLICY_MAX] = {
1565++ [ACTIVATION_POLICY_UP] = "up",
1566++ [ACTIVATION_POLICY_ALWAYS_UP] = "always-up",
1567++ [ACTIVATION_POLICY_MANUAL] = "manual",
1568++ [ACTIVATION_POLICY_ALWAYS_DOWN] = "always-down",
1569++ [ACTIVATION_POLICY_DOWN] = "down",
1570++ [ACTIVATION_POLICY_BOUND] = "bound",
1571++};
1572++
1573++DEFINE_STRING_TABLE_LOOKUP(activation_policy, ActivationPolicy);
1574++DEFINE_CONFIG_PARSE_ENUM(config_parse_activation_policy, activation_policy, ActivationPolicy, "Failed to parse activation policy");
1575+--- a/src/network/networkd-network.h
1576++++ b/src/network/networkd-network.h
1577+@@ -53,6 +53,17 @@
1578+ _KEEP_CONFIGURATION_INVALID = -1,
1579+ } KeepConfiguration;
1580+
1581++typedef enum ActivationPolicy {
1582++ ACTIVATION_POLICY_UP,
1583++ ACTIVATION_POLICY_ALWAYS_UP,
1584++ ACTIVATION_POLICY_MANUAL,
1585++ ACTIVATION_POLICY_ALWAYS_DOWN,
1586++ ACTIVATION_POLICY_DOWN,
1587++ ACTIVATION_POLICY_BOUND,
1588++ _ACTIVATION_POLICY_MAX,
1589++ _ACTIVATION_POLICY_INVALID = -1
1590++} ActivationPolicy;
1591++
1592+ typedef struct Manager Manager;
1593+
1594+ struct Network {
1595+@@ -240,6 +251,7 @@
1596+
1597+ bool required_for_online; /* Is this network required to be considered online? */
1598+ LinkOperationalStateRange required_operstate_for_online;
1599++ ActivationPolicy activation_policy;
1600+
1601+ LLDPMode lldp_mode; /* LLDP reception */
1602+ LLDPEmit lldp_emit; /* LLDP transmission */
1603+@@ -325,6 +337,7 @@
1604+ CONFIG_PARSER_PROTOTYPE(config_parse_ntp);
1605+ CONFIG_PARSER_PROTOTYPE(config_parse_required_for_online);
1606+ CONFIG_PARSER_PROTOTYPE(config_parse_keep_configuration);
1607++CONFIG_PARSER_PROTOTYPE(config_parse_activation_policy);
1608+
1609+ const struct ConfigPerfItem* network_network_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
1610+
1611+@@ -333,3 +346,6 @@
1612+
1613+ const char* keep_configuration_to_string(KeepConfiguration i) _const_;
1614+ KeepConfiguration keep_configuration_from_string(const char *s) _pure_;
1615++
1616++const char* activation_policy_to_string(ActivationPolicy i) _const_;
1617++ActivationPolicy activation_policy_from_string(const char *s) _pure_;
1618+--- a/test/fuzz/fuzz-network-parser/directives.network
1619++++ b/test/fuzz/fuzz-network-parser/directives.network
1620+@@ -30,6 +30,7 @@
1621+ MACAddress=
1622+ PermanentMACAddress=
1623+ [Link]
1624++ActivationPolicy=
1625+ RequiredForOnline=
1626+ ARP=
1627+ AllMulticast=
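Review bot: The two new log lines in networkd-link.c name policy values that do not exist: `link_admin_state_up()` logs `"always-off"` and `link_admin_state_down()` logs `"always-on"`, while the string table added in networkd-network.c and the man page use `always-down` and `always-up`. Anyone searching the journal for the configured value will miss these messages, so I would change them to `log_link_info(link, "ActivationPolicy is \"always-down\", forcing link down");` and `log_link_info(link, "ActivationPolicy is \"always-up\", forcing link up");`. The man page hunk also gives `ip set dev eth0 up` and `ip set dev eth0 down` as example commands, which should read `ip link set dev eth0 up` and `ip link set dev eth0 down`. `link_update()` and the function holding the new `switch` both extend beyond their hunks.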
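diff --git a/debian/patches/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch b/debian/patches/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch
new file mode 100644
index 0000000..b902690
--- /dev/null
+++ b/debian/patches/lp1664844/0002-test-add-ActivationPolicy-unit-tests.patch
@@ -0,0 +1,121 @@
+From 2236d75df955118ad5d84c5ab787484c0921dfda Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@canonical.com>
+Date: Thu, 18 Jun 2020 18:31:18 -0400
+Subject: [PATCH 2/3] test: add ActivationPolicy= unit tests
+Origin: upstream, https://github.com/systemd/systemd/pull/16228
+Bug-Ubuntu: https://bugs.launchpad.net/netplan/+bug/1664844
+
+---
+ .../conf/25-activation-policy.network | 6 +++
+ .../always-down.conf | 2 +
+ .../always-up.conf | 2 +
+ .../25-activation-policy.network.d/down.conf | 2 +
+ .../manual.conf | 2 +
+ .../25-activation-policy.network.d/up.conf | 2 +
+ test/test-network/systemd-networkd-tests.py | 48 +++++++++++++++++++
+ 7 files changed, 64 insertions(+)
+ create mode 100644 test/test-network/conf/25-activation-policy.network
+ create mode 100644 test/test-network/conf/25-activation-policy.network.d/always-down.conf
+ create mode 100644 test/test-network/conf/25-activation-policy.network.d/always-up.conf
+ create mode 100644 test/test-network/conf/25-activation-policy.network.d/down.conf
+ create mode 100644 test/test-network/conf/25-activation-policy.network.d/manual.conf
+ create mode 100644 test/test-network/conf/25-activation-policy.network.d/up.conf
+
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network
+@@ -0,0 +1,6 @@
++[Match]
++Name=test1
++
++[Network]
++Address=192.168.10.30/24
++Gateway=192.168.10.1
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network.d/always-down.conf
+@@ -0,0 +1,2 @@
++[Link]
++ActivationPolicy=always-down
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network.d/always-up.conf
+@@ -0,0 +1,2 @@
++[Link]
++ActivationPolicy=always-up
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network.d/down.conf
+@@ -0,0 +1,2 @@
++[Link]
++ActivationPolicy=down
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network.d/manual.conf
+@@ -0,0 +1,2 @@
++[Link]
++ActivationPolicy=manual
+--- /dev/null
++++ b/test/test-network/conf/25-activation-policy.network.d/up.conf
+@@ -0,0 +1,2 @@
++[Link]
++ActivationPolicy=up
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -1605,6 +1605,7 @@
+ '25-address-link-section.network',
+ '25-address-preferred-lifetime-zero.network',
+ '25-address-static.network',
++ '25-activation-policy.network',
+ '25-bind-carrier.network',
+ '25-bond-active-backup-slave.netdev',
+ '25-fibrule-invert.network',
+@@ -2211,6 +2212,53 @@
+ self.assertRegex(output, 'inet 192.168.10.30/24 brd 192.168.10.255 scope global test1')
+ self.wait_operstate('test1', 'routable')
+
++ def _test_activation_policy(self, test):
++ self.setUp()
++ conffile = '25-activation-policy.network'
++ if test:
++ conffile = f'{conffile}.d/{test}.conf'
++ copy_unit_to_networkd_unit_path('11-dummy.netdev', conffile, dropins=False)
++ start_networkd()
++
++ always = test.startswith('always')
++ if test == 'manual':
++ initial_up = 'UP' in check_output('ip link show test1')
++ else:
++ initial_up = not test.endswith('down') # note: default is up
++ expect_up = initial_up
++ next_up = not expect_up
++
++ # if initial expected state is down, must wait for setup_state to reach configuring
++ # so systemd-networkd considers it 'activated'
++ setup_state = None if initial_up else 'configuring'
++
++ for iteration in range(4):
++ with self.subTest(iteration=iteration, expect_up=expect_up):
++ operstate = 'routable' if expect_up else 'off'
++ self.wait_operstate('test1', operstate, setup_state=setup_state, setup_timeout=20)
++ setup_state = None
++
++ if expect_up:
++ self.assertIn('UP', check_output('ip link show test1'))
++ self.assertIn('192.168.10.30/24', check_output('ip address show test1'))
++ self.assertIn('default via 192.168.10.1', check_output('ip route show'))
++ else:
++ self.assertIn('DOWN', check_output('ip link show test1'))
++
++ if next_up:
++ check_output('ip link set dev test1 up')
++ else:
++ check_output('ip link set dev test1 down')
++ expect_up = initial_up if always else next_up
++ next_up = not next_up
++
++ self.tearDown()
++
++ def test_activation_policy(self):
++ for test in ['up', 'always-up', 'manual', 'always-down', 'down', '']:
++ with self.subTest(test=test):
++ self._test_activation_policy(test)
++
+ def test_domain(self):
+ copy_unit_to_networkd_unit_path('12-dummy.netdev', '24-search-domain.network')
+ start_networkd()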
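Review bot: `_test_activation_policy()` calls `self.setUp()` and `self.tearDown()` by hand, and the `tearDown()` sits at the end of the body rather than in a `finally`. Because `test_activation_policy()` wraps each case in `self.subTest(test=test)`, an exception raised outside the inner sub-tests (for example from `start_networkd()`) is recorded and the loop moves on, so the next policy starts on top of the previous case's units and link state. Wrapping everything after `self.setUp()` in `try:` with `finally: self.tearDown()` keeps the cases independent.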
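diff --git a/debian/patches/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch b/debian/patches/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch
new file mode 100644
index 0000000..a2c2250
--- /dev/null
+++ b/debian/patches/lp1664844/0003-save-link-activation-policy-to-state-file-and-displa.patch
@@ -0,0 +1,110 @@
+From a853652ae983699460b160bc2bf72f6fae0bfcd6 Mon Sep 17 00:00:00 2001
+From: Dan Streetman <ddstreet@canonical.com>
+Date: Thu, 13 Aug 2020 11:52:53 -0400
+Subject: [PATCH 3/3] save link activation policy to state file and display in
+ networkctl
+Origin: upstream, https://github.com/systemd/systemd/pull/16228
+Bug-Ubuntu: https://bugs.launchpad.net/netplan/+bug/1664844
+
+---
+ src/libsystemd/sd-network/sd-network.c | 21 +++++++++++++++++++++
+ src/network/networkctl.c | 12 +++++++++++-
+ src/network/networkd-link.c | 3 +++
+ src/systemd/sd-network.h | 5 +++++
+ test/test-network/systemd-networkd-tests.py | 1 +
+ 5 files changed, 41 insertions(+), 1 deletion(-)
+
+--- a/src/libsystemd/sd-network/sd-network.c
++++ b/src/libsystemd/sd-network/sd-network.c
+@@ -204,6 +204,27 @@
+ return 0;
+ }
+
++_public_ int sd_network_link_get_activation_policy(int ifindex, char **policy) {
++ _cleanup_free_ char *s = NULL;
++ int r;
++
++ assert_return(policy, -EINVAL);
++
++ r = network_link_get_string(ifindex, "ACTIVATION_POLICY", &s);
++ if (r < 0) {
++ if (r != -ENODATA)
++ return r;
++
++ /* For compatibility, assuming up. */
++ s = strdup("up");
++ if (!s)
++ return -ENOMEM;
++ }
++
++ *policy = TAKE_PTR(s);
++ return 0;
++}
++
+ _public_ int sd_network_link_get_llmnr(int ifindex, char **llmnr) {
+ return network_link_get_string(ifindex, "LLMNR", llmnr);
+ }
+--- a/src/network/networkctl.c
++++ b/src/network/networkctl.c
+@@ -1143,7 +1143,7 @@
+ const LinkInfo *info) {
+
+ _cleanup_strv_free_ char **dns = NULL, **ntp = NULL, **search_domains = NULL, **route_domains = NULL;
+- _cleanup_free_ char *setup_state = NULL, *operational_state = NULL, *tz = NULL;
++ _cleanup_free_ char *setup_state = NULL, *operational_state = NULL, *tz = NULL, *activation_policy = NULL;
+ _cleanup_free_ char *t = NULL, *network = NULL;
+ const char *driver = NULL, *path = NULL, *vendor = NULL, *model = NULL, *link = NULL;
+ const char *on_color_operational, *off_color_operational,
+@@ -1531,6 +1531,16 @@
+ if (r < 0)
+ return r;
+
++ r = sd_network_link_get_activation_policy(info->ifindex, &activation_policy);
++ if (r >= 0) {
++ r = table_add_many(table,
++ TABLE_EMPTY,
++ TABLE_STRING, "Activation Policy:",
++ TABLE_STRING, activation_policy);
++ if (r < 0)
++ return table_log_add_error(r);
++ }
++
+ (void) sd_network_link_get_timezone(info->ifindex, &tz);
+ if (tz) {
+ r = table_add_many(table,
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -4039,6 +4039,9 @@
+ log_link_debug(link, "No DHCPv6 lease");
+ }
+
++ fprintf(f, "ACTIVATION_POLICY=%s\n",
++ activation_policy_to_string(link->network->activation_policy));
++
+ fprintf(f, "NETWORK_FILE=%s\n", link->network->filename);
+
+ fputs("DNS=", f);
+--- a/src/systemd/sd-network.h
++++ b/src/systemd/sd-network.h
+@@ -103,6 +103,11 @@
+ */
+ int sd_network_link_get_required_for_online(int ifindex);
+
++/* Get activation policy for ifindex.
++ * Possible values are as specified for ActivationPolicy=
++ */
++int sd_network_link_get_activation_policy(int ifindex, char **policy);
++
+ /* Get path to .network file applied to link */
+ int sd_network_link_get_network_file(int ifindex, char **filename);
+
+--- a/test/test-network/systemd-networkd-tests.py
++++ b/test/test-network/systemd-networkd-tests.py
+@@ -2407,6 +2407,7 @@
+ self.assertRegex(data, r'OPER_STATE=routable')
+ self.assertRegex(data, r'REQUIRED_FOR_ONLINE=yes')
+ self.assertRegex(data, r'REQUIRED_OPER_STATE_FOR_ONLINE=routable')
++ self.assertRegex(data, r'ACTIVATION_POLICY=up')
+ self.assertRegex(data, r'NETWORK_FILE=/run/systemd/network/state-file-tests.network')
+ self.assertRegex(data, r'DNS=10.10.10.10 10.10.10.11')
+ self.assertRegex(data, r'NTP=0.fedora.pool.ntp.org 1.fedora.pool.ntp.org')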
1871diff --git a/debian/patches/lp1785383-resolved-address-DVE-2018-0001.patch b/debian/patches/lp1785383-resolved-address-DVE-2018-0001.patch
1872new file mode 100644
1873index 0000000..f5b5ac0
1874--- /dev/null
1875+++ b/debian/patches/lp1785383-resolved-address-DVE-2018-0001.patch
1876@@ -0,0 +1,161 @@
1877+From 1ed4e584f3a03f47d2313314b6b5a78c9dc6f135 Mon Sep 17 00:00:00 2001
1878+From: Lennart Poettering <lennart@poettering.net>
1879+Date: Thu, 12 Nov 2020 17:05:36 +0100
1880+Subject: [PATCH] resolved: address DVE-2018-0001
1881+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/bionic/+source/systemd/+bug/1785383
1882+Origin: upstream, https://github.com/systemd/systemd/commit/1ed4e584f3a03f47d2313314b6b5a78c9dc6f135
1883+
1884+This is an updated version of #8608 with more restrictive logic. To
1885+quite the original bug:
1886+
1887+ Some captive portals, lie and do not respond with the captive portal
1888+ IP address, if the query is with EDNS0 enabled and D0 bit set to
1889+ zero. Thus retry "secure" domain name look ups with less secure
1890+ methods, upon NXDOMAIN.
1891+
1892+https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1893+
1894+Yes, this fix sucks hard, but I guess this is what we need to do to make
1895+sure resolved works IRL.
1896+
1897+Heavily based on the original patch from Dimitri John Ledkov, and I
1898+copied the commentary verbatim.
1899+
1900+Replaces: #8608
1901+---
1902+ src/resolve/resolved-dns-transaction.c | 69 +++++++++++++++++++++-----
1903+ src/resolve/resolved-dns-transaction.h | 7 ++-
1904+ 2 files changed, 62 insertions(+), 14 deletions(-)
1905+
1906+--- a/src/resolve/resolved-dns-transaction.c
1907++++ b/src/resolve/resolved-dns-transaction.c
1908+@@ -204,7 +204,8 @@ int dns_transaction_new(DnsTransaction *
1909+ t->answer_nsec_ttl = (uint32_t) -1;
1910+ t->key = dns_resource_key_ref(key);
1911+ t->current_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1912+- t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1913++ t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1914++ t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1915+
1916+ t->id = pick_new_id(s->manager);
1917+
1918+@@ -378,15 +379,20 @@ static int dns_transaction_pick_server(D
1919+
1920+ /* If we changed the server invalidate the feature level clamping, as the new server might have completely
1921+ * different properties. */
1922+- if (server != t->server)
1923+- t->clamp_feature_level = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1924++ if (server != t->server) {
1925++ t->clamp_feature_level_servfail = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1926++ t->clamp_feature_level_nxdomain = _DNS_SERVER_FEATURE_LEVEL_INVALID;
1927++ }
1928+
1929+ t->current_feature_level = dns_server_possible_feature_level(server);
1930+
1931+ /* Clamp the feature level if that is requested. */
1932+- if (t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
1933+- t->current_feature_level > t->clamp_feature_level)
1934+- t->current_feature_level = t->clamp_feature_level;
1935++ if (t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
1936++ t->current_feature_level > t->clamp_feature_level_servfail)
1937++ t->current_feature_level = t->clamp_feature_level_servfail;
1938++ if (t->clamp_feature_level_nxdomain != _DNS_SERVER_FEATURE_LEVEL_INVALID &&
1939++ t->current_feature_level > t->clamp_feature_level_nxdomain)
1940++ t->current_feature_level = t->clamp_feature_level_nxdomain;
1941+
1942+ log_debug("Using feature level %s for transaction %u.", dns_server_feature_level_to_string(t->current_feature_level), t->id);
1943+
1944+@@ -1005,19 +1011,19 @@ void dns_transaction_process_reply(DnsTr
1945+ /* Reduce this feature level by one and try again. */
1946+ switch (t->current_feature_level) {
1947+ case DNS_SERVER_FEATURE_LEVEL_TLS_DO:
1948+- t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1949++ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN;
1950+ break;
1951+ case DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN + 1:
1952+ /* Skip plain TLS when TLS is not supported */
1953+- t->clamp_feature_level = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1954++ t->clamp_feature_level_servfail = DNS_SERVER_FEATURE_LEVEL_TLS_PLAIN - 1;
1955+ break;
1956+ default:
1957+- t->clamp_feature_level = t->current_feature_level - 1;
1958++ t->clamp_feature_level_servfail = t->current_feature_level - 1;
1959+ }
1960+
1961+ log_debug("Server returned error %s, retrying transaction with reduced feature level %s.",
1962+ dns_rcode_to_string(DNS_PACKET_RCODE(p)),
1963+- dns_server_feature_level_to_string(t->clamp_feature_level));
1964++ dns_server_feature_level_to_string(t->clamp_feature_level_servfail));
1965+
1966+ dns_transaction_retry(t, false /* use the same server */);
1967+ return;
1968+@@ -1086,13 +1092,51 @@ void dns_transaction_process_reply(DnsTr
1969+ return;
1970+ }
1971+
1972++ if (t->scope->protocol == DNS_PROTOCOL_DNS &&
1973++ DNS_PACKET_RCODE(p) == DNS_RCODE_NXDOMAIN &&
1974++ p->opt && !DNS_PACKET_DO(p) &&
1975++ t->current_feature_level >= DNS_SERVER_FEATURE_LEVEL_EDNS0 &&
1976++ IN_SET(t->current_feature_level, DNS_SERVER_FEATURE_LEVEL_UDP, DNS_SERVER_FEATURE_LEVEL_EDNS0, DNS_SERVER_FEATURE_LEVEL_DO, DNS_SERVER_FEATURE_LEVEL_LARGE) &&
1977++ t->scope->dnssec_mode != DNSSEC_YES) {
1978++
1979++ /* Some captive portals are special in that the Aruba/Datavalet hardware will miss
1980++ * replacing the packets with the local server IP to point to the authenticated side
1981++ * of the network if EDNS0 is enabled. Instead they return NXDOMAIN, with DO bit set
1982++ * to zero... nothing to see here, yet respond with the captive portal IP, when using
1983++ * the more simple UDP level.
1984++ *
1985++ * Common portal names that fail like so are:
1986++ * secure.datavalet.io
1987++ * securelogin.arubanetworks.com
1988++ * securelogin.networks.mycompany.com
1989++ *
1990++ * Thus retry NXDOMAIN RCODES with a lower feature level.
1991++ *
1992++ * Do not lower the server's tracked feature level, as the captive portal should not
1993++ * be lying for the wider internet (e.g. _other_ queries were observed fine with
1994++ * EDNS0 on these networks, post auth), i.e. let's just lower the level transaction's
1995++ * feature level.
1996++ *
1997++ * This is reported as https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md
1998++ */
1999++
2000++ t->clamp_feature_level_nxdomain = DNS_SERVER_FEATURE_LEVEL_UDP;
2001++
2002++ log_debug("Server returned error %s in EDNS0 mode, retrying transaction with reduced feature level %s (DVE-2018-0001 mitigation)",
2003++ dns_rcode_to_string(DNS_PACKET_RCODE(p)),
2004++ dns_server_feature_level_to_string(t->clamp_feature_level_nxdomain));
2005++
2006++ dns_transaction_retry(t, false /* use the same server */);
2007++ return;
2008++ }
2009++
2010+ if (t->server) {
2011+ /* Report that we successfully received a valid packet with a good rcode after we initially got a bad
2012+ * rcode and subsequently downgraded the protocol */
2013+
2014+ if (IN_SET(DNS_PACKET_RCODE(p), DNS_RCODE_SUCCESS, DNS_RCODE_NXDOMAIN) &&
2015+- t->clamp_feature_level != _DNS_SERVER_FEATURE_LEVEL_INVALID)
2016+- dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level);
2017++ t->clamp_feature_level_servfail != _DNS_SERVER_FEATURE_LEVEL_INVALID)
2018++ dns_server_packet_rcode_downgrade(t->server, t->clamp_feature_level_servfail);
2019+
2020+ /* Report that the OPT RR was missing */
2021+ if (!p->opt)
2022+--- a/src/resolve/resolved-dns-transaction.h
2023++++ b/src/resolve/resolved-dns-transaction.h
2024+@@ -105,8 +105,11 @@ struct DnsTransaction {
2025+ /* The features of the DNS server at time of transaction start */
2026+ DnsServerFeatureLevel current_feature_level;
2027+
2028+- /* If we got SERVFAIL back, we retry the lookup, using a lower feature level than we used before. */
2029+- DnsServerFeatureLevel clamp_feature_level;
2030++ /* If we got SERVFAIL back, we retry the lookup, using a lower feature level than we used
2031++ * before. Similar, if we get NXDOMAIN in pure EDNS0 mode, we check in EDNS0-less mode before giving
2032++ * up (as mitigation for DVE-2018-0001). */
2033++ DnsServerFeatureLevel clamp_feature_level_servfail;
2034++ DnsServerFeatureLevel clamp_feature_level_nxdomain;
2035+
2036+ /* Query candidates this transaction is referenced by and that
2037+ * shall be notified about this specific transaction
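Review bot: The NXDOMAIN branch added to dns_transaction_process_reply() lowers the transaction to `DNS_SERVER_FEATURE_LEVEL_UDP` on the strength of one reply that carries an OPT record with DO clear, and the only security-side exclusion is `t->scope->dnssec_mode != DNSSEC_YES`; the comment block never states that. In every other DNSSEC mode the retry runs in what the header comment calls EDNS0-less mode, so it presumably cannot return DNSSEC data for that lookup, and the event is recorded only through `log_debug()`. I would add a line to the comment such as `* Not done when DNSSEC=yes; in all other modes the retry gives up EDNS0 for this transaction.` so the trade-off is visible where it is made. Separately, `DNS_SERVER_FEATURE_LEVEL_UDP` inside the `IN_SET()` looks unreachable after the `>= DNS_SERVER_FEATURE_LEVEL_EDNS0` test, if the enum is ordered the way the names suggest. The function starts and ends outside the hunk.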
2038diff --git a/debian/patches/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch b/debian/patches/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch
2039new file mode 100644
2040index 0000000..a5357fd
2041--- /dev/null
2042+++ b/debian/patches/lp1838329/0001-blockdev-propagate-one-more-unexpected-error.patch
2043@@ -0,0 +1,28 @@
2044+From 6cba41ab0dbe5eb817f37bd43caff4754d801d3b Mon Sep 17 00:00:00 2001
2045+From: Lennart Poettering <lennart@poettering.net>
2046+Date: Mon, 18 May 2020 18:29:57 +0200
2047+Subject: [PATCH 1/7] blockdev: propagate one more unexpected error
2048+Bug: https://github.com/systemd/systemd/issues/10179
2049+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2050+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2051+
2052+---
2053+ src/basic/blockdev-util.c | 2 ++
2054+ 1 file changed, 2 insertions(+)
2055+
2056+diff --git a/src/basic/blockdev-util.c b/src/basic/blockdev-util.c
2057+index 7d94c55a6d..54431f5d0f 100644
2058+--- a/src/basic/blockdev-util.c
2059++++ b/src/basic/blockdev-util.c
2060+@@ -29,6 +29,8 @@ int block_get_whole_disk(dev_t d, dev_t *ret) {
2061+ *ret = d;
2062+ return 0;
2063+ }
2064++ if (errno != ENOENT)
2065++ return -errno;
2066+
2067+ /* If it is a partition find the originating device */
2068+ xsprintf_sys_block_path(p, "/partition", d);
2069+--
2070+2.25.1
2071+
2072diff --git a/debian/patches/lp1838329/0002-makefs-log-about-OOM-condition.patch b/debian/patches/lp1838329/0002-makefs-log-about-OOM-condition.patch
2073new file mode 100644
2074index 0000000..bc874dd
2075--- /dev/null
2076+++ b/debian/patches/lp1838329/0002-makefs-log-about-OOM-condition.patch
2077@@ -0,0 +1,33 @@
2078+From 700e0d3d87705a6ba01793d7130bbb8e6edbee16 Mon Sep 17 00:00:00 2001
2079+From: Lennart Poettering <lennart@poettering.net>
2080+Date: Mon, 18 May 2020 18:30:18 +0200
2081+Subject: [PATCH 2/7] makefs: log about OOM condition
2082+Bug: https://github.com/systemd/systemd/issues/10179
2083+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2084+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2085+
2086+---
2087+ src/partition/makefs.c | 4 ++--
2088+ 1 file changed, 2 insertions(+), 2 deletions(-)
2089+
2090+diff --git a/src/partition/makefs.c b/src/partition/makefs.c
2091+index d73d67c4e8..df08a5fea6 100644
2092+--- a/src/partition/makefs.c
2093++++ b/src/partition/makefs.c
2094+@@ -54,11 +54,11 @@ static int run(int argc, char *argv[]) {
2095+ /* type and device must be copied because makefs calls safe_fork, which clears argv[] */
2096+ type = strdup(argv[1]);
2097+ if (!type)
2098+- return -ENOMEM;
2099++ return log_oom();
2100+
2101+ device = strdup(argv[2]);
2102+ if (!device)
2103+- return -ENOMEM;
2104++ return log_oom();
2105+
2106+ if (stat(device, &st) < 0)
2107+ return log_error_errno(errno, "Failed to stat \"%s\": %m", device);
2108+--
2109+2.25.1
2110+
2111diff --git a/debian/patches/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch b/debian/patches/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch
2112new file mode 100644
2113index 0000000..37686a4
2114--- /dev/null
2115+++ b/debian/patches/lp1838329/0003-dissect-use-log_debug_errno-where-appropriate.patch
2116@@ -0,0 +1,33 @@
2117+From 58dfbfbdd6138de49c6f59a763c4cfc7acb8c9a9 Mon Sep 17 00:00:00 2001
2118+From: Lennart Poettering <lennart@poettering.net>
2119+Date: Mon, 18 May 2020 18:30:49 +0200
2120+Subject: [PATCH 3/7] dissect: use log_debug_errno() where appropriate
2121+Bug: https://github.com/systemd/systemd/issues/10179
2122+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2123+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2124+
2125+---
2126+ src/shared/dissect-image.c | 7 +++----
2127+ 1 file changed, 3 insertions(+), 4 deletions(-)
2128+
2129+diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
2130+index 23ad6b06cf..8decac94b2 100644
2131+--- a/src/shared/dissect-image.c
2132++++ b/src/shared/dissect-image.c
2133+@@ -75,10 +75,9 @@ int probe_filesystem(const char *node, char **ret_fstype) {
2134+ log_debug("No type detected on partition %s", node);
2135+ goto not_found;
2136+ }
2137+- if (r == -2) {
2138+- log_debug("Results ambiguous for partition %s", node);
2139+- return -EUCLEAN;
2140+- }
2141++ if (r == -2)
2142++ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
2143++ "Results ambiguous for partition %s", node);
2144+ if (r != 0)
2145+ return errno_or_else(EIO);
2146+
2147+--
2148+2.25.1
2149+
2150diff --git a/debian/patches/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch b/debian/patches/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch
2151new file mode 100644
2152index 0000000..692bbbd
2153--- /dev/null
2154+++ b/debian/patches/lp1838329/0004-blockdev-add-helper-for-locking-whole-block-device.patch
2155@@ -0,0 +1,67 @@
2156+From ac83e5aeca7ca4eff3de6ef6d9a55b71b6eb10b1 Mon Sep 17 00:00:00 2001
2157+From: Lennart Poettering <lennart@poettering.net>
2158+Date: Mon, 18 May 2020 18:31:04 +0200
2159+Subject: [PATCH 4/7] blockdev: add helper for locking whole block device
2160+Bug: https://github.com/systemd/systemd/issues/10179
2161+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2162+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2163+
2164+---
2165+ src/basic/blockdev-util.c | 27 +++++++++++++++++++++++++++
2166+ src/basic/blockdev-util.h | 2 ++
2167+ 2 files changed, 29 insertions(+)
2168+
2169+diff --git a/src/basic/blockdev-util.c b/src/basic/blockdev-util.c
2170+index 54431f5d0f..5f8212685b 100644
2171+--- a/src/basic/blockdev-util.c
2172++++ b/src/basic/blockdev-util.c
2173+@@ -1,5 +1,6 @@
2174+ /* SPDX-License-Identifier: LGPL-2.1+ */
2175+
2176++#include <sys/file.h>
2177+ #include <unistd.h>
2178+
2179+ #include "alloc-util.h"
2180+@@ -187,3 +188,29 @@ int get_block_device_harder(const char *path, dev_t *ret) {
2181+
2182+ return 1;
2183+ }
2184++
2185++int lock_whole_block_device(dev_t devt, int operation) {
2186++ _cleanup_free_ char *whole_node = NULL;
2187++ _cleanup_close_ int lock_fd = -1;
2188++ dev_t whole_devt;
2189++ int r;
2190++
2191++ /* Let's get a BSD file lock on the whole block device, as per: https://systemd.io/BLOCK_DEVICE_LOCKING */
2192++
2193++ r = block_get_whole_disk(devt, &whole_devt);
2194++ if (r < 0)
2195++ return r;
2196++
2197++ r = device_path_make_major_minor(S_IFBLK, whole_devt, &whole_node);
2198++ if (r < 0)
2199++ return r;
2200++
2201++ lock_fd = open(whole_node, O_RDONLY|O_CLOEXEC|O_NONBLOCK);
2202++ if (lock_fd < 0)
2203++ return -errno;
2204++
2205++ if (flock(lock_fd, operation) < 0)
2206++ return -errno;
2207++
2208++ return TAKE_FD(lock_fd);
2209++}
2210+diff --git a/src/basic/blockdev-util.h b/src/basic/blockdev-util.h
2211+index 6d8a796568..1e7588f71c 100644
2212+--- a/src/basic/blockdev-util.h
2213++++ b/src/basic/blockdev-util.h
2214+@@ -18,3 +18,5 @@ int block_get_originating(dev_t d, dev_t *ret);
2215+ int get_block_device(const char *path, dev_t *dev);
2216+
2217+ int get_block_device_harder(const char *path, dev_t *dev);
2218++
2219++int lock_whole_block_device(dev_t devt, int operation);
2220+--
2221+2.25.1
2222+
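Review bot: lock_whole_block_device() is exported through blockdev-util.h without any statement of its contract, and two parts of it are easy to get wrong from the prototype alone. The return value is a file descriptor that holds the lock (the function ends in `return TAKE_FD(lock_fd);`), and `operation` goes to `flock()` unchanged, so the call waits for as long as another holder keeps the lock unless the caller adds `LOCK_NB`. I would put this above the definition: `/* Takes a BSD lock on the whole-disk node of devt. Returns an fd that holds the lock (close it to unlock), or a negative errno. Blocks unless operation includes LOCK_NB. */`. The node is opened by a path built from the device number and the descriptor is not compared against `whole_devt` afterwards; whether that matters depends on how device_path_make_major_minor() builds the path, which is not shown here.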
2223diff --git a/debian/patches/lp1838329/0005-makefs-lock-device-while-we-operate.patch b/debian/patches/lp1838329/0005-makefs-lock-device-while-we-operate.patch
2224new file mode 100644
2225index 0000000..5bffde5
2226--- /dev/null
2227+++ b/debian/patches/lp1838329/0005-makefs-lock-device-while-we-operate.patch
2228@@ -0,0 +1,57 @@
2229+From 0181ad85b37d37785787b4eb8aa8c72d2e4c76b4 Mon Sep 17 00:00:00 2001
2230+From: Lennart Poettering <lennart@poettering.net>
2231+Date: Mon, 18 May 2020 18:31:45 +0200
2232+Subject: [PATCH 5/7] makefs: lock device while we operate
2233+Bug: https://github.com/systemd/systemd/issues/10179
2234+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2235+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2236+
2237+Let's implement our own specs, i.e.
2238+
2239+https://systemd.io/BLOCK_DEVICE_LOCKING/
2240+
2241+This should address issues like this: #13162
2242+---
2243+ src/partition/makefs.c | 11 ++++++++++-
2244+ 1 file changed, 10 insertions(+), 1 deletion(-)
2245+
2246+diff --git a/src/partition/makefs.c b/src/partition/makefs.c
2247+index df08a5fea6..128aa41044 100644
2248+--- a/src/partition/makefs.c
2249++++ b/src/partition/makefs.c
2250+@@ -7,7 +7,9 @@
2251+ #include <unistd.h>
2252+
2253+ #include "alloc-util.h"
2254++#include "blockdev-util.h"
2255+ #include "dissect-image.h"
2256++#include "fd-util.h"
2257+ #include "main-func.h"
2258+ #include "process-util.h"
2259+ #include "signal-util.h"
2260+@@ -42,6 +44,7 @@ static int makefs(const char *type, const char *device) {
2261+
2262+ static int run(int argc, char *argv[]) {
2263+ _cleanup_free_ char *device = NULL, *type = NULL, *detected = NULL;
2264++ _cleanup_close_ int lock_fd = -1;
2265+ struct stat st;
2266+ int r;
2267+
2268+@@ -63,7 +66,13 @@ static int run(int argc, char *argv[]) {
2269+ if (stat(device, &st) < 0)
2270+ return log_error_errno(errno, "Failed to stat \"%s\": %m", device);
2271+
2272+- if (!S_ISBLK(st.st_mode))
2273++ if (S_ISBLK(st.st_mode)) {
2274++ /* Lock the device so that udev doesn't interfere with our work */
2275++
2276++ lock_fd = lock_whole_block_device(st.st_rdev, LOCK_EX);
2277++ if (lock_fd < 0)
2278++ return log_error_errno(lock_fd, "Failed to lock whole block device of \"%s\": %m", device);
2279++ } else
2280+ log_info("%s is not a block device.", device);
2281+
2282+ r = probe_filesystem(device, &detected);
2283+--
2284+2.25.1
2285+
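Review bot: The `LOCK_EX` passed to lock_whole_block_device() in run() carries no `LOCK_NB`, so this call waits without a timeout whenever another process holds a lock on the whole disk, and the lock then stays held until run() returns because `lock_fd` is `_cleanup_close_`. Neither is stated in the code; the comment only mentions udev. I would extend it to `/* Lock the whole device until we return, so that udev doesn't probe it while we check and format it. This waits for any current lock holder. */`. The device number comes from `stat(device)` while the later `probe_filesystem(device)` goes by path again, so the lock covers whatever `device` named at stat() time. run() continues outside both hunks.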
2286diff --git a/debian/patches/lp1838329/0006-makefs-normalize-logging-a-bit.patch b/debian/patches/lp1838329/0006-makefs-normalize-logging-a-bit.patch
2287new file mode 100644
2288index 0000000..bdb8bcc
2289--- /dev/null
2290+++ b/debian/patches/lp1838329/0006-makefs-normalize-logging-a-bit.patch
2291@@ -0,0 +1,39 @@
2292+From a5a8fe2e8dbb9bc1981064d273b626d4aa187152 Mon Sep 17 00:00:00 2001
2293+From: Lennart Poettering <lennart@poettering.net>
2294+Date: Mon, 18 May 2020 18:32:17 +0200
2295+Subject: [PATCH 6/7] makefs: normalize logging a bit
2296+Bug: https://github.com/systemd/systemd/issues/10179
2297+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2298+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2299+
2300+---
2301+ src/partition/makefs.c | 11 ++++-------
2302+ 1 file changed, 4 insertions(+), 7 deletions(-)
2303+
2304+diff --git a/src/partition/makefs.c b/src/partition/makefs.c
2305+index 128aa41044..97f50c9033 100644
2306+--- a/src/partition/makefs.c
2307++++ b/src/partition/makefs.c
2308+@@ -76,15 +76,12 @@ static int run(int argc, char *argv[]) {
2309+ log_info("%s is not a block device.", device);
2310+
2311+ r = probe_filesystem(device, &detected);
2312++ if (r == -EUCLEAN)
2313++ return log_error_errno(r, "Ambiguous results of probing for file system on \"%s\", refusing to proceed.", device);
2314+ if (r < 0)
2315+- return log_warning_errno(r,
2316+- r == -EUCLEAN ?
2317+- "Cannot reliably determine probe \"%s\", refusing to proceed." :
2318+- "Failed to probe \"%s\": %m",
2319+- device);
2320+-
2321++ return log_error_errno(r, "Failed to probe \"%s\": %m", device);
2322+ if (detected) {
2323+- log_info("%s is not empty (type %s), exiting", device, detected);
2324++ log_info("'%s' is not empty (contains file system of type %s), exiting.", device, detected);
2325+ return 0;
2326+ }
2327+
2328+--
2329+2.25.1
2330+
2331diff --git a/debian/patches/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch b/debian/patches/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch
2332new file mode 100644
2333index 0000000..6707978
2334--- /dev/null
2335+++ b/debian/patches/lp1838329/0007-cryptsetup-generator-use-systemd-makefs-for-implemen.patch
2336@@ -0,0 +1,45 @@
2337+From db2c56b0dd28f271dd3fe53691b21484f72586e4 Mon Sep 17 00:00:00 2001
2338+From: Lennart Poettering <lennart@poettering.net>
2339+Date: Mon, 18 May 2020 18:37:02 +0200
2340+Subject: [PATCH 7/7] cryptsetup-generator: use systemd-makefs for
2341+ implementation of "swap" and "tmp" options
2342+Bug: https://github.com/systemd/systemd/issues/10179
2343+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1838329
2344+Origin: upstream, https://github.com/systemd/systemd/pull/15836
2345+
2346+This way we can take benefit of the correct block device locking we just
2347+added.
2348+
2349+I was thinking whether to instead pull in a regular
2350+systemd-makefs@.service instance, but I couldn't come up with a reason
2351+to, and thus opted for just doing the minimal patch and just replacing
2352+the simply mkfs calls.
2353+
2354+Fixes: #10179
2355+Replaces: #13162
2356+---
2357+ src/cryptsetup/cryptsetup-generator.c | 4 ++--
2358+ 1 file changed, 2 insertions(+), 2 deletions(-)
2359+
2360+diff --git a/src/cryptsetup/cryptsetup-generator.c b/src/cryptsetup/cryptsetup-generator.c
2361+index 20c752d88d..5724f88d0a 100644
2362+--- a/src/cryptsetup/cryptsetup-generator.c
2363++++ b/src/cryptsetup/cryptsetup-generator.c
2364+@@ -367,12 +367,12 @@ static int create_disk(
2365+
2366+ if (tmp)
2367+ fprintf(f,
2368+- "ExecStartPost=/sbin/mke2fs '/dev/mapper/%s'\n",
2369++ "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs ext2 '/dev/mapper/%s'\n",
2370+ name_escaped);
2371+
2372+ if (swap)
2373+ fprintf(f,
2374+- "ExecStartPost=/sbin/mkswap '/dev/mapper/%s'\n",
2375++ "ExecStartPost=" ROOTLIBEXECDIR "/systemd-makefs swap '/dev/mapper/%s'\n",
2376+ name_escaped);
2377+
2378+ if (keydev)
2379+--
2380+2.25.1
2381+
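Review bot: Replacing `/sbin/mke2fs` and `/sbin/mkswap` with systemd-makefs changes what the `tmp` and `swap` options do when the mapped device already holds a recognisable file system: makefs.c in this same series returns 0 after logging "is not empty ... exiting", while the old commands were run unconditionally. With a key that changes on every boot the probe should find nothing, but with a persistent key the previous contents of a `tmp` volume would presumably survive a reboot instead of being overwritten. The commit message talks only about locking, so I would record the difference next to the fprintf() calls, for example `/* systemd-makefs leaves the device untouched if it already detects a file system on it */`. Quoting of `name_escaped` happens outside the hunk and is not reviewed here.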
2382diff --git a/debian/patches/lp1858210/0001-time-simplify-get_timezones.patch b/debian/patches/lp1858210/0001-time-simplify-get_timezones.patch
2383new file mode 100644
2384index 0000000..54b3aef
2385--- /dev/null
2386+++ b/debian/patches/lp1858210/0001-time-simplify-get_timezones.patch
2387@@ -0,0 +1,104 @@
2388+From 31097e2b996ed463ca97d3df618a614c875386c5 Mon Sep 17 00:00:00 2001
2389+From: Dan Streetman <ddstreet@canonical.com>
2390+Date: Tue, 29 Jun 2021 09:13:22 -0400
2391+Subject: [PATCH 1/3] time: simplify get_timezones()
2392+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1858210
2393+Origin: upstream, https://github.com/systemd/systemd/pull/20066
2394+
2395+The function can be simplified by using extract_many_words() and strv_extend()
2396+---
2397+ src/basic/time-util.c | 56 +++++++++++++++----------------------------
2398+ 1 file changed, 19 insertions(+), 37 deletions(-)
2399+
2400+--- a/src/basic/time-util.c
2401++++ b/src/basic/time-util.c
2402+@@ -1205,24 +1205,14 @@ bool ntp_synced(void) {
2403+ int get_timezones(char ***ret) {
2404+ _cleanup_fclose_ FILE *f = NULL;
2405+ _cleanup_strv_free_ char **zones = NULL;
2406+- size_t n_zones = 0, n_allocated = 0;
2407+ int r;
2408+
2409+ assert(ret);
2410+
2411+- zones = strv_new("UTC");
2412+- if (!zones)
2413+- return -ENOMEM;
2414+-
2415+- n_allocated = 2;
2416+- n_zones = 1;
2417+-
2418+ f = fopen("/usr/share/zoneinfo/zone1970.tab", "re");
2419+ if (f) {
2420+ for (;;) {
2421+- _cleanup_free_ char *line = NULL;
2422+- char *p, *w;
2423+- size_t k;
2424++ _cleanup_free_ char *line = NULL, *cc = NULL, *co = NULL, *tz = NULL;
2425+
2426+ r = read_line(f, LONG_LINE_MAX, &line);
2427+ if (r < 0)
2428+@@ -1230,45 +1220,34 @@ int get_timezones(char ***ret) {
2429+ if (r == 0)
2430+ break;
2431+
2432+- p = strstrip(line);
2433++ const char *p = line;
2434+
2435+- if (isempty(p) || *p == '#')
2436++ /* Line format is:
2437++ * 'country codes' 'coordinates' 'timezone' 'comments' */
2438++ r = extract_many_words(&p, NULL, 0, &cc, &co, &tz, NULL);
2439++ if (r < 0)
2440+ continue;
2441+
2442+- /* Skip over country code */
2443+- p += strcspn(p, WHITESPACE);
2444+- p += strspn(p, WHITESPACE);
2445+-
2446+- /* Skip over coordinates */
2447+- p += strcspn(p, WHITESPACE);
2448+- p += strspn(p, WHITESPACE);
2449+-
2450+- /* Found timezone name */
2451+- k = strcspn(p, WHITESPACE);
2452+- if (k <= 0)
2453++ /* Lines that start with # are comments. */
2454++ if (*cc == '#')
2455+ continue;
2456+
2457+- w = strndup(p, k);
2458+- if (!w)
2459+- return -ENOMEM;
2460+-
2461+- if (!GREEDY_REALLOC(zones, n_allocated, n_zones + 2)) {
2462+- free(w);
2463+- return -ENOMEM;
2464+- }
2465+-
2466+- zones[n_zones++] = w;
2467+- zones[n_zones] = NULL;
2468++ r = strv_extend(&zones, tz);
2469++ if (r < 0)
2470++ return r;
2471+ }
2472+-
2473+- strv_sort(zones);
2474+- strv_uniq(zones);
2475+-
2476+ } else if (errno != ENOENT)
2477+ return -errno;
2478+
2479+- *ret = TAKE_PTR(zones);
2480++ /* Always include UTC */
2481++ r = strv_extend(&zones, "UTC");
2482++ if (r < 0)
2483++ return -ENOMEM;
2484++
2485++ strv_sort(zones);
2486++ strv_uniq(zones);
2487+
2488++ *ret = TAKE_PTR(zones);
2489+ return 0;
2490+ }
2491+
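Review bot: `if (*cc == '#')` in get_timezones() dereferences `cc` after checking only `r < 0`, but `cc` starts out NULL and presumably stays NULL when extract_many_words() finds no word on the line; the removed code skipped such lines with `isempty(p)`. Assuming the return value is the number of words extracted, `if (r < 3) continue;` in place of `if (r < 0) continue;` restores that guard and also drops lines that have no timezone field. The same pattern is carried into get_timezones_from_zone1970_tab() by 0002 and appears again as `*type` in get_timezones_from_tzdata_zi() in 0003, where the minimum is two words for a Zone line and three for a Link line. Both files are read from /usr/share/zoneinfo, so this is a robustness issue with malformed or hand-edited data rather than something a remote party controls.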
2492diff --git a/debian/patches/lp1858210/0002-time-split-get_timezone-into-main-function-and-zone1.patch b/debian/patches/lp1858210/0002-time-split-get_timezone-into-main-function-and-zone1.patch
2493new file mode 100644
2494index 0000000..2dc38e5
2495--- /dev/null
2496+++ b/debian/patches/lp1858210/0002-time-split-get_timezone-into-main-function-and-zone1.patch
2497@@ -0,0 +1,102 @@
2498+From 09a54a862b8f45cff087eb4eabbd283d354afc90 Mon Sep 17 00:00:00 2001
2499+From: Dan Streetman <ddstreet@canonical.com>
2500+Date: Wed, 30 Jun 2021 07:17:22 -0400
2501+Subject: [PATCH 2/3] time: split get_timezone() into main function and
2502+ zone1970.tab function
2503+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1858210
2504+Origin: upstream, https://github.com/systemd/systemd/pull/20066
2505+
2506+This allows for adding another function to read from a different timezone
2507+source, which is added in the next commit.
2508+---
2509+ src/basic/time-util.c | 62 ++++++++++++++++++++++++++-----------------
2510+ 1 file changed, 38 insertions(+), 24 deletions(-)
2511+
2512+--- a/src/basic/time-util.c
2513++++ b/src/basic/time-util.c
2514+@@ -1202,7 +1202,7 @@ bool ntp_synced(void) {
2515+ return true;
2516+ }
2517+
2518+-int get_timezones(char ***ret) {
2519++static int get_timezones_from_zone1970_tab(char ***ret) {
2520+ _cleanup_fclose_ FILE *f = NULL;
2521+ _cleanup_strv_free_ char **zones = NULL;
2522+ int r;
2523+@@ -1210,35 +1210,49 @@ int get_timezones(char ***ret) {
2524+ assert(ret);
2525+
2526+ f = fopen("/usr/share/zoneinfo/zone1970.tab", "re");
2527+- if (f) {
2528+- for (;;) {
2529+- _cleanup_free_ char *line = NULL, *cc = NULL, *co = NULL, *tz = NULL;
2530+-
2531+- r = read_line(f, LONG_LINE_MAX, &line);
2532+- if (r < 0)
2533+- return r;
2534+- if (r == 0)
2535+- break;
2536+-
2537+- const char *p = line;
2538+-
2539+- /* Line format is:
2540+- * 'country codes' 'coordinates' 'timezone' 'comments' */
2541+- r = extract_many_words(&p, NULL, 0, &cc, &co, &tz, NULL);
2542+- if (r < 0)
2543+- continue;
2544+-
2545+- /* Lines that start with # are comments. */
2546+- if (*cc == '#')
2547+- continue;
2548+-
2549+- r = strv_extend(&zones, tz);
2550+- if (r < 0)
2551+- return r;
2552+- }
2553+- } else if (errno != ENOENT)
2554++ if (!f)
2555+ return -errno;
2556+
2557++ for (;;) {
2558++ _cleanup_free_ char *line = NULL, *cc = NULL, *co = NULL, *tz = NULL;
2559++
2560++ r = read_line(f, LONG_LINE_MAX, &line);
2561++ if (r < 0)
2562++ return r;
2563++ if (r == 0)
2564++ break;
2565++
2566++ const char *p = line;
2567++
2568++ /* Line format is:
2569++ * 'country codes' 'coordinates' 'timezone' 'comments' */
2570++ r = extract_many_words(&p, NULL, 0, &cc, &co, &tz, NULL);
2571++ if (r < 0)
2572++ continue;
2573++
2574++ /* Lines that start with # are comments. */
2575++ if (*cc == '#')
2576++ continue;
2577++
2578++ r = strv_extend(&zones, tz);
2579++ if (r < 0)
2580++ return r;
2581++ }
2582++
2583++ *ret = TAKE_PTR(zones);
2584++ return 0;
2585++}
2586++
2587++int get_timezones(char ***ret) {
2588++ _cleanup_strv_free_ char **zones = NULL;
2589++ int r;
2590++
2591++ assert(ret);
2592++
2593++ r = get_timezones_from_zone1970_tab(&zones);
2594++ if (r < 0 && r != -ENOENT)
2595++ return r;
2596++
2597+ /* Always include UTC */
2598+ r = strv_extend(&zones, "UTC");
2599+ if (r < 0)
2600diff --git a/debian/patches/lp1858210/0003-time-get-timezones-from-tzdata.zi.patch b/debian/patches/lp1858210/0003-time-get-timezones-from-tzdata.zi.patch
2601new file mode 100644
2602index 0000000..605aa49
2603--- /dev/null
2604+++ b/debian/patches/lp1858210/0003-time-get-timezones-from-tzdata.zi.patch
2605@@ -0,0 +1,90 @@
2606+From 147bc3639b3d7b15fc7b548b24715e7c4d95c6e1 Mon Sep 17 00:00:00 2001
2607+From: Dan Streetman <ddstreet@canonical.com>
2608+Date: Wed, 30 Jun 2021 07:30:28 -0400
2609+Subject: [PATCH 3/3] time: get timezones from tzdata.zi
2610+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1858210
2611+Origin: upstream, https://github.com/systemd/systemd/pull/20066
2612+
2613+The zone1970.tab file doesn't include any timezone 'aliases'. Instead
2614+of parsing it, parse the tzdata.zi file which does include all zones
2615+as well as aliases.
2616+
2617+This keeps the parsing function for zone1970.tab as a fallback in case
2618+the tzdata.zi file isn't found.
2619+---
2620+ src/basic/time-util.c | 58 ++++++++++++++++++++++++++++++++++++++++++-
2621+ 1 file changed, 57 insertions(+), 1 deletion(-)
2622+
2623+--- a/src/basic/time-util.c
2624++++ b/src/basic/time-util.c
2625+@@ -1243,13 +1243,69 @@ static int get_timezones_from_zone1970_t
2626+ return 0;
2627+ }
2628+
2629++static int get_timezones_from_tzdata_zi(char ***ret) {
2630++ _cleanup_fclose_ FILE *f = NULL;
2631++ _cleanup_strv_free_ char **zones = NULL;
2632++ int r;
2633++
2634++ f = fopen("/usr/share/zoneinfo/tzdata.zi", "re");
2635++ if (!f)
2636++ return -errno;
2637++
2638++ for (;;) {
2639++ _cleanup_free_ char *line = NULL, *type = NULL, *f1 = NULL, *f2 = NULL;
2640++
2641++ r = read_line(f, LONG_LINE_MAX, &line);
2642++ if (r < 0)
2643++ return r;
2644++ if (r == 0)
2645++ break;
2646++
2647++ const char *p = line;
2648++
2649++ /* The only lines we care about are Zone and Link lines.
2650++ * Zone line format is:
2651++ * 'Zone' 'timezone' ...
2652++ * Link line format is:
2653++ * 'Link' 'target' 'alias'
2654++ * See 'man zic' for more detail. */
2655++ r = extract_many_words(&p, NULL, 0, &type, &f1, &f2, NULL);
2656++ if (r < 0)
2657++ continue;
2658++
2659++ char *tz;
2660++ if (*type == 'Z' || *type == 'z')
2661++ /* Zone lines have timezone in field 1. */
2662++ tz = f1;
2663++ else if (*type == 'L' || *type == 'l')
2664++ /* Link lines have timezone in field 2. */
2665++ tz = f2;
2666++ else
2667++ /* Not a line we care about. */
2668++ continue;
2669++
2670++ r = strv_extend(&zones, tz);
2671++ if (r < 0)
2672++ return r;
2673++ }
2674++
2675++ *ret = TAKE_PTR(zones);
2676++ return 0;
2677++}
2678++
2679+ int get_timezones(char ***ret) {
2680+ _cleanup_strv_free_ char **zones = NULL;
2681+ int r;
2682+
2683+ assert(ret);
2684+
2685+- r = get_timezones_from_zone1970_tab(&zones);
2686++ r = get_timezones_from_tzdata_zi(&zones);
2687++ if (r == -ENOENT) {
2688++ log_debug_errno(r, "Could not get timezone data from tzdata.zi, using zone1970.tab: %m");
2689++ r = get_timezones_from_zone1970_tab(&zones);
2690++ if (r == -ENOENT)
2691++ log_debug_errno(r, "Could not get timezone data from zone1970.tab, using UTC: %m");
2692++ }
2693+ if (r < 0 && r != -ENOENT)
2694+ return r;
2695+
2696diff --git a/debian/patches/lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch b/debian/patches/lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch
2697new file mode 100644
2698index 0000000..63290be
2699--- /dev/null
2700+++ b/debian/patches/lp1860926-network-Change-IgnoreCarrierLoss-default-to-value-of.patch
2701@@ -0,0 +1,75 @@
2702+From b520a35de0f1ad99f30fa3e1e9b02cc2d4832971 Mon Sep 17 00:00:00 2001
2703+From: Dan Streetman <ddstreet@canonical.com>
2704+Date: Mon, 27 Apr 2020 06:38:40 -0400
2705+Subject: [PATCH 1/3] network: Change IgnoreCarrierLoss default to value of
2706+ ConfigureWithoutCarrier
2707+Origin: upstream, https://github.com/systemd/systemd/pull/15619
2708+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1860926
2709+
2710+It doesn't make much sense to have ConfigureWithoutCarrier set, but not
2711+IgnoreCarrierLoss; all the configuration added during initial interface
2712+bring-up will be lost at the first carrier up/down.
2713+---
2714+ man/systemd.network.xml | 5 +++--
2715+ src/network/networkd-network-gperf.gperf | 2 +-
2716+ src/network/networkd-network.c | 5 +++++
2717+ src/network/networkd-network.h | 2 +-
2718+ 4 files changed, 10 insertions(+), 4 deletions(-)
2719+
2720+--- a/man/systemd.network.xml
2721++++ b/man/systemd.network.xml
2722+@@ -815,8 +815,9 @@
2723+ <varlistentry>
2724+ <term><varname>IgnoreCarrierLoss=</varname></term>
2725+ <listitem>
2726+- <para>A boolean. Allows networkd to retain both the static and dynamic configuration of the
2727+- interface even if its carrier is lost. Defaults to false.
2728++ <para>Takes a boolean. Allows networkd to retain both the static and dynamic configuration
2729++ of the interface even if its carrier is lost. When unset, the value specified with
2730++ <option>ConfigureWithoutCarrier=</option> is used.
2731+ </para>
2732+ </listitem>
2733+ </varlistentry>
2734+--- a/src/network/networkd-network-gperf.gperf
2735++++ b/src/network/networkd-network-gperf.gperf
2736+@@ -98,7 +98,7 @@ Network.ProxyARP,
2737+ Network.IPv6ProxyNDPAddress, config_parse_ipv6_proxy_ndp_address, 0, 0
2738+ Network.BindCarrier, config_parse_strv, 0, offsetof(Network, bind_carrier)
2739+ Network.ConfigureWithoutCarrier, config_parse_bool, 0, offsetof(Network, configure_without_carrier)
2740+-Network.IgnoreCarrierLoss, config_parse_bool, 0, offsetof(Network, ignore_carrier_loss)
2741++Network.IgnoreCarrierLoss, config_parse_tristate, 0, offsetof(Network, ignore_carrier_loss)
2742+ Network.KeepConfiguration, config_parse_keep_configuration, 0, offsetof(Network, keep_configuration)
2743+ Address.Address, config_parse_address, 0, 0
2744+ Address.Peer, config_parse_address, 0, 0
2745+--- a/src/network/networkd-network.c
2746++++ b/src/network/networkd-network.c
2747+@@ -268,6 +268,9 @@ int network_verify(Network *network) {
2748+ if (network->dhcp_use_gateway < 0)
2749+ network->dhcp_use_gateway = network->dhcp_use_routes;
2750+
2751++ if (network->ignore_carrier_loss < 0)
2752++ network->ignore_carrier_loss = network->configure_without_carrier;
2753++
2754+ if (network->dhcp_critical >= 0) {
2755+ if (network->keep_configuration >= 0)
2756+ log_warning("%s: Both KeepConfiguration= and deprecated CriticalConnection= are set. "
2757+@@ -458,6 +461,8 @@ int network_load_one(Manager *manager, O
2758+ .ipv6_accept_ra_route_table = RT_TABLE_MAIN,
2759+ .ipv6_accept_ra_route_table_set = false,
2760+
2761++ .configure_without_carrier = false,
2762++ .ignore_carrier_loss = -1,
2763+ .keep_configuration = _KEEP_CONFIGURATION_INVALID,
2764+
2765+ .can_triple_sampling = -1,
2766+--- a/src/network/networkd-network.h
2767++++ b/src/network/networkd-network.h
2768+@@ -231,7 +231,7 @@ struct Network {
2769+ int allmulticast;
2770+ bool unmanaged;
2771+ bool configure_without_carrier;
2772+- bool ignore_carrier_loss;
2773++ int ignore_carrier_loss;
2774+ KeepConfiguration keep_configuration;
2775+ uint32_t iaid;
2776+ DUID duid;
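Review bot: In the networkd-network.h hunk, `ignore_carrier_loss` becomes an `int` that starts at -1 (`.ignore_carrier_loss = -1` in network_load_one) but still sits among plain `bool` fields with no comment, so a plain truthiness test reads the unset value as true. The value is only normalised by the lines added to network_verify(), whose body continues outside the hunk, so any consumer that runs before that point would see -1. I would document this on the field: `int ignore_carrier_loss; /* tristate: -1 = unset, resolved to configure_without_carrier in network_verify() */`. The same applies to `dhcp_use_gateway` in lp1867375/0003, which networkd-dhcp4.c tests as `if (!link->network->dhcp_use_gateway)`.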
2777diff --git a/debian/patches/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch b/debian/patches/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch
2778new file mode 100644
2779index 0000000..a4a08f0
2780--- /dev/null
2781+++ b/debian/patches/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch
2782@@ -0,0 +1,54 @@
2783+Description: skip disk/by-uuid for bcache devices
2784+
2785+blkid reports bcache superblock dev.uuid as a filesystem UUID but it actually
2786+is not a filesystem, it's the UUID of the backing device, which is maintained
2787+at /dev/bcache/by-uuid instead of /dev/disk/by-uuid.
2788+
2789+ [Forwarding Note]
2790+
2791+ There is an on-going discussion upstream whether this patch should exist.
2792+ This patch is not a FIX to LP: #1861941, but can work as a mitigation. The
2793+ FIX for LP: #1861941 is the bcache-tools (0003-Add-bcache-export-cached-
2794+ helper.patch).
2795+
2796+ Ryan Harper arguments are that blkid - and/or udev default rules - should skip
2797+ devices with "ID_FS_TYPE = bcache" by default from creating symlinks at
2798+ /dev/disk/{by-uuid,by-label}/{ID_FS_UUID_ENC,ID_FS_LABEL_ENC} just because
2799+ those devices aren't meant to be used directly (as they are backing devices
2800+ to bcache). Actually this is what was causing the issue fixed by bcache-tools
2801+ udev rules: symlink management for bcache backing devices were removing
2802+ /dev/bcache/xxx symlinks.
2803+
2804+ Considering that this is a minor delta, and I agree to Ryan's arguments, of
2805+ not having /dev/disk/by-uuid/xxx symlinks to devices that should not be
2806+ accessed directly, thus giving a better experience to end user, I'm keeping
2807+ this until either upstream provides it by default OR the patch
2808+ 0003-Add-bcache-export-cached-helper.patch can be removed from bcache-tools
2809+ because udev and/or libblkid started differentiating UUID_CACHED and FS_UUID
2810+ when doing /dev/disk/ symlinks.
2811+
2812+ -
2813+ rafaeldtinoco
2814+
2815+Author: Ryan Harper <ryan.harper@canonical.com>
2816+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1861941
2817+Forwarded: https://github.com/systemd/systemd/pull/16317
2818+Reviewed-by: Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
2819+Last-Update: 2020-07-23
2820+
2821+---
2822+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
2823+--- a/rules.d/60-persistent-storage.rules
2824++++ b/rules.d/60-persistent-storage.rules
2825+@@ -109,8 +109,11 @@ KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!=
2826+ KERNEL!="sr*", IMPORT{builtin}="blkid"
2827+
2828+ # by-label/by-uuid links (filesystem metadata)
2829++# Skip bcache backing devices, handled in 69-bcache.rules
2830++ENV{ID_FS_TYPE}=="bcache", GOTO="skip_bcache_fs_type"
2831+ ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_UUID_ENC}=="?*", SYMLINK+="disk/by-uuid/$env{ID_FS_UUID_ENC}"
2832+ ENV{ID_FS_USAGE}=="filesystem|other|crypto", ENV{ID_FS_LABEL_ENC}=="?*", SYMLINK+="disk/by-label/$env{ID_FS_LABEL_ENC}"
2833++LABEL="skip_bcache_fs_type"
2834+
2835+ # by-id (World Wide Name)
2836+ ENV{DEVTYPE}=="disk", ENV{ID_WWN_WITH_EXTENSION}=="?*", SYMLINK+="disk/by-id/wwn-$env{ID_WWN_WITH_EXTENSION}"
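Review bot: The added `GOTO="skip_bcache_fs_type"` jumps over both SYMLINK rules, so bcache backing devices lose their disk/by-label link as well as disk/by-uuid, while the patch Description and file name mention only by-uuid. The rule comment points at 69-bcache.rules, which this patch does not add. Going by the forwarding note it presumably ships with bcache-tools, so a system without that package would get neither link for these devices. I would make the comment state the real scope: `# Skip by-uuid and by-label links for bcache backing devices, handled in 69-bcache.rules`.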
2837diff --git a/debian/patches/lp1867375/0001-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch b/debian/patches/lp1867375/0001-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch
2838new file mode 100644
2839index 0000000..7b35237
2840--- /dev/null
2841+++ b/debian/patches/lp1867375/0001-network-add-a-flag-to-ignore-gateway-provided-by-DHC.patch
2842@@ -0,0 +1,97 @@
2843+From b453122789ec4c6f39e6ceb9900e0e80a6abeb99 Mon Sep 17 00:00:00 2001
2844+From: Yu Watanabe <watanabe.yu+github@gmail.com>
2845+Date: Mon, 16 Mar 2020 18:55:10 +0900
2846+Subject: [PATCH 1/2] network: add a flag to ignore gateway provided by DHCP
2847+ server
2848+Origin: upstream, https://github.com/systemd/systemd/pull/15136
2849+Bug: https://github.com/systemd/systemd/issues/15117
2850+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
2851+
2852+Closes #15117.
2853+---
2854+ man/systemd.network.xml | 8 +++++++-
2855+ src/network/networkd-dhcp4.c | 5 ++++-
2856+ src/network/networkd-network-gperf.gperf | 1 +
2857+ src/network/networkd-network.c | 1 +
2858+ src/network/networkd-network.h | 1 +
2859+ test/fuzz/fuzz-network-parser/directives.network | 1 +
2860+ 6 files changed, 15 insertions(+), 2 deletions(-)
2861+
2862+--- a/man/systemd.network.xml
2863++++ b/man/systemd.network.xml
2864+@@ -1474,7 +1474,13 @@
2865+ "link" scope will be used. For anything else, scope defaults to "global".</para>
2866+ </listitem>
2867+ </varlistentry>
2868+-
2869++ <varlistentry>
2870++ <term><varname>UseGateway=</varname></term>
2871++ <listitem>
2872++ <para>When true (the default), the gateway will be requested from the DHCP server and added to the
2873++ routing table with a metric of 1024, and a scope of "link".</para>
2874++ </listitem>
2875++ </varlistentry>
2876+ <varlistentry>
2877+ <term><varname>UseTimezone=</varname></term>
2878+
2879+--- a/src/network/networkd-dhcp4.c
2880++++ b/src/network/networkd-dhcp4.c
2881+@@ -323,6 +323,9 @@ static int link_set_dhcp_routes(Link *li
2882+ }
2883+ }
2884+
2885++ if (!link->network->dhcp_use_gateway)
2886++ return 0;
2887++
2888+ r = sd_dhcp_lease_get_router(link->dhcp_lease, &router);
2889+ if (IN_SET(r, 0, -ENODATA))
2890+ log_link_info(link, "DHCP: No gateway received from DHCP server.");
2891+@@ -451,7 +454,7 @@ static int dhcp_remove_router(Link *link
2892+ assert(link);
2893+ assert(address);
2894+
2895+- if (!link->network->dhcp_use_routes)
2896++ if (!link->network->dhcp_use_gateway)
2897+ return 0;
2898+
2899+ r = sd_dhcp_lease_get_router(lease, &router);
2900+--- a/src/network/networkd-network-gperf.gperf
2901++++ b/src/network/networkd-network-gperf.gperf
2902+@@ -162,6 +162,7 @@ DHCPv4.UseMTU,
2903+ DHCPv4.UseHostname, config_parse_bool, 0, offsetof(Network, dhcp_use_hostname)
2904+ DHCPv4.UseDomains, config_parse_dhcp_use_domains, 0, offsetof(Network, dhcp_use_domains)
2905+ DHCPv4.UseRoutes, config_parse_bool, 0, offsetof(Network, dhcp_use_routes)
2906++DHCPv4.UseGateway, config_parse_bool, 0, offsetof(Network, dhcp_use_gateway)
2907+ DHCPv4.RequestOptions, config_parse_dhcp_request_options, 0, 0
2908+ DHCPv4.Anonymize, config_parse_bool, 0, offsetof(Network, dhcp_anonymize)
2909+ DHCPv4.SendHostname, config_parse_bool, 0, offsetof(Network, dhcp_send_hostname)
2910+--- a/src/network/networkd-network.c
2911++++ b/src/network/networkd-network.c
2912+@@ -383,6 +383,7 @@ int network_load_one(Manager *manager, O
2913+ .dhcp_use_dns = true,
2914+ .dhcp_use_hostname = true,
2915+ .dhcp_use_routes = true,
2916++ .dhcp_use_gateway = true,
2917+ /* NOTE: this var might be overwritten by network_apply_anonymize_if_set */
2918+ .dhcp_send_hostname = true,
2919+ .dhcp_send_release = true,
2920+--- a/src/network/networkd-network.h
2921++++ b/src/network/networkd-network.h
2922+@@ -110,6 +110,7 @@ struct Network {
2923+ bool dhcp_use_sip;
2924+ bool dhcp_use_mtu;
2925+ bool dhcp_use_routes;
2926++ bool dhcp_use_gateway;
2927+ bool dhcp_use_timezone;
2928+ bool rapid_commit;
2929+ bool dhcp_use_hostname;
2930+--- a/test/fuzz/fuzz-network-parser/directives.network
2931++++ b/test/fuzz/fuzz-network-parser/directives.network
2932+@@ -73,6 +73,7 @@ UseDNS=
2933+ RoutesToDNS=
2934+ UseDomains=
2935+ UseRoutes=
2936++UseGateway=
2937+ IAID=
2938+ UserClass=
2939+ UseNTP=
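Review bot: The new man-page text says the gateway "will be requested from the DHCP server" when UseGateway= is true, but the C hunks only gate what is done with the Router option once a lease exists: `if (!link->network->dhcp_use_gateway) return 0;` in link_set_dhcp_routes() and the same test in dhcp_remove_router(). Nothing visible in this patch changes which options the client requests, so with UseGateway=no the option is presumably still requested and simply not installed. The wording would be more accurate as `When true (the default), the gateway received from the DHCP server is added to the routing table with a metric of 1024, and a scope of "link".` Both functions continue outside their hunks.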
2940diff --git a/debian/patches/lp1867375/0002-test-network-add-a-test-case-for-DHCPv4.UseGateway-n.patch b/debian/patches/lp1867375/0002-test-network-add-a-test-case-for-DHCPv4.UseGateway-n.patch
2941new file mode 100644
2942index 0000000..629c455
2943--- /dev/null
2944+++ b/debian/patches/lp1867375/0002-test-network-add-a-test-case-for-DHCPv4.UseGateway-n.patch
2945@@ -0,0 +1,56 @@
2946+From 0d7bd445d26590aad7b05040c9d8423fcd6e5d4f Mon Sep 17 00:00:00 2001
2947+From: Yu Watanabe <watanabe.yu+github@gmail.com>
2948+Date: Mon, 16 Mar 2020 19:08:36 +0900
2949+Subject: [PATCH 2/2] test-network: add a test case for DHCPv4.UseGateway=no
2950+Origin: upstream, https://github.com/systemd/systemd/pull/15136
2951+Bug: https://github.com/systemd/systemd/issues/15117
2952+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
2953+
2954+---
2955+ .../conf/dhcp-client-ipv4-use-gateway-no.network | 9 +++++++++
2956+ test/test-network/systemd-networkd-tests.py | 14 ++++++++++++++
2957+ 2 files changed, 23 insertions(+)
2958+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-gateway-no.network
2959+
2960+--- /dev/null
2961++++ b/test/test-network/conf/dhcp-client-ipv4-use-gateway-no.network
2962+@@ -0,0 +1,9 @@
2963++[Match]
2964++Name=veth99
2965++
2966++[Network]
2967++DHCP=ipv4
2968++IPv6AcceptRA=false
2969++
2970++[DHCPv4]
2971++UseGateway=no
2972+--- a/test/test-network/systemd-networkd-tests.py
2973++++ b/test/test-network/systemd-networkd-tests.py
2974+@@ -2826,6 +2826,7 @@ class NetworkdDHCPClientTests(unittest.T
2975+ 'dhcp-client-ipv4-dhcp-settings.network',
2976+ 'dhcp-client-ipv4-only-ipv6-disabled.network',
2977+ 'dhcp-client-ipv4-only.network',
2978++ 'dhcp-client-ipv4-use-gateway-no.network',
2979+ 'dhcp-client-ipv4-use-routes-no.network',
2980+ 'dhcp-client-ipv6-only.network',
2981+ 'dhcp-client-ipv6-rapid-commit.network',
2982+@@ -2945,6 +2946,19 @@ class NetworkdDHCPClientTests(unittest.T
2983+ self.assertRegex(output, r'default via 192.168.5.1 proto dhcp src 192.168.5.181 metric 1024')
2984+ self.assertRegex(output, r'192.168.5.1 proto dhcp scope link src 192.168.5.181 metric 1024')
2985+
2986++ def test_dhcp_client_ipv4_use_gateway_no(self):
2987++ copy_unit_to_networkd_unit_path('25-veth.netdev', 'dhcp-server-veth-peer.network', 'dhcp-client-ipv4-use-gateway-no.network')
2988++
2989++ start_networkd()
2990++ self.wait_online(['veth-peer:carrier'])
2991++ start_dnsmasq(additional_options='--dhcp-option=option:dns-server,192.168.5.6,192.168.5.7', lease_time='2m')
2992++ self.wait_online(['veth99:routable', 'veth-peer:routable'])
2993++
2994++ output = check_output('ip route show dev veth99')
2995++ print(output)
2996++ self.assertRegex(output, r'192.168.5.0/24 via 192.168.5.5 proto dhcp src 192.168.5.181 metric 1024')
2997++ self.assertNotRegex(output, r'default via 192.168.5.1')
2998++
2999+ def test_dhcp_client_ipv4_ipv6(self):
3000+ copy_unit_to_networkd_unit_path('25-veth.netdev', 'dhcp-server-veth-peer.network', 'dhcp-client-ipv6-only.network',
3001+ 'dhcp-client-ipv4-only.network')
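Review bot: test_dhcp_client_ipv4_use_gateway_no only asserts that the default route is absent; it never checks that the host route to the router is gone, although the preceding test asserts that route with `192.168.5.1 proto dhcp scope link src 192.168.5.181 metric 1024` when the gateway is used. A regression that drops the default route but still installs the host route would pass. I would add `self.assertNotRegex(output, r'192\.168\.5\.1 proto dhcp scope link')`. The rewritten `_test_dhcp_client_ipv4_use_routes_gateway` in lp1867375/0004 has the same gap in its `usegateway` else-branch, and the address patterns in both tests leave the dots unescaped.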
3002diff --git a/debian/patches/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch b/debian/patches/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch
3003new file mode 100644
3004index 0000000..9e0c3d9
3005--- /dev/null
3006+++ b/debian/patches/lp1867375/0003-network-change-UseGateway-default-to-UseRoutes-setti.patch
3007@@ -0,0 +1,77 @@
3008+From 589397a27759bd650b3674029cb0ef73347c913b Mon Sep 17 00:00:00 2001
3009+From: Dan Streetman <ddstreet@canonical.com>
3010+Date: Wed, 15 Apr 2020 14:40:21 -0400
3011+Subject: [PATCH 1/4] network: change UseGateway= default to UseRoutes= setting
3012+Origin: upstream, https://github.com/systemd/systemd/pull/15443
3013+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
3014+
3015+Anyone previously using the UseRoutes=false parameter expected their
3016+dhcp4-provided gateway route to be ignored, as well. However, with
3017+the introduction of the UseGateway= parameter, this is no longer true.
3018+
3019+In order to keep backwards compatibility, this sets the UseGateway=
3020+default value to whatever UseRoutes= has been set to.
3021+---
3022+ man/systemd.network.xml | 5 +++--
3023+ src/network/networkd-network-gperf.gperf | 2 +-
3024+ src/network/networkd-network.c | 5 ++++-
3025+ src/network/networkd-network.h | 2 +-
3026+ 4 files changed, 9 insertions(+), 5 deletions(-)
3027+
3028+--- a/man/systemd.network.xml
3029++++ b/man/systemd.network.xml
3030+@@ -1477,8 +1477,9 @@
3031+ <varlistentry>
3032+ <term><varname>UseGateway=</varname></term>
3033+ <listitem>
3034+- <para>When true (the default), the gateway will be requested from the DHCP server and added to the
3035+- routing table with a metric of 1024, and a scope of "link".</para>
3036++ <para>When true, the gateway will be requested from the DHCP server and added to the routing table with a
3037++ metric of 1024, and a scope of "link". When unset, the value specified with <option>UseRoutes=</option>
3038++ is used.</para>
3039+ </listitem>
3040+ </varlistentry>
3041+ <varlistentry>
3042+--- a/src/network/networkd-network-gperf.gperf
3043++++ b/src/network/networkd-network-gperf.gperf
3044+@@ -162,7 +162,7 @@ DHCPv4.UseMTU,
3045+ DHCPv4.UseHostname, config_parse_bool, 0, offsetof(Network, dhcp_use_hostname)
3046+ DHCPv4.UseDomains, config_parse_dhcp_use_domains, 0, offsetof(Network, dhcp_use_domains)
3047+ DHCPv4.UseRoutes, config_parse_bool, 0, offsetof(Network, dhcp_use_routes)
3048+-DHCPv4.UseGateway, config_parse_bool, 0, offsetof(Network, dhcp_use_gateway)
3049++DHCPv4.UseGateway, config_parse_tristate, 0, offsetof(Network, dhcp_use_gateway)
3050+ DHCPv4.RequestOptions, config_parse_dhcp_request_options, 0, 0
3051+ DHCPv4.Anonymize, config_parse_bool, 0, offsetof(Network, dhcp_anonymize)
3052+ DHCPv4.SendHostname, config_parse_bool, 0, offsetof(Network, dhcp_send_hostname)
3053+--- a/src/network/networkd-network.c
3054++++ b/src/network/networkd-network.c
3055+@@ -265,6 +265,9 @@ int network_verify(Network *network) {
3056+ network->dhcp_use_mtu = false;
3057+ }
3058+
3059++ if (network->dhcp_use_gateway < 0)
3060++ network->dhcp_use_gateway = network->dhcp_use_routes;
3061++
3062+ if (network->dhcp_critical >= 0) {
3063+ if (network->keep_configuration >= 0)
3064+ log_warning("%s: Both KeepConfiguration= and deprecated CriticalConnection= are set. "
3065+@@ -383,7 +386,7 @@ int network_load_one(Manager *manager, O
3066+ .dhcp_use_dns = true,
3067+ .dhcp_use_hostname = true,
3068+ .dhcp_use_routes = true,
3069+- .dhcp_use_gateway = true,
3070++ .dhcp_use_gateway = -1,
3071+ /* NOTE: this var might be overwritten by network_apply_anonymize_if_set */
3072+ .dhcp_send_hostname = true,
3073+ .dhcp_send_release = true,
3074+--- a/src/network/networkd-network.h
3075++++ b/src/network/networkd-network.h
3076+@@ -110,7 +110,7 @@ struct Network {
3077+ bool dhcp_use_sip;
3078+ bool dhcp_use_mtu;
3079+ bool dhcp_use_routes;
3080+- bool dhcp_use_gateway;
3081++ int dhcp_use_gateway;
3082+ bool dhcp_use_timezone;
3083+ bool rapid_commit;
3084+ bool dhcp_use_hostname;
3085diff --git a/debian/patches/lp1867375/0004-test-modify-add-tests-for-UseRoutes-and-UseGateway-c.patch b/debian/patches/lp1867375/0004-test-modify-add-tests-for-UseRoutes-and-UseGateway-c.patch
3086new file mode 100644
3087index 0000000..6bb2c41
3088--- /dev/null
3089+++ b/debian/patches/lp1867375/0004-test-modify-add-tests-for-UseRoutes-and-UseGateway-c.patch
3090@@ -0,0 +1,187 @@
3091+From 7c0d36ff5fc31d00e26661fd2ad45291ed0eb6f7 Mon Sep 17 00:00:00 2001
3092+From: Dan Streetman <ddstreet@canonical.com>
3093+Date: Wed, 15 Apr 2020 16:26:20 -0400
3094+Subject: [PATCH 2/4] test: modify/add tests for UseRoutes= and UseGateway=
3095+ configuration
3096+Origin: upstream, https://github.com/systemd/systemd/pull/15443
3097+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
3098+
3099+The last commit changed the UseGateway= default to the value of UseRoutes=
3100+so the tests need to check for all combinations of the two parameters.
3101+---
3102+ .../dhcp-client-ipv4-use-routes-no.network | 9 ---
3103+ ...lient-ipv4-use-routes-use-gateway.network} | 2 +-
3104+ .../use-gateway-False.conf | 2 +
3105+ .../use-gateway-True.conf | 2 +
3106+ .../use-routes-False.conf | 2 +
3107+ .../use-routes-True.conf | 2 +
3108+ test/test-network/systemd-networkd-tests.py | 58 +++++++++++++------
3109+ 7 files changed, 48 insertions(+), 29 deletions(-)
3110+ delete mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-no.network
3111+ rename test/test-network/conf/{dhcp-client-ipv4-use-gateway-no.network => dhcp-client-ipv4-use-routes-use-gateway.network} (81%)
3112+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-gateway-False.conf
3113+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-gateway-True.conf
3114+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-routes-False.conf
3115+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-routes-True.conf
3116+
3117+--- a/test/test-network/conf/dhcp-client-ipv4-use-routes-no.network
3118++++ /dev/null
3119+@@ -1,9 +0,0 @@
3120+-[Match]
3121+-Name=veth99
3122+-
3123+-[Network]
3124+-DHCP=ipv4
3125+-IPv6AcceptRA=false
3126+-
3127+-[DHCPv4]
3128+-UseRoutes=no
3129+--- a/test/test-network/conf/dhcp-client-ipv4-use-gateway-no.network
3130++++ /dev/null
3131+@@ -1,9 +0,0 @@
3132+-[Match]
3133+-Name=veth99
3134+-
3135+-[Network]
3136+-DHCP=ipv4
3137+-IPv6AcceptRA=false
3138+-
3139+-[DHCPv4]
3140+-UseGateway=no
3141+--- /dev/null
3142++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network
3143+@@ -0,0 +1,9 @@
3144++[Match]
3145++Name=veth99
3146++
3147++[Network]
3148++DHCP=ipv4
3149++IPv6AcceptRA=false
3150++
3151++[DHCPv4]
3152++RoutesToDNS=yes
3153+--- /dev/null
3154++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-gateway-False.conf
3155+@@ -0,0 +1,2 @@
3156++[DHCPv4]
3157++UseGateway=no
3158+--- /dev/null
3159++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-gateway-True.conf
3160+@@ -0,0 +1,2 @@
3161++[DHCPv4]
3162++UseGateway=yes
3163+--- /dev/null
3164++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-routes-False.conf
3165+@@ -0,0 +1,2 @@
3166++[DHCPv4]
3167++UseRoutes=no
3168+--- /dev/null
3169++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-routes-True.conf
3170+@@ -0,0 +1,2 @@
3171++[DHCPv4]
3172++UseRoutes=yes
3173+--- a/test/test-network/systemd-networkd-tests.py
3174++++ b/test/test-network/systemd-networkd-tests.py
3175+@@ -3,6 +3,7 @@
3176+ # systemd-networkd tests
3177+
3178+ import argparse
3179++import itertools
3180+ import os
3181+ import re
3182+ import shutil
3183+@@ -2826,8 +2827,7 @@ class NetworkdDHCPClientTests(unittest.T
3184+ 'dhcp-client-ipv4-dhcp-settings.network',
3185+ 'dhcp-client-ipv4-only-ipv6-disabled.network',
3186+ 'dhcp-client-ipv4-only.network',
3187+- 'dhcp-client-ipv4-use-gateway-no.network',
3188+- 'dhcp-client-ipv4-use-routes-no.network',
3189++ 'dhcp-client-ipv4-use-routes-use-gateway.network',
3190+ 'dhcp-client-ipv6-only.network',
3191+ 'dhcp-client-ipv6-rapid-commit.network',
3192+ 'dhcp-client-keep-configuration-dhcp-on-stop.network',
3193+@@ -2842,7 +2842,6 @@ class NetworkdDHCPClientTests(unittest.T
3194+ 'dhcp-client-use-dns-no.network',
3195+ 'dhcp-client-use-dns-yes.network',
3196+ 'dhcp-client-use-domains.network',
3197+- 'dhcp-client-use-routes-no.network',
3198+ 'dhcp-client-vrf.network',
3199+ 'dhcp-client-with-ipv4ll-fallback-with-dhcp-server.network',
3200+ 'dhcp-client-with-ipv4ll-fallback-without-dhcp-server.network',
3201+@@ -2851,7 +2850,6 @@ class NetworkdDHCPClientTests(unittest.T
3202+ 'dhcp-server-decline.network',
3203+ 'dhcp-server-veth-peer.network',
3204+ 'dhcp-v4-server-veth-peer.network',
3205+- 'dhcp-client-use-domains.network',
3206+ 'static.network']
3207+
3208+ def setUp(self):
3209+@@ -2932,8 +2930,21 @@ class NetworkdDHCPClientTests(unittest.T
3210+ self.assertRegex(output, r'192.168.5.7 proto dhcp scope link src 192.168.5.181 metric 1024')
3211+ self.assertRegex(output, r'192.168.5.8 proto dhcp scope link src 192.168.5.181 metric 1024')
3212+
3213+- def test_dhcp_client_ipv4_use_routes_no(self):
3214+- copy_unit_to_networkd_unit_path('25-veth.netdev', 'dhcp-server-veth-peer.network', 'dhcp-client-ipv4-use-routes-no.network')
3215++ def test_dhcp_client_ipv4_use_routes_gateway(self):
3216++ for (routes, gateway) in itertools.product([True, False, None], repeat=2):
3217++ self.setUp()
3218++ with self.subTest(routes=routes, gateway=gateway):
3219++ self._test_dhcp_client_ipv4_use_routes_gateway(routes, gateway)
3220++ self.tearDown()
3221++
3222++ def _test_dhcp_client_ipv4_use_routes_gateway(self, routes, gateway):
3223++ testunit = 'dhcp-client-ipv4-use-routes-use-gateway.network'
3224++ testunits = ['25-veth.netdev', 'dhcp-server-veth-peer.network', testunit]
3225++ if routes != None:
3226++ testunits.append(f'{testunit}.d/use-routes-{routes}.conf');
3227++ if gateway != None:
3228++ testunits.append(f'{testunit}.d/use-gateway-{gateway}.conf');
3229++ copy_unit_to_networkd_unit_path(*testunits, dropins=False)
3230+
3231+ start_networkd()
3232+ self.wait_online(['veth-peer:carrier'])
3233+@@ -2942,22 +2953,31 @@ class NetworkdDHCPClientTests(unittest.T
3234+
3235+ output = check_output('ip route show dev veth99')
3236+ print(output)
3237+- self.assertNotRegex(output, r'192.168.5.5')
3238+- self.assertRegex(output, r'default via 192.168.5.1 proto dhcp src 192.168.5.181 metric 1024')
3239+- self.assertRegex(output, r'192.168.5.1 proto dhcp scope link src 192.168.5.181 metric 1024')
3240+
3241+- def test_dhcp_client_ipv4_use_gateway_no(self):
3242+- copy_unit_to_networkd_unit_path('25-veth.netdev', 'dhcp-server-veth-peer.network', 'dhcp-client-ipv4-use-gateway-no.network')
3243++ # UseRoutes= defaults to true
3244++ useroutes = routes in [True, None]
3245++ # UseGateway= defaults to useroutes
3246++ usegateway = useroutes if gateway == None else gateway
3247++
3248++ # Check UseRoutes=
3249++ if useroutes:
3250++ self.assertRegex(output, r'192.168.5.0/24 via 192.168.5.5 proto dhcp src 192.168.5.181 metric 1024')
3251++ else:
3252++ self.assertNotRegex(output, r'192.168.5.5')
3253+
3254+- start_networkd()
3255+- self.wait_online(['veth-peer:carrier'])
3256+- start_dnsmasq(additional_options='--dhcp-option=option:dns-server,192.168.5.6,192.168.5.7', lease_time='2m')
3257+- self.wait_online(['veth99:routable', 'veth-peer:routable'])
3258++ # Check UseGateway=
3259++ if usegateway:
3260++ self.assertRegex(output, r'default via 192.168.5.1 proto dhcp src 192.168.5.181 metric 1024')
3261++ else:
3262++ self.assertNotRegex(output, r'default via 192.168.5.1')
3263+
3264+- output = check_output('ip route show dev veth99')
3265+- print(output)
3266+- self.assertRegex(output, r'192.168.5.0/24 via 192.168.5.5 proto dhcp src 192.168.5.181 metric 1024')
3267+- self.assertNotRegex(output, r'default via 192.168.5.1')
3268++ # check for routes to DNS server, only if using gateway
3269++ if usegateway:
3270++ self.assertRegex(output, r'192.168.5.6 proto dhcp scope link src 192.168.5.181 metric 1024')
3271++ self.assertRegex(output, r'192.168.5.7 proto dhcp scope link src 192.168.5.181 metric 1024')
3272++ else:
3273++ self.assertNotRegex(output, r'192.168.5.6')
3274++ self.assertNotRegex(output, r'192.168.5.7')
3275+
3276+ def test_dhcp_client_ipv4_ipv6(self):
3277+ copy_unit_to_networkd_unit_path('25-veth.netdev', 'dhcp-server-veth-peer.network', 'dhcp-client-ipv6-only.network',
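Review bot: test_dhcp_client_ipv4_use_routes_gateway calls `self.setUp()` and `self.tearDown()` by hand around each `subTest`, on top of the calls unittest already makes for the test method, so setup runs twice before the first combination and teardown twice after the last. Whether tearDown removes the `.network.d/` drop-ins copied for one combination is not visible in this hunk; if it does not, a leftover `use-routes-*.conf` or `use-gateway-*.conf` would leak into the next combination and the nine cases would not be independent. A comment on the loop would record that requirement, e.g. `# each combination needs a clean unit dir, including .network.d drop-ins`. In the helper, `if routes != None:` and `if gateway != None:` should use `is not None`, and the trailing `;` after each `testunits.append(...)` can be dropped.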
3278diff --git a/debian/patches/lp1867375/0005-network-honor-SetDNSRoutes-even-if-UseGateway-False.patch b/debian/patches/lp1867375/0005-network-honor-SetDNSRoutes-even-if-UseGateway-False.patch
3279new file mode 100644
3280index 0000000..2acf6ee
3281--- /dev/null
3282+++ b/debian/patches/lp1867375/0005-network-honor-SetDNSRoutes-even-if-UseGateway-False.patch
3283@@ -0,0 +1,162 @@
3284+From 244490f5e0a98f83190e92033fbdaa1bbcd9b000 Mon Sep 17 00:00:00 2001
3285+From: Dan Streetman <ddstreet@canonical.com>
3286+Date: Wed, 15 Apr 2020 18:05:14 -0400
3287+Subject: [PATCH 3/4] network: honor SetDNSRoutes= even if UseGateway=False
3288+Origin: upstream, https://github.com/systemd/systemd/pull/15443
3289+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
3290+
3291+---
3292+ src/network/networkd-dhcp4.c | 129 +++++++++++++++++------------------
3293+ 1 file changed, 64 insertions(+), 65 deletions(-)
3294+
3295+--- a/src/network/networkd-dhcp4.c
3296++++ b/src/network/networkd-dhcp4.c
3297+@@ -323,78 +323,77 @@ static int link_set_dhcp_routes(Link *li
3298+ }
3299+ }
3300+
3301+- if (!link->network->dhcp_use_gateway)
3302+- return 0;
3303+-
3304+- r = sd_dhcp_lease_get_router(link->dhcp_lease, &router);
3305+- if (IN_SET(r, 0, -ENODATA))
3306+- log_link_info(link, "DHCP: No gateway received from DHCP server.");
3307+- else if (r < 0)
3308+- log_link_warning_errno(link, r, "DHCP error: could not get gateway: %m");
3309+- else if (in4_addr_is_null(&router[0]))
3310+- log_link_info(link, "DHCP: Received gateway is null.");
3311+-
3312+- /* According to RFC 3442: If the DHCP server returns both a Classless Static Routes option and
3313+- a Router option, the DHCP client MUST ignore the Router option. */
3314+- if (classless_route && static_route)
3315+- log_link_warning(link, "Classless static routes received from DHCP server: ignoring static-route option and router option");
3316+-
3317+- if (r > 0 && !classless_route && !in4_addr_is_null(&router[0])) {
3318+- _cleanup_(route_freep) Route *route = NULL, *route_gw = NULL;
3319+-
3320+- r = route_new(&route_gw);
3321+- if (r < 0)
3322+- return log_link_error_errno(link, r, "Could not allocate route: %m");
3323+-
3324+- /* The dhcp netmask may mask out the gateway. Add an explicit
3325+- * route for the gw host so that we can route no matter the
3326+- * netmask or existing kernel route tables. */
3327+- route_gw->family = AF_INET;
3328+- route_gw->dst.in = router[0];
3329+- route_gw->dst_prefixlen = 32;
3330+- route_gw->prefsrc.in = address;
3331+- route_gw->scope = RT_SCOPE_LINK;
3332+- route_gw->protocol = RTPROT_DHCP;
3333+- route_gw->priority = link->network->dhcp_route_metric;
3334+- route_gw->table = table;
3335+- route_gw->mtu = link->network->dhcp_route_mtu;
3336+-
3337+- r = dhcp_route_configure(&route_gw, link);
3338+- if (r < 0)
3339+- return log_link_error_errno(link, r, "Could not set host route: %m");
3340+-
3341+- r = route_new(&route);
3342+- if (r < 0)
3343+- return log_link_error_errno(link, r, "Could not allocate route: %m");
3344+-
3345+- route->family = AF_INET;
3346+- route->gw.in = router[0];
3347+- route->prefsrc.in = address;
3348+- route->protocol = RTPROT_DHCP;
3349+- route->priority = link->network->dhcp_route_metric;
3350+- route->table = table;
3351+- route->mtu = link->network->dhcp_route_mtu;
3352+-
3353+- r = dhcp_route_configure(&route, link);
3354+- if (r < 0)
3355+- return log_link_error_errno(link, r, "Could not set router: %m");
3356+- }
3357++ if (link->network->dhcp_use_gateway) {
3358++ r = sd_dhcp_lease_get_router(link->dhcp_lease, &router);
3359++ if (IN_SET(r, 0, -ENODATA))
3360++ log_link_info(link, "DHCP: No gateway received from DHCP server.");
3361++ else if (r < 0)
3362++ log_link_warning_errno(link, r, "DHCP error: could not get gateway: %m");
3363++ else if (in4_addr_is_null(&router[0]))
3364++ log_link_info(link, "DHCP: Received gateway is null.");
3365++
3366++ /* According to RFC 3442: If the DHCP server returns both a Classless Static Routes option and
3367++ a Router option, the DHCP client MUST ignore the Router option. */
3368++ if (classless_route && static_route)
3369++ log_link_warning(link, "Classless static routes received from DHCP server: ignoring static-route option and router option");
3370++
3371++ if (r > 0 && !classless_route && !in4_addr_is_null(&router[0])) {
3372++ _cleanup_(route_freep) Route *route = NULL, *route_gw = NULL;
3373++
3374++ r = route_new(&route_gw);
3375++ if (r < 0)
3376++ return log_link_error_errno(link, r, "Could not allocate route: %m");
3377++
3378++ /* The dhcp netmask may mask out the gateway. Add an explicit
3379++ * route for the gw host so that we can route no matter the
3380++ * netmask or existing kernel route tables. */
3381++ route_gw->family = AF_INET;
3382++ route_gw->dst.in = router[0];
3383++ route_gw->dst_prefixlen = 32;
3384++ route_gw->prefsrc.in = address;
3385++ route_gw->scope = RT_SCOPE_LINK;
3386++ route_gw->protocol = RTPROT_DHCP;
3387++ route_gw->priority = link->network->dhcp_route_metric;
3388++ route_gw->table = table;
3389++ route_gw->mtu = link->network->dhcp_route_mtu;
3390++
3391++ r = dhcp_route_configure(&route_gw, link);
3392++ if (r < 0)
3393++ return log_link_error_errno(link, r, "Could not set host route: %m");
3394++
3395++ r = route_new(&route);
3396++ if (r < 0)
3397++ return log_link_error_errno(link, r, "Could not allocate route: %m");
3398++
3399++ route->family = AF_INET;
3400++ route->gw.in = router[0];
3401++ route->prefsrc.in = address;
3402++ route->protocol = RTPROT_DHCP;
3403++ route->priority = link->network->dhcp_route_metric;
3404++ route->table = table;
3405++ route->mtu = link->network->dhcp_route_mtu;
3406++
3407++ r = dhcp_route_configure(&route, link);
3408++ if (r < 0)
3409++ return log_link_error_errno(link, r, "Could not set router: %m");
3410++ }
3411+
3412+- Route *rt;
3413+- LIST_FOREACH(routes, rt, link->network->static_routes) {
3414+- if (!rt->gateway_from_dhcp)
3415+- continue;
3416+-
3417+- if (rt->family != AF_INET)
3418+- continue;
3419+-
3420+- rt->gw.in = router[0];
3421+-
3422+- r = route_configure(rt, link, dhcp4_route_handler);
3423+- if (r < 0)
3424+- return log_link_error_errno(link, r, "Could not set gateway: %m");
3425+- if (r > 0)
3426+- link->dhcp4_messages++;
3427++ Route *rt;
3428++ LIST_FOREACH(routes, rt, link->network->static_routes) {
3429++ if (!rt->gateway_from_dhcp)
3430++ continue;
3431++
3432++ if (rt->family != AF_INET)
3433++ continue;
3434++
3435++ rt->gw.in = router[0];
3436++
3437++ r = route_configure(rt, link, dhcp4_route_handler);
3438++ if (r < 0)
3439++ return log_link_error_errno(link, r, "Could not set gateway: %m");
3440++ if (r > 0)
3441++ link->dhcp4_messages++;
3442++ }
3443+ }
3444+
3445+ return link_set_dns_routes(link, &address);
3446diff --git a/debian/patches/lp1867375/0006-test-verify-RoutesToDNS-is-independent-of-UseGateway.patch b/debian/patches/lp1867375/0006-test-verify-RoutesToDNS-is-independent-of-UseGateway.patch
3447new file mode 100644
3448index 0000000..ad3d89c
3449--- /dev/null
3450+++ b/debian/patches/lp1867375/0006-test-verify-RoutesToDNS-is-independent-of-UseGateway.patch
3451@@ -0,0 +1,74 @@
3452+From 06c2b0c76bf7e2756f8e9ef18765c85dee99ae14 Mon Sep 17 00:00:00 2001
3453+From: Dan Streetman <ddstreet@canonical.com>
3454+Date: Wed, 15 Apr 2020 18:30:33 -0400
3455+Subject: [PATCH 4/4] test: verify RoutesToDNS= is independent of UseGateway=
3456+Origin: upstream, https://github.com/systemd/systemd/pull/15443
3457+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1867375
3458+
3459+---
3460+ ...dhcp-client-ipv4-use-routes-use-gateway.network | 3 ---
3461+ .../use-dns-routes-False.conf | 2 ++
3462+ .../use-dns-routes-True.conf | 2 ++
3463+ test/test-network/systemd-networkd-tests.py | 14 ++++++++------
3464+ 4 files changed, 12 insertions(+), 9 deletions(-)
3465+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-dns-routes-False.conf
3466+ create mode 100644 test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-dns-routes-True.conf
3467+
3468+--- a/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network
3469++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network
3470+@@ -4,6 +4,3 @@ Name=veth99
3471+ [Network]
3472+ DHCP=ipv4
3473+ IPv6AcceptRA=false
3474+-
3475+-[DHCPv4]
3476+-RoutesToDNS=yes
3477+--- /dev/null
3478++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-dns-routes-False.conf
3479+@@ -0,0 +1,2 @@
3480++[DHCPv4]
3481++RoutesToDNS=no
3482+--- /dev/null
3483++++ b/test/test-network/conf/dhcp-client-ipv4-use-routes-use-gateway.network.d/use-dns-routes-True.conf
3484+@@ -0,0 +1,2 @@
3485++[DHCPv4]
3486++RoutesToDNS=yes
3487+--- a/test/test-network/systemd-networkd-tests.py
3488++++ b/test/test-network/systemd-networkd-tests.py
3489+@@ -2931,19 +2931,21 @@ class NetworkdDHCPClientTests(unittest.T
3490+ self.assertRegex(output, r'192.168.5.8 proto dhcp scope link src 192.168.5.181 metric 1024')
3491+
3492+ def test_dhcp_client_ipv4_use_routes_gateway(self):
3493+- for (routes, gateway) in itertools.product([True, False, None], repeat=2):
3494++ for (routes, gateway, dnsroutes) in itertools.product([True, False, None], repeat=3):
3495+ self.setUp()
3496+- with self.subTest(routes=routes, gateway=gateway):
3497+- self._test_dhcp_client_ipv4_use_routes_gateway(routes, gateway)
3498++ with self.subTest(routes=routes, gateway=gateway, dnsroutes=dnsroutes):
3499++ self._test_dhcp_client_ipv4_use_routes_gateway(routes, gateway, dnsroutes)
3500+ self.tearDown()
3501+
3502+- def _test_dhcp_client_ipv4_use_routes_gateway(self, routes, gateway):
3503++ def _test_dhcp_client_ipv4_use_routes_gateway(self, routes, gateway, dnsroutes):
3504+ testunit = 'dhcp-client-ipv4-use-routes-use-gateway.network'
3505+ testunits = ['25-veth.netdev', 'dhcp-server-veth-peer.network', testunit]
3506+ if routes != None:
3507+ testunits.append(f'{testunit}.d/use-routes-{routes}.conf');
3508+ if gateway != None:
3509+ testunits.append(f'{testunit}.d/use-gateway-{gateway}.conf');
3510++ if dnsroutes != None:
3511++ testunits.append(f'{testunit}.d/use-dns-routes-{dnsroutes}.conf');
3512+ copy_unit_to_networkd_unit_path(*testunits, dropins=False)
3513+
3514+ start_networkd()
3515+@@ -2971,8 +2973,8 @@ class NetworkdDHCPClientTests(unittest.T
3516+ else:
3517+ self.assertNotRegex(output, r'default via 192.168.5.1')
3518+
3519+- # check for routes to DNS server, only if using gateway
3520+- if usegateway:
3521++ # Check RoutesToDNS=, which defaults to false
3522++ if dnsroutes:
3523+ self.assertRegex(output, r'192.168.5.6 proto dhcp scope link src 192.168.5.181 metric 1024')
3524+ self.assertRegex(output, r'192.168.5.7 proto dhcp scope link src 192.168.5.181 metric 1024')
3525+ else:
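Review bot: The added branch `if dnsroutes != None:` compares against None with `!=` and its `testunits.append(...)` line ends in a stray `;`, copying the two branches above it; `if dnsroutes is not None:` without the semicolon is the idiomatic form. Separately, `repeat=3` grows the matrix from 9 to 27 combinations, each with a manual `setUp()`/`tearDown()` and a networkd start, so a short comment saying the full product is intended would help whoever later looks at the test's run time. The body of `_test_dhcp_client_ipv4_use_routes_gateway` continues outside the hunks shown.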
3526diff --git a/debian/patches/lp1873607/0001-core-some-minor-clean-ups-modernizations.patch b/debian/patches/lp1873607/0001-core-some-minor-clean-ups-modernizations.patch
3527new file mode 100644
3528index 0000000..e4d47c8
3529--- /dev/null
3530+++ b/debian/patches/lp1873607/0001-core-some-minor-clean-ups-modernizations.patch
3531@@ -0,0 +1,56 @@
3532+From 5b99bd5fd4274c5fac86c82a38ca3334e55df543 Mon Sep 17 00:00:00 2001
3533+From: Lennart Poettering <lennart@poettering.net>
3534+Date: Wed, 22 Apr 2020 20:33:57 +0200
3535+Subject: [PATCH 1/2] core: some minor clean-ups/modernizations
3536+Origin: upstream, https://github.com/systemd/systemd/pull/15546
3537+Bug: https://github.com/systemd/systemd/issues/15356
3538+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1873607
3539+
3540+---
3541+ src/core/service.c | 14 +++++++++++---
3542+ 1 file changed, 11 insertions(+), 3 deletions(-)
3543+
3544+diff --git a/src/core/service.c b/src/core/service.c
3545+index 53dbd5509c..861d82041a 100644
3546+--- a/src/core/service.c
3547++++ b/src/core/service.c
3548+@@ -2569,6 +2569,8 @@ static unsigned service_exec_command_index(Unit *u, ServiceExecCommand id, ExecC
3549+ ExecCommand *first, *c;
3550+
3551+ assert(s);
3552++ assert(id >= 0);
3553++ assert(id < _SERVICE_EXEC_COMMAND_MAX);
3554+
3555+ first = s->exec_command[id];
3556+
3557+@@ -2632,10 +2634,12 @@ static int service_serialize_exec_command(Unit *u, FILE *f, ExecCommand *command
3558+
3559+ p = cescape(command->path);
3560+ if (!p)
3561+- return -ENOMEM;
3562++ return log_oom();
3563+
3564+ key = strjoina(type, "-command");
3565+- return serialize_item_format(f, key, "%s %u %s %s", service_exec_command_to_string(id), idx, p, args);
3566++ (void) serialize_item_format(f, key, "%s %u %s %s", service_exec_command_to_string(id), idx, p, args);
3567++
3568++ return 0;
3569+ }
3570+
3571+ static int service_serialize(Unit *u, FILE *f, FDSet *fds) {
3572+@@ -2737,7 +2741,11 @@ static int service_serialize(Unit *u, FILE *f, FDSet *fds) {
3573+ return 0;
3574+ }
3575+
3576+-static int service_deserialize_exec_command(Unit *u, const char *key, const char *value) {
3577++static int service_deserialize_exec_command(
3578++ Unit *u,
3579++ const char *key,
3580++ const char *value) {
3581++
3582+ Service *s = SERVICE(u);
3583+ int r;
3584+ unsigned idx = 0, i;
3585+--
3586+2.25.1
3587+
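Review bot: In `service_serialize_exec_command` the result of `serialize_item_format()` is now discarded with `(void)` and the function returns 0, so a failed write of the `*-command` item is no longer visible to the caller, while the `cescape()` failure just above still returns an error. If that is deliberate best-effort behaviour, say so at the call, e.g. `/* best effort: a missing item only means the command list is not resumed */` (wording to be confirmed against the intent). In `service_exec_command_index` the two new `assert()` lines are the only range check before `s->exec_command[id]`; whether they remain in release builds depends on how `assert` is configured for the package, which is not visible here.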
3588diff --git a/debian/patches/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch b/debian/patches/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch
3589new file mode 100644
3590index 0000000..f7c1864
3591--- /dev/null
3592+++ b/debian/patches/lp1873607/0002-core-make-sure-to-restore-the-control-command-id-too.patch
3593@@ -0,0 +1,33 @@
3594+From e9da62b18af647bfa73807e1c7fc3bfa4bb4b2ac Mon Sep 17 00:00:00 2001
3595+From: Lennart Poettering <lennart@poettering.net>
3596+Date: Wed, 22 Apr 2020 20:34:02 +0200
3597+Subject: [PATCH 2/2] core: make sure to restore the control command id, too
3598+Origin: upstream, https://github.com/systemd/systemd/pull/15546
3599+Bug: https://github.com/systemd/systemd/issues/15356
3600+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1873607
3601+
3602+Fixes: #15356
3603+---
3604+ src/core/service.c | 5 +++--
3605+ 1 file changed, 3 insertions(+), 2 deletions(-)
3606+
3607+diff --git a/src/core/service.c b/src/core/service.c
3608+index 861d82041a..7d5928e455 100644
3609+--- a/src/core/service.c
3610++++ b/src/core/service.c
3611+@@ -2834,9 +2834,10 @@ static int service_deserialize_exec_command(
3612+ break;
3613+ }
3614+
3615+- if (command && control)
3616++ if (command && control) {
3617+ s->control_command = command;
3618+- else if (command)
3619++ s->control_command_id = id;
3620++ } else if (command)
3621+ s->main_command = command;
3622+ else
3623+ log_unit_warning(u, "Current command vanished from the unit file, execution of the command list won't be resumed.");
3624+--
3625+2.25.1
3626+
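Review bot: `s->control_command_id = id;` stores a value that was parsed from the serialized state earlier in `service_deserialize_exec_command`, outside this hunk. It is worth confirming that `id` is rejected there when it is negative or not below `_SERVICE_EXEC_COMMAND_MAX`, because `service_exec_command_index` uses the id as an index into `s->exec_command[]` and checks it only with `assert`. A one-line comment on the new assignment saying why the id has to be restored together with `control_command` would also help, since the commit message gives only the issue number.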
3627diff --git a/debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch b/debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch
3628new file mode 100644
3629index 0000000..916b1ed
3630--- /dev/null
3631+++ b/debian/patches/lp1875708/journald-Increase-stdout-buffer-size-sooner-when-almost-f.patch
3632@@ -0,0 +1,28 @@
3633+From: Benjamin Robin <dev@benjarobin.fr>
3634+Date: Sun, 3 May 2020 18:37:21 +0200
3635+Subject: journald: Increase stdout buffer size sooner, when almost full
3636+
3637+If the previous received buffer length is almost equal to the allocated
3638+buffer size, before this change the next read can only receive a couple
3639+of bytes (in the worst case only 1 byte), which is not efficient.
3640+
3641+(cherry picked from commit 034e9719ac1ba88a36b05da38c7aa98761d42c77)
3642+---
3643+ src/journal/journald-stream.c | 4 ++--
3644+ 1 file changed, 2 insertions(+), 2 deletions(-)
3645+
3646+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
3647+index 202ac3c..7fdbe34 100644
3648+--- a/src/journal/journald-stream.c
3649++++ b/src/journal/journald-stream.c
3650+@@ -511,8 +511,8 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
3651+ goto terminate;
3652+ }
3653+
3654+- /* If the buffer is full already (discounting the extra NUL we need), add room for another 1K */
3655+- if (s->length + 1 >= s->allocated) {
3656++ /* If the buffer is almost full, add room for another 1K */
3657++ if (s->length + 512 >= s->allocated) {
3658+ if (!GREEDY_REALLOC(s->buffer, s->allocated, s->length + 1 + 1024)) {
3659+ log_oom();
3660+ goto terminate;
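Review bot: The new threshold in `if (s->length + 512 >= s->allocated)` is a bare literal, and it now sits beside the existing `1024` growth step with nothing tying the two together. Named constants would make the relationship explicit, e.g. `#define STDOUT_STREAM_GROW_THRESHOLD 512U`, with the comment stating that growth starts once fewer than that many bytes are free. The updated comment says "almost full" without giving the figure, so the number is only discoverable from the condition. `stdout_stream_process` starts and ends outside the hunk.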
3661diff --git a/debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch b/debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch
3662new file mode 100644
3663index 0000000..896cd75
3664--- /dev/null
3665+++ b/debian/patches/lp1875708/journald-rework-end-of-line-marker-handling-to-use-a-fiel.patch
3666@@ -0,0 +1,73 @@
3667+From: Lennart Poettering <lennart@poettering.net>
3668+Date: Tue, 12 May 2020 18:53:35 +0200
3669+Subject: journald: rework end of line marker handling to use a field table
3670+
3671+(cherry picked from commit 549b7379ba404c33fd448d2bca46a57f6529b00b)
3672+---
3673+ src/journal/journald-stream.c | 29 ++++++++++++++++++++---------
3674+ 1 file changed, 20 insertions(+), 9 deletions(-)
3675+
3676+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
3677+index 85f5fa6..aca0434 100644
3678+--- a/src/journal/journald-stream.c
3679++++ b/src/journal/journald-stream.c
3680+@@ -58,6 +58,8 @@ typedef enum LineBreak {
3681+ LINE_BREAK_NUL,
3682+ LINE_BREAK_LINE_MAX,
3683+ LINE_BREAK_EOF,
3684++ _LINE_BREAK_MAX,
3685++ _LINE_BREAK_INVALID = -1,
3686+ } LineBreak;
3687+
3688+ struct StdoutStream {
3689+@@ -238,7 +240,11 @@ fail:
3690+ return log_error_errno(r, "Failed to save stream data %s: %m", s->state_file);
3691+ }
3692+
3693+-static int stdout_stream_log(StdoutStream *s, const char *p, LineBreak line_break) {
3694++static int stdout_stream_log(
3695++ StdoutStream *s,
3696++ const char *p,
3697++ LineBreak line_break) {
3698++
3699+ struct iovec *iovec;
3700+ int priority;
3701+ char syslog_priority[] = "PRIORITY=\0";
3702+@@ -250,6 +256,9 @@ static int stdout_stream_log(StdoutStream *s, const char *p, LineBreak line_brea
3703+ assert(s);
3704+ assert(p);
3705+
3706++ assert(line_break >= 0);
3707++ assert(line_break < _LINE_BREAK_MAX);
3708++
3709+ if (s->context)
3710+ (void) client_context_maybe_refresh(s->server, s->context, NULL, NULL, 0, NULL, USEC_INFINITY);
3711+ else if (pid_is_valid(s->ucred.pid)) {
3712+@@ -301,17 +310,19 @@ static int stdout_stream_log(StdoutStream *s, const char *p, LineBreak line_brea
3713+ iovec[n++] = IOVEC_MAKE_STRING(syslog_identifier);
3714+ }
3715+
3716+- if (line_break != LINE_BREAK_NEWLINE) {
3717+- const char *c;
3718++ static const char * const line_break_field_table[_LINE_BREAK_MAX] = {
3719++ [LINE_BREAK_NEWLINE] = NULL, /* Do not add field if traditional newline */
3720++ [LINE_BREAK_NUL] = "_LINE_BREAK=nul",
3721++ [LINE_BREAK_LINE_MAX] = "_LINE_BREAK=line-max",
3722++ [LINE_BREAK_EOF] = "_LINE_BREAK=eof",
3723++ };
3724+
3725+- /* If this log message was generated due to an uncommon line break then mention this in the log
3726+- * entry */
3727++ const char *c = line_break_field_table[line_break];
3728+
3729+- c = line_break == LINE_BREAK_NUL ? "_LINE_BREAK=nul" :
3730+- line_break == LINE_BREAK_LINE_MAX ? "_LINE_BREAK=line-max" :
3731+- "_LINE_BREAK=eof";
3732++ /* If this log message was generated due to an uncommon line break then mention this in the log
3733++ * entry */
3734++ if (c)
3735+ iovec[n++] = IOVEC_MAKE_STRING(c);
3736+- }
3737+
3738+ message = strjoin("MESSAGE=", p);
3739+ if (message)
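Review bot: `line_break_field_table` is declared with size `_LINE_BREAK_MAX` and designated initializers, so any enumerator added later without a table entry silently gets NULL, the same value that `LINE_BREAK_NEWLINE` uses on purpose to mean "emit no field". A reminder next to the enum, such as `/* keep line_break_field_table[] in stdout_stream_log() in sync */`, would make that dependency visible. The index `line_break_field_table[line_break]` is protected only by the two new `assert()` lines, so its safety in release builds depends on `assert` being active there, which this hunk does not show. `stdout_stream_log` continues outside the hunks.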
3740diff --git a/debian/patches/lp1875708/journald-rework-pid-change-handling.patch b/debian/patches/lp1875708/journald-rework-pid-change-handling.patch
3741new file mode 100644
3742index 0000000..8a9fe0f
3743--- /dev/null
3744+++ b/debian/patches/lp1875708/journald-rework-pid-change-handling.patch
3745@@ -0,0 +1,218 @@
3746+From: Lennart Poettering <lennart@poettering.net>
3747+Date: Tue, 12 May 2020 18:56:34 +0200
3748+Subject: journald: rework pid change handling
3749+
3750+Let's introduce an explicit line ending marker for line endings due to
3751+pid change.
3752+
3753+Let's also make sure we don't get confused with buffer management.
3754+
3755+Fixes: #15654
3756+(cherry picked from commit 45ba1ea5e9264d385fa565328fe957ef1d78caa1)
3757+---
3758+ src/journal/journald-stream.c | 103 ++++++++++++++++++++++++++++--------------
3759+ 1 file changed, 68 insertions(+), 35 deletions(-)
3760+
3761+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
3762+index 5474436..4fcf71e 100644
3763+--- a/src/journal/journald-stream.c
3764++++ b/src/journal/journald-stream.c
3765+@@ -58,6 +58,7 @@ typedef enum LineBreak {
3766+ LINE_BREAK_NUL,
3767+ LINE_BREAK_LINE_MAX,
3768+ LINE_BREAK_EOF,
3769++ LINE_BREAK_PID_CHANGE,
3770+ _LINE_BREAK_MAX,
3771+ _LINE_BREAK_INVALID = -1,
3772+ } LineBreak;
3773+@@ -315,6 +316,7 @@ static int stdout_stream_log(
3774+ [LINE_BREAK_NUL] = "_LINE_BREAK=nul",
3775+ [LINE_BREAK_LINE_MAX] = "_LINE_BREAK=line-max",
3776+ [LINE_BREAK_EOF] = "_LINE_BREAK=eof",
3777++ [LINE_BREAK_PID_CHANGE] = "_LINE_BREAK=pid-change",
3778+ };
3779+
3780+ const char *c = line_break_field_table[line_break];
3781+@@ -435,21 +437,43 @@ static int stdout_stream_line(StdoutStream *s, char *p, LineBreak line_break) {
3782+ assert_not_reached("Unknown stream state");
3783+ }
3784+
3785+-static int stdout_stream_scan(StdoutStream *s, bool force_flush) {
3786+- char *p;
3787+- size_t remaining;
3788++static int stdout_stream_found(
3789++ StdoutStream *s,
3790++ char *p,
3791++ size_t l,
3792++ LineBreak line_break) {
3793++
3794++ char saved;
3795+ int r;
3796+
3797+ assert(s);
3798++ assert(p);
3799++
3800++ /* Let's NUL terminate the specified buffer for this call, and revert back afterwards */
3801++ saved = p[l];
3802++ p[l] = 0;
3803++ r = stdout_stream_line(s, p, line_break);
3804++ p[l] = saved;
3805+
3806+- p = s->buffer;
3807+- remaining = s->length;
3808++ return r;
3809++}
3810++
3811++static int stdout_stream_scan(
3812++ StdoutStream *s,
3813++ char *p,
3814++ size_t remaining,
3815++ LineBreak force_flush,
3816++ size_t *ret_consumed) {
3817+
3818+- /* XXX: This function does nothing if (s->length == 0) */
3819++ size_t consumed = 0;
3820++ int r;
3821++
3822++ assert(s);
3823++ assert(p);
3824+
3825+ for (;;) {
3826+ LineBreak line_break;
3827+- size_t skip;
3828++ size_t skip, found;
3829+ char *end1, *end2;
3830+
3831+ end1 = memchr(p, '\n', remaining);
3832+@@ -457,43 +481,40 @@ static int stdout_stream_scan(StdoutStream *s, bool force_flush) {
3833+
3834+ if (end2) {
3835+ /* We found a NUL terminator */
3836+- skip = end2 - p + 1;
3837++ found = end2 - p;
3838++ skip = found + 1;
3839+ line_break = LINE_BREAK_NUL;
3840+ } else if (end1) {
3841+ /* We found a \n terminator */
3842+- *end1 = 0;
3843+- skip = end1 - p + 1;
3844++ found = end1 - p;
3845++ skip = found + 1;
3846+ line_break = LINE_BREAK_NEWLINE;
3847+ } else if (remaining >= s->server->line_max) {
3848+ /* Force a line break after the maximum line length */
3849+- *(p + s->server->line_max) = 0;
3850+- skip = remaining;
3851++ found = skip = s->server->line_max;
3852+ line_break = LINE_BREAK_LINE_MAX;
3853+ } else
3854+ break;
3855+
3856+- r = stdout_stream_line(s, p, line_break);
3857++ r = stdout_stream_found(s, p, found, line_break);
3858+ if (r < 0)
3859+ return r;
3860+
3861+- remaining -= skip;
3862+ p += skip;
3863++ consumed += skip;
3864++ remaining -= skip;
3865+ }
3866+
3867+- if (force_flush && remaining > 0) {
3868+- p[remaining] = 0;
3869+- r = stdout_stream_line(s, p, LINE_BREAK_EOF);
3870++ if (force_flush >= 0 && remaining > 0) {
3871++ r = stdout_stream_found(s, p, remaining, force_flush);
3872+ if (r < 0)
3873+ return r;
3874+
3875+- p += remaining;
3876+- remaining = 0;
3877++ consumed += remaining;
3878+ }
3879+
3880+- if (p > s->buffer) {
3881+- memmove(s->buffer, p, remaining);
3882+- s->length = remaining;
3883+- }
3884++ if (ret_consumed)
3885++ *ret_consumed = consumed;
3886+
3887+ return 0;
3888+ }
3889+@@ -501,10 +522,11 @@ static int stdout_stream_scan(StdoutStream *s, bool force_flush) {
3890+ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents, void *userdata) {
3891+ uint8_t buf[CMSG_SPACE(sizeof(struct ucred))];
3892+ StdoutStream *s = userdata;
3893++ size_t limit, consumed;
3894+ struct ucred *ucred;
3895+ struct iovec iovec;
3896+- size_t limit;
3897+ ssize_t l;
3898++ char *p;
3899+ int r;
3900+
3901+ struct msghdr msghdr = {
3902+@@ -532,7 +554,7 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
3903+ /* Try to make use of the allocated buffer in full, but never read more than the configured line size. Also,
3904+ * always leave room for a terminating NUL we might need to add. */
3905+ limit = MIN(s->allocated - 1, s->server->line_max);
3906+-
3907++ assert(s->length <= limit);
3908+ iovec = IOVEC_MAKE(s->buffer + s->length, limit - s->length);
3909+
3910+ l = recvmsg(s->fd, &msghdr, MSG_DONTWAIT|MSG_CMSG_CLOEXEC);
3911+@@ -546,31 +568,42 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
3912+ cmsg_close_all(&msghdr);
3913+
3914+ if (l == 0) {
3915+- stdout_stream_scan(s, true);
3916++ (void) stdout_stream_scan(s, s->buffer, s->length, /* force_flush = */ LINE_BREAK_EOF, NULL);
3917+ goto terminate;
3918+ }
3919+
3920+- /* Invalidate the context if the pid of the sender changed. This happens when a forked process
3921+- * inherits stdout / stderr from a parent. In this case getpeercred returns the ucred of the parent,
3922+- * which can be invalid if the parent has exited in the meantime.
3923+- */
3924++ /* Invalidate the context if the PID of the sender changed. This happens when a forked process
3925++ * inherits stdout/stderr from a parent. In this case getpeercred() returns the ucred of the parent,
3926++ * which can be invalid if the parent has exited in the meantime. */
3927+ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
3928+ if (ucred && ucred->pid != s->ucred.pid) {
3929+- /* force out any previously half-written lines from a different process, before we switch to
3930++ /* Force out any previously half-written lines from a different process, before we switch to
3931+ * the new ucred structure for everything we just added */
3932+- r = stdout_stream_scan(s, true);
3933++ r = stdout_stream_scan(s, s->buffer, s->length, /* force_flush = */ LINE_BREAK_PID_CHANGE, NULL);
3934+ if (r < 0)
3935+ goto terminate;
3936+
3937+- s->ucred = *ucred;
3938+ s->context = client_context_release(s->server, s->context);
3939++
3940++ p = s->buffer + s->length;
3941++ } else {
3942++ p = s->buffer;
3943++ l += s->length;
3944+ }
3945+
3946+- s->length += l;
3947+- r = stdout_stream_scan(s, false);
3948++ /* Always copy in the new credentials */
3949++ if (ucred)
3950++ s->ucred = *ucred;
3951++
3952++ r = stdout_stream_scan(s, p, l, _LINE_BREAK_INVALID, &consumed);
3953+ if (r < 0)
3954+ goto terminate;
3955+
3956++ /* Move what wasn't consumed to the front of the buffer */
3957++ assert(consumed <= (size_t) l);
3958++ s->length = l - consumed;
3959++ memmove(s->buffer, p + consumed, s->length);
3960++
3961+ return 1;
3962+
3963+ terminate:
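Review bot: `stdout_stream_found` writes a temporary NUL at `p[l]`, one byte past the range it is given, and nothing in the function says why that byte lies inside the allocation. It holds only because `stdout_stream_process` caps reads at `MIN(s->allocated - 1, s->server->line_max)`; a comment next to `saved = p[l];`, such as `/* p[l] must be writable: callers never fill the last byte of s->buffer */`, would stop a future caller from passing a range that ends at the end of the buffer. The `force_flush` parameter of `stdout_stream_scan` is now a `LineBreak` in which `_LINE_BREAK_INVALID` means "do not flush", while the name still reads like a boolean. That convention deserves a line of documentation on the function.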
3964diff --git a/debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch b/debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch
3965new file mode 100644
3966index 0000000..d8b4863
3967--- /dev/null
3968+++ b/debian/patches/lp1875708/journald-use-log_warning_errno-where-appropriate.patch
3969@@ -0,0 +1,37 @@
3970+From: Lennart Poettering <lennart@poettering.net>
3971+Date: Tue, 12 May 2020 18:52:33 +0200
3972+Subject: journald: use log_warning_errno() where appropriate
3973+
3974+(cherry picked from commit 5fe7fb0bf604b7652091ffacd5679b310b18a70f)
3975+---
3976+ src/journal/journald-stream.c | 9 ++++-----
3977+ 1 file changed, 4 insertions(+), 5 deletions(-)
3978+
3979+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
3980+index 7fdbe34..85f5fa6 100644
3981+--- a/src/journal/journald-stream.c
3982++++ b/src/journal/journald-stream.c
3983+@@ -322,8 +322,8 @@ static int stdout_stream_log(StdoutStream *s, const char *p, LineBreak line_brea
3984+ }
3985+
3986+ static int stdout_stream_line(StdoutStream *s, char *p, LineBreak line_break) {
3987+- int r;
3988+ char *orig;
3989++ int r;
3990+
3991+ assert(s);
3992+ assert(p);
3993+@@ -332,10 +332,9 @@ static int stdout_stream_line(StdoutStream *s, char *p, LineBreak line_break) {
3994+ p = strstrip(p);
3995+
3996+ /* line breaks by NUL, line max length or EOF are not permissible during the negotiation part of the protocol */
3997+- if (line_break != LINE_BREAK_NEWLINE && s->state != STDOUT_STREAM_RUNNING) {
3998+- log_warning("Control protocol line not properly terminated.");
3999+- return -EINVAL;
4000+- }
4001++ if (line_break != LINE_BREAK_NEWLINE && s->state != STDOUT_STREAM_RUNNING)
4002++ return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
4003++ "Control protocol line not properly terminated.");
4004+
4005+ switch (s->state) {
4006+
4007diff --git a/debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch b/debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch
4008new file mode 100644
4009index 0000000..4838b56
4010--- /dev/null
4011+++ b/debian/patches/lp1875708/journald-use-the-fact-that-client_context_release-returns.patch
4012@@ -0,0 +1,23 @@
4013+From: Lennart Poettering <lennart@poettering.net>
4014+Date: Tue, 12 May 2020 19:15:38 +0200
4015+Subject: journald: use the fact that client_context_release() returns NULL
4016+
4017+(cherry picked from commit 020b4a023c2c6dda83afb9a82a62e640569c40c1)
4018+---
4019+ src/journal/journald-stream.c | 3 +--
4020+ 1 file changed, 1 insertion(+), 2 deletions(-)
4021+
4022+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
4023+index aca0434..5474436 100644
4024+--- a/src/journal/journald-stream.c
4025++++ b/src/journal/journald-stream.c
4026+@@ -563,8 +563,7 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
4027+ goto terminate;
4028+
4029+ s->ucred = *ucred;
4030+- client_context_release(s->server, s->context);
4031+- s->context = NULL;
4032++ s->context = client_context_release(s->server, s->context);
4033+ }
4034+
4035+ s->length += l;
4036diff --git a/debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch b/debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch
4037new file mode 100644
4038index 0000000..39adafe
4039--- /dev/null
4040+++ b/debian/patches/lp1875708/man-document-the-new-_LINE_BREAK-type.patch
4041@@ -0,0 +1,39 @@
4042+From: Lennart Poettering <lennart@poettering.net>
4043+Date: Wed, 13 May 2020 00:09:43 +0200
4044+Subject: man: document the new _LINE_BREAK= type
4045+
4046+(cherry picked from commit a3d9aee14fa2f7df429dc401582877176206b7fd)
4047+---
4048+ man/systemd.journal-fields.xml | 19 ++++++++++---------
4049+ 1 file changed, 10 insertions(+), 9 deletions(-)
4050+
4051+diff --git a/man/systemd.journal-fields.xml b/man/systemd.journal-fields.xml
4052+index a0771f3..4d35cfb 100644
4053+--- a/man/systemd.journal-fields.xml
4054++++ b/man/systemd.journal-fields.xml
4055+@@ -347,15 +347,16 @@
4056+ <varlistentry>
4057+ <term><varname>_LINE_BREAK=</varname></term>
4058+ <listitem>
4059+- <para>Only applies to <literal>_TRANSPORT=stdout</literal> records: indicates that the log message in the
4060+- standard output/error stream was not terminated with a normal newline character (<literal>\n</literal>,
4061+- i.e. ASCII 10). Specifically, when set this field is one of <option>nul</option> (in case the line was
4062+- terminated by a NUL byte), <option>line-max</option> (in case the maximum log line length was reached, as
4063+- configured with <varname>LineMax=</varname> in
4064+- <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>) or
4065+- <option>eof</option> (if this was the last log record of a stream and the stream ended without a final
4066+- newline character). Note that this record is not generated when a normal newline character was used for
4067+- marking the log line end.</para>
4068++ <para>Only applies to <literal>_TRANSPORT=stdout</literal> records: indicates that the log message
4069++ in the standard output/error stream was not terminated with a normal newline character
4070++ (<literal>\n</literal>, i.e. ASCII 10). Specifically, when set this field is one of
4071++ <option>nul</option> (in case the line was terminated by a NUL byte), <option>line-max</option> (in
4072++ case the maximum log line length was reached, as configured with <varname>LineMax=</varname> in
4073++ <citerefentry><refentrytitle>journald.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>),
4074++ <option>eof</option> (if this was the last log record of a stream and the stream ended without a
4075++ final newline character), or <option>pid-change</option> (if the process which generated the log
4076++ output changed in the middle of a line). Note that this record is not generated when a normal
4077++ newline character was used for marking the log line end.</para>
4078+ </listitem>
4079+ </varlistentry>
4080+ <varlistentry>
4081diff --git a/debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch b/debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch
4082new file mode 100644
4083index 0000000..3e98d44
4084--- /dev/null
4085+++ b/debian/patches/lp1875708/socket-util-introduce-type-safe-dereferencing-wrapper-CMS.patch
4086@@ -0,0 +1,198 @@
4087+From: Lennart Poettering <lennart@poettering.net>
4088+Date: Fri, 17 Apr 2020 11:52:48 +0200
4089+Subject: socket-util: introduce type-safe,
4090+ dereferencing wrapper CMSG_FIND_DATA around cmsg_find()
4091+
4092+let's take this once step further, and add type-safety to cmsg_find(),
4093+and imply the CMSG_DATA() macro for finding the cmsg payload.
4094+
4095+(cherry picked from commit 371d72e05b7e2c2b7850cb04d8d4c18be1e60421)
4096+---
4097+ src/basic/socket-util.h | 8 ++++++++
4098+ src/import/importd.c | 10 ++--------
4099+ src/journal/journald-stream.c | 25 +++++++------------------
4100+ src/nspawn/nspawn.c | 13 ++-----------
4101+ src/shared/ask-password-api.c | 7 ++-----
4102+ src/udev/udevd.c | 10 ++--------
4103+ 6 files changed, 23 insertions(+), 50 deletions(-)
4104+
4105+diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h
4106+index 24e1213..e233260 100644
4107+--- a/src/basic/socket-util.h
4108++++ b/src/basic/socket-util.h
4109+@@ -158,6 +158,14 @@ int flush_accept(int fd);
4110+
4111+ struct cmsghdr* cmsg_find(struct msghdr *mh, int level, int type, socklen_t length);
4112+
4113++/* Type-safe, dereferencing version of cmsg_find() */
4114++#define CMSG_FIND_DATA(mh, level, type, ctype) \
4115++ ({ \
4116++ struct cmsghdr *_found; \
4117++ _found = cmsg_find(mh, level, type, CMSG_LEN(sizeof(ctype))); \
4118++ (ctype*) (_found ? CMSG_DATA(_found) : NULL); \
4119++ })
4120++
4121+ /*
4122+ * Certain hardware address types (e.g Infiniband) do not fit into sll_addr
4123+ * (8 bytes) and run over the structure. This macro returns the correct size that
4124+diff --git a/src/import/importd.c b/src/import/importd.c
4125+index 93e704e..91290af 100644
4126+--- a/src/import/importd.c
4127++++ b/src/import/importd.c
4128+@@ -556,9 +556,8 @@ static int manager_on_notify(sd_event_source *s, int fd, uint32_t revents, void
4129+ .msg_control = &control,
4130+ .msg_controllen = sizeof(control),
4131+ };
4132+- struct ucred *ucred = NULL;
4133++ struct ucred *ucred;
4134+ Manager *m = userdata;
4135+- struct cmsghdr *cmsg;
4136+ char *p, *e;
4137+ Transfer *t;
4138+ Iterator i;
4139+@@ -575,17 +574,12 @@ static int manager_on_notify(sd_event_source *s, int fd, uint32_t revents, void
4140+
4141+ cmsg_close_all(&msghdr);
4142+
4143+- CMSG_FOREACH(cmsg, &msghdr)
4144+- if (cmsg->cmsg_level == SOL_SOCKET &&
4145+- cmsg->cmsg_type == SCM_CREDENTIALS &&
4146+- cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)))
4147+- ucred = (struct ucred*) CMSG_DATA(cmsg);
4148+-
4149+ if (msghdr.msg_flags & MSG_TRUNC) {
4150+ log_warning("Got overly long notification datagram, ignoring.");
4151+ return 0;
4152+ }
4153+
4154++ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
4155+ if (!ucred || ucred->pid <= 0) {
4156+ log_warning("Got notification datagram lacking credential information, ignoring.");
4157+ return 0;
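Review bot: Only `MSG_TRUNC` is tested before the credentials are looked up; truncated ancillary data (`MSG_CTRUNC`) is not. A datagram whose control data was cut short is therefore either handled as if it were complete or logged as "lacking credential information", depending on which control message was affected. Consider rejecting both explicitly with `if (msghdr.msg_flags & (MSG_TRUNC|MSG_CTRUNC)) {`. The same lookup is introduced in the nspawn.c and udevd.c hunks of this patch, where any flag checks lie outside the visible lines. `manager_on_notify()` begins and ends outside this hunk.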
4158+diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
4159+index 609af50..202ac3c 100644
4160+--- a/src/journal/journald-stream.c
4161++++ b/src/journal/journald-stream.c
4162+@@ -491,8 +491,7 @@ static int stdout_stream_scan(StdoutStream *s, bool force_flush) {
4163+ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents, void *userdata) {
4164+ uint8_t buf[CMSG_SPACE(sizeof(struct ucred))];
4165+ StdoutStream *s = userdata;
4166+- struct ucred *ucred = NULL;
4167+- struct cmsghdr *cmsg;
4168++ struct ucred *ucred;
4169+ struct iovec iovec;
4170+ size_t limit;
4171+ ssize_t l;
4172+@@ -541,24 +540,14 @@ static int stdout_stream_process(sd_event_source *es, int fd, uint32_t revents,
4173+ goto terminate;
4174+ }
4175+
4176+- CMSG_FOREACH(cmsg, &msghdr)
4177+- if (cmsg->cmsg_level == SOL_SOCKET &&
4178+- cmsg->cmsg_type == SCM_CREDENTIALS &&
4179+- cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
4180+- ucred = (struct ucred *)CMSG_DATA(cmsg);
4181+- break;
4182+- }
4183+-
4184+- /* Invalidate the context if the pid of the sender changed.
4185+- * This happens when a forked process inherits stdout / stderr
4186+- * from a parent. In this case getpeercred returns the ucred
4187+- * of the parent, which can be invalid if the parent has exited
4188+- * in the meantime.
4189++ /* Invalidate the context if the pid of the sender changed. This happens when a forked process
4190++ * inherits stdout / stderr from a parent. In this case getpeercred returns the ucred of the parent,
4191++ * which can be invalid if the parent has exited in the meantime.
4192+ */
4193++ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
4194+ if (ucred && ucred->pid != s->ucred.pid) {
4195+- /* force out any previously half-written lines from a
4196+- * different process, before we switch to the new ucred
4197+- * structure for everything we just added */
4198++ /* force out any previously half-written lines from a different process, before we switch to
4199++ * the new ucred structure for everything we just added */
4200+ r = stdout_stream_scan(s, true);
4201+ if (r < 0)
4202+ goto terminate;
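Review bot: The new `ucred = CMSG_FIND_DATA(...)` line sits between the "Invalidate the context if the pid of the sender changed" comment and the `if` that the comment describes, so the comment now reads as documentation for the lookup. Moving the assignment above the comment keeps the explanation attached to the condition `if (ucred && ucred->pid != s->ucred.pid) {`. When no credentials arrive, `ucred` is NULL and the branch is skipped; a short remark such as `/* no credentials in this message: keep the current context */` would make that intent explicit. `stdout_stream_process()` continues outside the hunk.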
4203+diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
4204+index 734dee1..01fa6f2 100644
4205+--- a/src/nspawn/nspawn.c
4206++++ b/src/nspawn/nspawn.c
4207+@@ -3696,8 +3696,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
4208+ .msg_control = &control,
4209+ .msg_controllen = sizeof(control),
4210+ };
4211+- struct cmsghdr *cmsg;
4212+- struct ucred *ucred = NULL;
4213++ struct ucred *ucred;
4214+ ssize_t n;
4215+ pid_t inner_child_pid;
4216+ _cleanup_strv_free_ char **tags = NULL;
4217+@@ -3720,15 +3719,7 @@ static int nspawn_dispatch_notify_fd(sd_event_source *source, int fd, uint32_t r
4218+ }
4219+ cmsg_close_all(&msghdr);
4220+
4221+- CMSG_FOREACH(cmsg, &msghdr) {
4222+- if (cmsg->cmsg_level == SOL_SOCKET &&
4223+- cmsg->cmsg_type == SCM_CREDENTIALS &&
4224+- cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred))) {
4225+-
4226+- ucred = (struct ucred*) CMSG_DATA(cmsg);
4227+- }
4228+- }
4229+-
4230++ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
4231+ if (!ucred || ucred->pid != inner_child_pid) {
4232+ log_debug("Received notify message without valid credentials. Ignoring.");
4233+ return 0;
4234+diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
4235+index 0fc5501..4a6f093 100644
4236+--- a/src/shared/ask-password-api.c
4237++++ b/src/shared/ask-password-api.c
4238+@@ -939,15 +939,12 @@ int ask_password_agent(
4239+ continue;
4240+ }
4241+
4242+- if (msghdr.msg_controllen < CMSG_LEN(sizeof(struct ucred)) ||
4243+- control.cmsghdr.cmsg_level != SOL_SOCKET ||
4244+- control.cmsghdr.cmsg_type != SCM_CREDENTIALS ||
4245+- control.cmsghdr.cmsg_len != CMSG_LEN(sizeof(struct ucred))) {
4246++ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
4247++ if (!ucred) {
4248+ log_debug("Received message without credentials. Ignoring.");
4249+ continue;
4250+ }
4251+
4252+- ucred = (struct ucred*) CMSG_DATA(&control.cmsghdr);
4253+ if (ucred->uid != 0) {
4254+ log_debug("Got request from unprivileged user. Ignoring.");
4255+ continue;
4256+diff --git a/src/udev/udevd.c b/src/udev/udevd.c
4257+index ca65474..07deadf 100644
4258+--- a/src/udev/udevd.c
4259++++ b/src/udev/udevd.c
4260+@@ -905,9 +905,8 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat
4261+ .msg_control = &control,
4262+ .msg_controllen = sizeof(control),
4263+ };
4264+- struct cmsghdr *cmsg;
4265+ ssize_t size;
4266+- struct ucred *ucred = NULL;
4267++ struct ucred *ucred;
4268+ struct worker *worker;
4269+
4270+ size = recvmsg(fd, &msghdr, MSG_DONTWAIT);
4271+@@ -924,12 +923,7 @@ static int on_worker(sd_event_source *s, int fd, uint32_t revents, void *userdat
4272+ continue;
4273+ }
4274+
4275+- CMSG_FOREACH(cmsg, &msghdr)
4276+- if (cmsg->cmsg_level == SOL_SOCKET &&
4277+- cmsg->cmsg_type == SCM_CREDENTIALS &&
4278+- cmsg->cmsg_len == CMSG_LEN(sizeof(struct ucred)))
4279+- ucred = (struct ucred*) CMSG_DATA(cmsg);
4280+-
4281++ ucred = CMSG_FIND_DATA(&msghdr, SOL_SOCKET, SCM_CREDENTIALS, struct ucred);
4282+ if (!ucred || ucred->pid <= 0) {
4283+ log_warning("Ignoring worker message without valid PID");
4284+ continue;
4285diff --git a/debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch b/debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch
4286new file mode 100644
4287index 0000000..c5b6edb
4288--- /dev/null
4289+++ b/debian/patches/lp1875708/test-Add-a-test-case-for-15654.patch
4290@@ -0,0 +1,28 @@
4291+From: Benjamin Robin <dev@benjarobin.fr>
4292+Date: Wed, 6 May 2020 23:28:02 +0200
4293+Subject: test: Add a test case for #15654
4294+
4295+(cherry picked from commit c11d8fd1dab3bc3f0abbc861ba5eb34518cec1da)
4296+---
4297+ test/TEST-04-JOURNAL/test-journal.sh | 8 ++++++++
4298+ 1 file changed, 8 insertions(+)
4299+
4300+diff --git a/test/TEST-04-JOURNAL/test-journal.sh b/test/TEST-04-JOURNAL/test-journal.sh
4301+index 1431dad..07ef8f4 100755
4302+--- a/test/TEST-04-JOURNAL/test-journal.sh
4303++++ b/test/TEST-04-JOURNAL/test-journal.sh
4304+@@ -87,6 +87,14 @@ journalctl -b -o export -t "$ID" --output-fields=_PID | grep '^_PID=' >/output
4305+ grep -q "^_PID=$PID" /output
4306+ grep -vq "^_PID=$PID" /output
4307+
4308++# https://github.com/systemd/systemd/issues/15654
4309++ID=$(journalctl --new-id128 | sed -n 2p)
4310++printf "This will\nusually fail\nand be truncated\n">/expected
4311++systemd-cat -t "$ID" /bin/sh -c 'env echo -n "This will";echo;env echo -n "usually fail";echo;env echo -n "and be truncated";echo;'
4312++journalctl --sync
4313++journalctl -b -o cat -t "$ID" >/output
4314++cmp /expected /output
4315++
4316+ # Add new tests before here, the journald restarts below
4317+ # may make tests flappy.
4318+
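Review bot: The new test case is documented only by the issue URL, so a reader has to leave the file to learn what is being checked. A comment such as `# Each line is written in two steps (text, then newline); the journal must still show three intact lines` would record the intent next to the code. The ID is extracted with `sed -n 2p`, which depends on the line layout of `journalctl --new-id128`. If the rest of the script already uses that pattern (not visible in this hunk) it is consistent; otherwise `systemd-id128 new` avoids the parsing. `/expected` and `/output` are fixed paths in the root directory, which is presumably acceptable only because the script runs inside the disposable test image.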
4319diff --git a/debian/patches/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch b/debian/patches/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch
4320new file mode 100644
4321index 0000000..3c0de0f
4322--- /dev/null
4323+++ b/debian/patches/lp1878969-meson-initialize-time-epoch-to-reproducible-builds-compat.patch
4324@@ -0,0 +1,61 @@
4325+From: Dimitri John Ledkov <xnox@ubuntu.com>
4326+Date: Fri, 15 May 2020 19:16:05 +0100
4327+Subject: meson: initialize time-epoch to reproducible builds compatible value
4328+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1878969
4329+Origin: upstream, https://github.com/systemd/systemd/commit/6dbf352cfbbaf9c9b277af54da50da38296ae5c6
4330+
4331+Debian Policy encourages to preserve timestamps whenever possible in the
4332+tarballs, thus stable release updates of systemd usually do not bump NEWS file
4333+timestamp. And thus time-epoch remains the same for the lifetime of a release.
4334+
4335+It would be better, if each new stable release rebuild of systemd would bump
4336+the time epoch a bit. But at the same time remain
4337+reproducible. SOURCE_DATE_EPOCH is an environmnet variable defined for this
4338+purpose. Thus if available, prefer that, instead of the NEWS file modification
4339+time.
4340+
4341+For example, on Debian/Ubuntu under the reproducible builds the
4342+SOURCE_DATE_EPOCH is set to the timestamp from the packaging metadata, thus it
4343+is incremented on every new stable release update, whilst preserving
4344+reproducible builds capability.
4345+
4346+Reference: https://reproducible-builds.org/docs/timestamps/
4347+---
4348+ TODO | 3 ---
4349+ meson.build | 9 +++++++--
4350+ 2 files changed, 7 insertions(+), 5 deletions(-)
4351+
4352+diff --git a/TODO b/TODO
4353+index e944245..51b23cf 100644
4354+--- a/TODO
4355++++ b/TODO
4356+@@ -446,9 +446,6 @@ Features:
4357+
4358+ * support projid-based quota in machinectl for containers
4359+
4360+-* maybe use SOURCE_DATE_EPOCH (i.e. the env var the reproducible builds folks
4361+- introduced) as the RTC epoch, instead of the mtime of NEWS.
4362+-
4363+ * add a way to lock down cgroup migration: a boolean, which when set for a unit
4364+ makes sure the processes in it can never migrate out of it
4365+
4366+diff --git a/meson.build b/meson.build
4367+index 60f8284..4ced8d7 100644
4368+--- a/meson.build
4369++++ b/meson.build
4370+@@ -671,8 +671,13 @@ conf.set_quoted('DEFAULT_NET_NAMING_SCHEME', default_net_naming_scheme)
4371+
4372+ time_epoch = get_option('time-epoch')
4373+ if time_epoch == -1
4374+- NEWS = files('NEWS')
4375+- time_epoch = run_command(stat, '-c', '%Y', NEWS).stdout().to_int()
4376++ source_date_epoch = run_command('sh', ['-c', 'echo "$SOURCE_DATE_EPOCH"']).stdout().strip()
4377++ if source_date_epoch != ''
4378++ time_epoch = source_date_epoch.to_int()
4379++ else
4380++ NEWS = files('NEWS')
4381++ time_epoch = run_command(stat, '-c', '%Y', NEWS).stdout().to_int()
4382++ endif
4383+ endif
4384+ conf.set('TIME_EPOCH', time_epoch)
4385+
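Review bot: `SOURCE_DATE_EPOCH` is read from the build environment and handed to `to_int()` after only an emptiness check. A value that is not a plain decimal integer would presumably stop configuration with a generic conversion error rather than one naming the variable. Since the result ends up in `TIME_EPOCH` in the generated configuration, I would add a comment above the block stating the precedence and the trust placed in the environment, for example `# time-epoch option, else $SOURCE_DATE_EPOCH (taken as given), else mtime of NEWS`. The exit status of the `sh` call is not examined; that is harmless for a bare `echo`, but the comment could say so.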
4386diff --git a/debian/patches/lp1882596-man-fix-some-manvolnum.patch b/debian/patches/lp1882596-man-fix-some-manvolnum.patch
4387new file mode 100644
4388index 0000000..a1b0fd0
4389--- /dev/null
4390+++ b/debian/patches/lp1882596-man-fix-some-manvolnum.patch
4391@@ -0,0 +1,267 @@
4392+From 675fa6ea284b715d8fc909e6523f520a0125b7eb Mon Sep 17 00:00:00 2001
4393+From: Anita Zhang <the.anitazha@gmail.com>
4394+Date: Fri, 10 Jul 2020 15:05:23 -0700
4395+Subject: [PATCH] man: fix some manvolnum
4396+Origin: upstream, https://github.com/systemd/systemd/commit/675fa6ea284b715d8fc909e6523f520a0125b7eb
4397+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1882596
4398+
4399+---
4400+ man/homectl.xml | 2 +-
4401+ man/journal-remote.conf.xml | 2 +-
4402+ man/journal-upload.conf.xml | 2 +-
4403+ man/journalctl.xml | 2 +-
4404+ man/journald.conf.xml | 2 +-
4405+ man/logind.conf.xml | 2 +-
4406+ man/systemd-bless-boot.service.xml | 2 +-
4407+ man/systemd-boot-check-no-failures.service.xml | 2 +-
4408+ man/systemd-environment-d-generator.xml | 2 +-
4409+ man/systemd-sleep.conf.xml | 2 +-
4410+ man/systemd-system.conf.xml | 2 +-
4411+ man/systemd-sysv-generator.xml | 2 +-
4412+ man/systemd-xdg-autostart-generator.xml | 2 +-
4413+ man/systemd.link.xml | 2 +-
4414+ man/systemd.netdev.xml | 2 +-
4415+ man/systemd.network.xml | 2 +-
4416+ man/systemd.slice.xml | 6 +++---
4417+ man/systemd.unit.xml | 2 +-
4418+ man/systemd.xml | 2 +-
4419+ man/timesyncd.conf.xml | 2 +-
4420+ man/user@.service.xml | 4 ++--
4421+ 21 files changed, 24 insertions(+), 24 deletions(-)
4422+
4423+--- a/man/homectl.xml
4424++++ b/man/homectl.xml
4425+@@ -395,7 +395,7 @@
4426+
4427+ <listitem><para>Each of these options takes a time span specification as argument (in the syntax
4428+ documented in
4429+- <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>5</manvolnum></citerefentry>) and
4430++ <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>) and
4431+ configure various aspects of the user's password expiration policy. Specifically,
4432+ <option>--password-change-min=</option> configures how much time has to pass after changing the
4433+ password of the user until the password may be changed again. If the user tries to change their
4434+--- a/man/journal-remote.conf.xml
4435++++ b/man/journal-remote.conf.xml
4436+@@ -39,7 +39,7 @@
4437+ <para>These files configure various parameters of
4438+ <citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4439+ See
4440+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4441++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4442+ for a general description of the syntax.</para>
4443+ </refsect1>
4444+
4445+--- a/man/journal-upload.conf.xml
4446++++ b/man/journal-upload.conf.xml
4447+@@ -34,7 +34,7 @@
4448+ <para>These files configure various parameters of
4449+ <citerefentry><refentrytitle>systemd-journal-upload.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4450+ See
4451+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4452++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4453+ for a general description of the syntax.</para>
4454+ </refsect1>
4455+
4456+--- a/man/journalctl.xml
4457++++ b/man/journalctl.xml
4458+@@ -1015,7 +1015,7 @@ journalctl _SYSTEMD_CGROUP=/user.slice/u
4459+ + OBJECT_SYSTEMD_UNIT=<replaceable>name</replaceable>.service _UID=0
4460+ + COREDUMP_UNIT=<replaceable>name</replaceable>.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1
4461+ </programlisting>
4462+- (see <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4463++ (see <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4464+ for an explanation of those patterns).
4465+ </para>
4466+
4467+--- a/man/journald.conf.xml
4468++++ b/man/journald.conf.xml
4469+@@ -36,7 +36,7 @@
4470+ <para>These files configure various parameters of the systemd journal service,
4471+ <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4472+ See
4473+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4474++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4475+ for a general description of the syntax.</para>
4476+
4477+ <para>The <command>systemd-journald</command> instance managing the default namespace is configured by
4478+--- a/man/logind.conf.xml
4479++++ b/man/logind.conf.xml
4480+@@ -36,7 +36,7 @@
4481+
4482+ <para>These files configure various parameters of the systemd login manager,
4483+ <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. See
4484+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4485++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4486+ for a general description of the syntax.</para>
4487+ </refsect1>
4488+
4489+--- a/man/systemd-bless-boot.service.xml
4490++++ b/man/systemd-bless-boot.service.xml
4491+@@ -106,7 +106,7 @@
4492+ <para>
4493+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
4494+ <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4495+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4496++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4497+ </para>
4498+ </refsect1>
4499+
4500+--- a/man/systemd-boot-check-no-failures.service.xml
4501++++ b/man/systemd-boot-check-no-failures.service.xml
4502+@@ -45,7 +45,7 @@
4503+ <title>See Also</title>
4504+ <para>
4505+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
4506+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4507++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4508+ </para>
4509+ </refsect1>
4510+
4511+--- a/man/systemd-environment-d-generator.xml
4512++++ b/man/systemd-environment-d-generator.xml
4513+@@ -46,7 +46,7 @@
4514+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
4515+ <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
4516+ <citerefentry><refentrytitle>systemd.environment-generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4517+- <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4518++ <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4519+ </para>
4520+ </refsect1>
4521+
4522+--- a/man/systemd-sleep.conf.xml
4523++++ b/man/systemd-sleep.conf.xml
4524+@@ -95,7 +95,7 @@
4525+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4526+ attempts to suspend or hibernate the machine.
4527+ See
4528+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4529++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4530+ for a general description of the syntax.</para>
4531+ </refsect1>
4532+
4533+--- a/man/systemd-system.conf.xml
4534++++ b/man/systemd-system.conf.xml
4535+@@ -48,7 +48,7 @@
4536+ <filename>user.conf.d</filename> directories. These configuration
4537+ files contain a few settings controlling basic manager
4538+ operations. See
4539+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4540++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4541+ for a general description of the syntax.</para>
4542+ </refsect1>
4543+
4544+--- a/man/systemd-sysv-generator.xml
4545++++ b/man/systemd-sysv-generator.xml
4546+@@ -43,7 +43,7 @@
4547+ <literal>$named</literal>, <literal>$portmap</literal>,
4548+ <literal>$time</literal> are supported and will be turned into
4549+ dependencies on specific native systemd targets. See
4550+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4551++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4552+ for more details.</para>
4553+
4554+ <para>SysV runlevels have corresponding systemd targets
4555+--- a/man/systemd.link.xml
4556++++ b/man/systemd.link.xml
4557+@@ -29,7 +29,7 @@
4558+ <para>A plain ini-style text file that encodes configuration for matching network devices, used by
4559+ <citerefentry><refentrytitle>systemd-udev</refentrytitle><manvolnum>8</manvolnum></citerefentry> and in
4560+ particular its <command>net_setup_link</command> builtin. See
4561+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a
4562++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
4563+ general description of the syntax.</para>
4564+
4565+ <para>The link files are read from the files located in the system
4566+--- a/man/systemd.netdev.xml
4567++++ b/man/systemd.netdev.xml
4568+@@ -29,7 +29,7 @@
4569+
4570+ <para>A plain ini-style text file that encodes configuration about a virtual network device, used by
4571+ <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4572+- See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4573++ See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4574+ for a general description of the syntax.</para>
4575+
4576+ <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
4577+--- a/man/systemd.network.xml
4578++++ b/man/systemd.network.xml
4579+@@ -31,7 +31,7 @@
4580+ <para>A plain ini-style text file that encodes network configuration for matching network interfaces,
4581+ used by
4582+ <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4583+- See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4584++ See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4585+ for a general description of the syntax.</para>
4586+
4587+ <para>The main network file must have the extension <filename>.network</filename>; other
4588+--- a/man/systemd.slice.xml
4589++++ b/man/systemd.slice.xml
4590+@@ -43,12 +43,12 @@
4591+ <para>By default, service and scope units are placed in
4592+ <filename>system.slice</filename>, virtual machines and containers
4593+ registered with
4594+- <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4595++ <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>
4596+ are found in <filename>machine.slice</filename>, and user sessions
4597+ handled by
4598+- <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4599++ <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
4600+ in <filename>user.slice</filename>. See
4601+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4602++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4603+ for more information.</para>
4604+
4605+ <para>See
4606+--- a/man/systemd.unit.xml
4607++++ b/man/systemd.unit.xml
4608+@@ -80,7 +80,7 @@
4609+ target, a watched file system path, a timer controlled and supervised by
4610+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, a
4611+ resource management slice or a group of externally created processes. See
4612+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4613++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4614+ for a general description of the syntax.</para>
4615+
4616+ <para>This man page lists the common configuration options of all
4617+--- a/man/systemd.xml
4618++++ b/man/systemd.xml
4619+@@ -1228,7 +1228,7 @@
4620+ <citerefentry><refentrytitle>daemon</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4621+ <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
4622+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
4623+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
4624++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4625+ <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
4626+ <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4627+ <citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
4628+--- a/man/timesyncd.conf.xml
4629++++ b/man/timesyncd.conf.xml
4630+@@ -32,7 +32,7 @@
4631+ <title>Description</title>
4632+
4633+ <para>These configuration files control NTP network time synchronization. See
4634+- <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
4635++ <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4636+ for a general description of the syntax.</para>
4637+ </refsect1>
4638+
4639+--- a/man/user@.service.xml
4640++++ b/man/user@.service.xml
4641+@@ -37,7 +37,7 @@
4642+ hierarchy of its own units. See
4643+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
4644+ a discussion of systemd units and
4645+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry>
4646++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
4647+ for a list of units that form the basis of the unit hierarchies of system and user units.</para>
4648+
4649+ <para><filename>user@<replaceable>UID</replaceable>.service</filename> is accompanied by the
4650+@@ -57,7 +57,7 @@
4651+
4652+ <para>Individual <filename>user-<replaceable>UID</replaceable>.slice</filename> slices are
4653+ collected under <filename>user.slice</filename>, see
4654+- <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
4655++ <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
4656+ </para>
4657+ </refsect1>
4658+
4659diff --git a/debian/patches/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch b/debian/patches/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch
4660new file mode 100644
4661index 0000000..bb81adb
4662--- /dev/null
4663+++ b/debian/patches/lp1887744-basic-unit-file-when-loading-linked-unit-files-use-l.patch
4664@@ -0,0 +1,92 @@
4665+From 3aa57658434e7a95c6000bebb166c31f1c6d051b Mon Sep 17 00:00:00 2001
4666+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
4667+Date: Sun, 14 Feb 2021 14:38:32 +0100
4668+Subject: [PATCH] basic/unit-file: when loading linked unit files, use link
4669+ source as "fragment path"
4670+Origin: upstream, https://github.com/systemd/systemd/pull/18579/commits/3aa57658434e7a95c6000bebb166c31f1c6d051b
4671+Bug: https://github.com/systemd/systemd/issues/18058
4672+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1887744
4673+
4674+The general idea is that when a unit file is "linked" (i.e. installed by
4675+symlinking from outside of the search paths), the *destination* name is
4676+irrelevant. It doesn't even have to be a valid unit name, or to match the type
4677+or instance value. The obvious collorary is that we shouldn't look at the
4678+symlink destination name to derive the unit name, instance value, or anything
4679+else at all.
4680+
4681+When building the name map, when we find a linked unit (possibly at the end
4682+of a series of alias redirects), store the *source* of the final symlink as the
4683+fragment path. This has two effects:
4684+- we stop looking at the *target* file name to derive unit info, i.e. actually
4685+ implement the stuff described in the first paragraph.
4686+- we load the unit fragment through the symlink. If someone were to remove the
4687+ symlink, we'll not load the unit. This seems like the right thing.
4688+
4689+Fixes #18058.
4690+Before this change, we were generally quite confused about unit alises for
4691+linked units. Fortunately most poeple use the same symlink source and target,
4692+so in practice we wouldn't hit this too often.
4693+
4694+In unit_load_fragment() a comment is added to explain what we're doing there.
4695+---
4696+ src/basic/unit-file.c | 14 ++++++++------
4697+ src/core/load-fragment.c | 7 ++++---
4698+ 2 files changed, 12 insertions(+), 9 deletions(-)
4699+
4700+--- a/src/shared/unit-file.c
4701++++ b/src/shared/unit-file.c
4702+@@ -347,10 +347,16 @@ int unit_file_build_name_map(
4703+
4704+ /* Check if the symlink goes outside of our search path.
4705+ * If yes, it's a linked unit file or mask, and we don't care about the target name.
4706+- * Let's just store the link destination directly.
4707++ * Let's just store the link source directly.
4708+ * If not, let's verify that it's a good symlink. */
4709+ char *tail = path_startswith_strv(simplified, lp->search_path);
4710+- if (tail) {
4711++ if (!tail) {
4712++ log_debug("%s: linked unit file: %s → %s",
4713++ __func__, filename, simplified);
4714++
4715++ dst = filename;
4716++ } else {
4717++
4718+ bool self_alias;
4719+
4720+ dst = basename(simplified);
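Review bot: The updated comment says the link source is stored "directly" but not why; the reason appears only in the patch description. Suggest stating it at the assignment, e.g. `dst = filename; /* path of the symlink itself, not its target: the fragment is then loaded through the link */`. `filename` is defined outside this hunk, so this reading is inferred from the new log line that prints `filename, simplified`. There is also a stray blank line after `} else {` before `bool self_alias;`. The diffstat in the patch header names `src/basic/unit-file.c` while the hunk applies to `src/shared/unit-file.c`; a remark in the header that the path was adjusted for this backport would help later rebases.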
4721+@@ -373,10 +379,6 @@ int unit_file_build_name_map(
4722+ }
4723+
4724+ log_debug("%s: alias: %s/%s → %s", __func__, *dir, de->d_name, dst);
4725+- } else {
4726+- dst = simplified;
4727+-
4728+- log_debug("%s: linked unit file: %s/%s → %s", __func__, *dir, de->d_name, dst);
4729+ }
4730+
4731+ } else {
4732+--- a/src/core/load-fragment.c
4733++++ b/src/core/load-fragment.c
4734+@@ -4787,10 +4787,11 @@ int unit_load_fragment(Unit *u) {
4735+ u->source_mtime = 0;
4736+ }
4737+
4738+- /* We do the merge dance here because for some unit types, the unit might have aliases which are not
4739++ /* Call merge_by_names with the name derived from the fragment path as the preferred name.
4740++ *
4741++ * We do the merge dance here because for some unit types, the unit might have aliases which are not
4742+ * declared in the file system. In particular, this is true (and frequent) for device and swap units.
4743+ */
4744+- Unit *merged;
4745+ const char *id = u->id;
4746+ _cleanup_free_ char *free_id = NULL;
4747+
4748+@@ -4807,7 +4808,7 @@ int unit_load_fragment(Unit *u) {
4749+ }
4750+ }
4751+
4752+- merged = u;
4753++ Unit *merged = u;
4754+ r = merge_by_names(&merged, names, id);
4755+ if (r < 0)
4756+ return r;
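diff --git a/debian/patches/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch b/debian/patches/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch
new file mode 100644
index 0000000..7697dc2
--- /dev/null
+++ b/debian/patches/lp1890448-hwdb-Add-EliteBook-to-use-micmute-hotkey.patch
@@ -0,0 +1,32 @@
+From b6eb208b29ae720e45a2950453fa4278a88bbcc9 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 16 Jun 2020 13:24:27 +0800
+Subject: [PATCH] hwdb: Add EliteBook to use micmute hotkey
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1890448
+Origin: upstream, https://github.com/systemd/systemd/commit/b6eb208b29ae720e45a2950453fa4278a88bbcc9
+
+Like HP ZBooks, all EliteBooks use the same micmute scancode.
+---
+ hwdb.d/60-keyboard.hwdb | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/hwdb.d/60-keyboard.hwdb
++++ b/hwdb.d/60-keyboard.hwdb
+@@ -584,6 +584,9 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett
+
+ # HP EliteBook 725 G2
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHPLicrice:pvr*
++# HP EliteBook
++evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHPEliteBook*:pvr*
++evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP*:pnHPEliteBook*:pvr*
+ # HP ProBook 440 G2
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHP440G2:pvr*
+ # several HP ProBooks 4xx
+@@ -610,7 +613,6 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHP:pnHP
+
+ # HP Folio 1040g2
+ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnHewlett-Packard*:pnHPEliteBookFolio1040G2:pvr*
+- KEYBOARD_KEY_81=f20 # Fn+F8; Microphone mute button, should be micmute
+ KEYBOARD_KEY_d8=!f23 # touchpad off
+ KEYBOARD_KEY_d9=!f22 # touchpad on
+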
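diff --git a/debian/patches/lp1891215/0001-fs-util-add-conservative_rename-that-suppresses-unne.patch b/debian/patches/lp1891215/0001-fs-util-add-conservative_rename-that-suppresses-unne.patch
new file mode 100644
index 0000000..00c7142
--- /dev/null
+++ b/debian/patches/lp1891215/0001-fs-util-add-conservative_rename-that-suppresses-unne.patch
@@ -0,0 +1,184 @@
+From 1098142436f46b889f6b7bcc87af54bc5b95d560 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Wed, 18 Nov 2020 15:11:43 +0100
+Subject: [PATCH] fs-util: add conservative_rename() that suppresses
+ unnecessary renames
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1891215
+Origin: upstream, https://github.com/systemd/systemd/commit/1098142436f46b889f6b7bcc87af54bc5b95d560
+
+if the source and destination file match in contents and basic file
+attributes, don#t rename, but just remove source.
+
+This is a simple way to suppress inotify events + mtime changes when
+atomically updating files.
+---
+ src/basic/fs-util.c | 77 +++++++++++++++++++++++++++++++++++++++++
+ src/basic/fs-util.h | 2 ++
+ src/test/test-fs-util.c | 48 +++++++++++++++++++++++++
+ 3 files changed, 127 insertions(+)
+
+--- a/src/basic/fs-util.c
++++ b/src/basic/fs-util.c
+@@ -1479,3 +1479,80 @@ int open_parent(const char *path, int fl
+
+ return fd;
+ }
++
++int conservative_rename(
++ int olddirfd, const char *oldpath,
++ int newdirfd, const char *newpath) {
++
++ _cleanup_close_ int old_fd = -1, new_fd = -1;
++ struct stat old_stat, new_stat;
++
++ /* Renames the old path to thew new path, much like renameat() — except if both are regular files and
++ * have the exact same contents and basic file attributes already. In that case remove the new file
++ * instead. This call is useful for reducing inotify wakeups on files that are updated but don't
++ * actually change. This function is written in a style that we rather rename too often than suppress
++ * too much. i.e. whenever we are in doubt we rather rename than fail. After all reducing inotify
++ * events is an optimization only, not more. */
++
++ old_fd = openat(olddirfd, oldpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
++ if (old_fd < 0)
++ goto do_rename;
++
++ new_fd = openat(newdirfd, newpath, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
++ if (new_fd < 0)
++ goto do_rename;
++
++ if (fstat(old_fd, &old_stat) < 0)
++ goto do_rename;
++
++ if (!S_ISREG(old_stat.st_mode))
++ goto do_rename;
++
++ if (fstat(new_fd, &new_stat) < 0)
++ goto do_rename;
++
++ if (new_stat.st_ino == old_stat.st_ino &&
++ new_stat.st_dev == old_stat.st_dev)
++ goto is_same;
++
++ if (old_stat.st_mode != new_stat.st_mode ||
++ old_stat.st_size != new_stat.st_size ||
++ old_stat.st_uid != new_stat.st_uid ||
++ old_stat.st_gid != new_stat.st_gid)
++ goto do_rename;
++
++ for (;;) {
++ char buf1[16*1024];
++ char buf2[sizeof(buf1) + 1];
++ ssize_t l1, l2;
++
++ l1 = read(old_fd, buf1, sizeof(buf1));
++ if (l1 < 0)
++ goto do_rename;
++
++ l2 = read(new_fd, buf2, l1 + 1);
++ if (l1 != l2)
++ goto do_rename;
++
++ if (l1 == 0) /* EOF on both! And everything's the same so far, yay! */
++ break;
++
++ if (memcmp(buf1, buf2, l1) != 0)
++ goto do_rename;
++ }
++
++is_same:
++ /* Everything matches? Then don't rename, instead remove the source file, and leave the existing
++ * destination in place */
++
++ if (unlinkat(olddirfd, oldpath, 0) < 0)
++ goto do_rename;
++
++ return 0;
++
++do_rename:
++ if (renameat(olddirfd, oldpath, newdirfd, newpath) < 0)
++ return -errno;
++
++ return 1;
++}
+--- a/src/basic/fs-util.h
++++ b/src/basic/fs-util.h
+@@ -122,3 +122,5 @@ int fsync_path_at(int at_fd, const char
+ int syncfs_path(int atfd, const char *path);
+
+ int open_parent(const char *path, int flags, mode_t mode);
++
++int conservative_rename(int olddirfd, const char *oldpath, int newdirfd, const char *newpath);
+--- a/src/test/test-fs-util.c
++++ b/src/test/test-fs-util.c
+@@ -3,7 +3,9 @@
+ #include <unistd.h>
+
+ #include "alloc-util.h"
++#include "copy.h"
+ #include "fd-util.h"
++#include "fileio.h"
+ #include "fs-util.h"
+ #include "id128-util.h"
+ #include "macro.h"
+@@ -849,6 +851,53 @@ static void test_chmod_and_chown_unsafe(
+ assert_se(S_ISLNK(st.st_mode));
+ }
+
++static void test_conservative_rename(void) {
++ _cleanup_(unlink_and_freep) char *p = NULL;
++ _cleanup_free_ char *q = NULL;
++ struct stat st;
++
++ assert_se(tempfn_random_child(NULL, NULL, &p) >= 0);
++ assert_se(write_string_file(p, "this is a test", WRITE_STRING_FILE_CREATE) >= 0);
++
++ assert_se(tempfn_random_child(NULL, NULL, &q) >= 0);
++
++ /* Check that the hardlinked "copy" is detected */
++ assert_se(link(p, q) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) == 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Check that a manual copy is detected */
++ assert_se(stat(p, &st) >= 0);
++ assert_se(copy_file(p, q, 0, st.st_mode, 0, 0, COPY_REFLINK) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) == 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Check that a manual new writeout is also detected */
++ assert_se(write_string_file(q, "this is a test", WRITE_STRING_FILE_CREATE) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) == 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Check that a minimally changed version is detected */
++ assert_se(write_string_file(q, "this is a_test", WRITE_STRING_FILE_CREATE) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) > 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Check that this really is new updated version */
++ assert_se(write_string_file(q, "this is a_test", WRITE_STRING_FILE_CREATE) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) == 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Make sure we detect extended files */
++ assert_se(write_string_file(q, "this is a_testx", WRITE_STRING_FILE_CREATE) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) > 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++
++ /* Make sure we detect truncated files */
++ assert_se(write_string_file(q, "this is a_test", WRITE_STRING_FILE_CREATE) >= 0);
++ assert_se(conservative_rename(AT_FDCWD, q, AT_FDCWD, p) > 0);
++ assert_se(access(q, F_OK) < 0 && errno == ENOENT);
++}
++
+ int main(int argc, char *argv[]) {
+ test_setup_logging(LOG_INFO);
+
+@@ -867,6 +916,7 @@ int main(int argc, char *argv[]) {
+ test_rename_noreplace();
+ test_chmod_and_chown();
+ test_chmod_and_chown_unsafe();
++ test_conservative_rename();
+
+ return 0;
+ }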
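Review bot: In `conservative_rename()` both `openat()` calls run before any file-type check, so if a caller can ever be handed a FIFO at `oldpath` or `newpath` (callers are not shown in this patch) the open itself would block. Adding `O_NONBLOCK` to both flag sets (`O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_NONBLOCK`) leaves the existing `S_ISREG` and `st_mode` comparisons as the gate and does not change reads on regular files. The content comparison is made on the opened descriptors while `unlinkat()` and `renameat()` resolve the paths again, so the result is only sound when no other party can replace either name in between; the header comment should state that precondition for the two directories. That comment also says the "new file" is removed, whereas the `is_same:` branch unlinks `oldpath`. It also leaves the return values undocumented: 0 when the rename was suppressed, 1 when it was performed, `-errno` when `renameat()` fails.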
4985diff --git a/debian/patches/lp1891215/0002-resolved-don-t-update-resolv.conf-snippets-unnecessa.patch b/debian/patches/lp1891215/0002-resolved-don-t-update-resolv.conf-snippets-unnecessa.patch
4986new file mode 100644
4987index 0000000..4a88f77
4988--- /dev/null
4989+++ b/debian/patches/lp1891215/0002-resolved-don-t-update-resolv.conf-snippets-unnecessa.patch
4990@@ -0,0 +1,46 @@
4991+From f3e1f00d03445911ee73729219cea88c8a70c612 Mon Sep 17 00:00:00 2001
4992+From: Lennart Poettering <lennart@poettering.net>
4993+Date: Wed, 18 Nov 2020 15:12:44 +0100
4994+Subject: [PATCH] resolved: don't update resolv.conf snippets unnecessarily
4995+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1891215
4996+Origin: upstream, https://github.com/systemd/systemd/commit/f3e1f00d03445911ee73729219cea88c8a70c612
4997+
4998+Fixes: #17577
4999+---
5000+ src/resolve/resolved-resolv-conf.c | 10 ++++++----
The diff has been truncated for viewing.
