
[kirkstone,10/15] systemd: upgrade 250.5 -> 250.14

Message ID 371d030a665e3c963a586ab02d10f1f36b225435.1740677838.git.steve@sakoman.com
State Accepted, archived
Commit 371d030a665e3c963a586ab02d10f1f36b225435
Delegated to: Steve Sakoman
Series [kirkstone,01/15] xserver-xorg: Fix for CVE-2025-26594

Commit Message

Steve Sakoman Feb. 27, 2025, 5:39 p.m. UTC
From: Narpat Mali <narpat.falna@gmail.com>

Latest stable branch update which includes 396 commits and the full
list of changes can be found at:
https://github.com/systemd/systemd-stable/compare/v250.5...v250.14

All the patches were refreshed with devtool.

Backported this upstreamed patch to resolve the compile error while
building systemd with qemumips machine.
- 0001-core-fix-build-when-seccomp-is-off.patch

The 2 patches below were modified to resolve the merge conflicts
introduced by systemd v250.14 version:
1. 0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
- This patch was just adjusted based on the systemd v250.14 version.

2. 0001-pass-correct-parameters-to-getdents64.patch
- For this patch, there was a commit reverted as part of the v250.8 tag:
https://github.com/systemd/systemd-stable/commit/51089e007f2f45fc15e37e7a9dcf3045416e1239

The 6 patches below were dropped as systemd v250.14 already has
the changes:
- 0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
- CVE-2022-3821.patch
- CVE-2022-4415-1.patch
- CVE-2022-4415-2.patch
- CVE-2022-45873.patch
- CVE-2023-7008.patch

Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
Signed-off-by: Randy Macleod <randy.macleod@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 ...d-boot_250.5.bb => systemd-boot_250.14.bb} |   0
 meta/recipes-core/systemd/systemd.inc         |   2 +-
 .../0001-Adjust-for-musl-headers.patch        |  20 +-
 ...sysctl.d-binfmt.d-modules-load.d-to-.patch |  18 +-
 ...1-core-fix-build-when-seccomp-is-off.patch |  41 ++
 ...ass-correct-parameters-to-getdents64.patch |  49 ++-
 ...w-json_variant_dump-to-return-an-err.patch |  60 ---
 .../0002-Add-sys-stat.h-for-S_IFDIR.patch     |   6 +-
 ...3-missing_type.h-add-comparison_fn_t.patch |   6 +-
 ...k-parse_printf_format-implementation.patch |   6 +-
 ...missing.h-check-for-missing-strndupa.patch |  62 ++-
 ...OB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch |   8 +-
 ...008-add-missing-FTW_-macros-for-musl.patch |   4 +-
 ..._register_atfork-for-non-glibc-build.patch |   6 +-
 ...10-Use-uintmax_t-for-handling-rlim_t.patch |   6 +-
 ...sable-tests-for-missing-typedefs-in-.patch |   2 +-
 ...T_SYMLINK_NOFOLLOW-flag-to-faccessat.patch |   4 +-
 ...patible-basename-for-non-glibc-syste.patch |   2 +-
 ...uffering-when-writing-to-oom_score_a.patch |   6 +-
 ...compliant-strerror_r-from-GNU-specif.patch |   2 +-
 ...definition-of-prctl_mm_map-structure.patch |   2 +-
 .../0021-test-json.c-define-M_PIl.patch       |   4 +-
 ...-not-disable-buffer-in-writing-files.patch |  38 +-
 .../0025-Handle-__cpu_mask-usage.patch        |   2 +-
 .../systemd/0026-Handle-missing-gshadow.patch |   4 +-
 ...l.h-Define-MIPS-ABI-defines-for-musl.patch |   4 +-
 .../systemd/systemd/CVE-2022-3821.patch       |  45 --
 .../systemd/systemd/CVE-2022-4415-1.patch     | 109 -----
 .../systemd/systemd/CVE-2022-4415-2.patch     | 391 ------------------
 .../systemd/systemd/CVE-2022-45873.patch      | 124 ------
 .../systemd/systemd/CVE-2023-7008.patch       |  40 --
 .../{systemd_250.5.bb => systemd_250.14.bb}   |   7 +-
 32 files changed, 187 insertions(+), 893 deletions(-)
 rename meta/recipes-core/systemd/{systemd-boot_250.5.bb => systemd-boot_250.14.bb} (100%)
 create mode 100644 meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
 delete mode 100644 meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
 rename meta/recipes-core/systemd/{systemd_250.5.bb => systemd_250.14.bb} (99%)

Comments

patchtest@automation.yoctoproject.org Feb. 27, 2025, 5:52 p.m. UTC | #1
Thank you for your submission. Patchtest identified one
or more issues with the patch. Please see the log below for
more information:

---
Testing patch /home/patchtest/share/mboxes/kirkstone-10-15-systemd-upgrade-250.5---250.14.patch

FAIL: test CVE tag format: Missing or incorrectly formatted CVE tag in patch file. Correct or include the CVE tag in the patch with format: "CVE: CVE-YYYY-XXXX" (test_patch.TestPatch.test_cve_tag_format)

PASS: pretest src uri left files (test_metadata.TestMetadata.pretest_src_uri_left_files)
PASS: test CVE check ignore (test_metadata.TestMetadata.test_cve_check_ignore)
PASS: test Signed-off-by presence (test_mbox.TestMbox.test_signed_off_by_presence)
PASS: test Signed-off-by presence (test_patch.TestPatch.test_signed_off_by_presence)
PASS: test Upstream-Status presence (test_patch.TestPatch.test_upstream_status_presence_format)
PASS: test author valid (test_mbox.TestMbox.test_author_valid)
PASS: test commit message presence (test_mbox.TestMbox.test_commit_message_presence)
PASS: test commit message user tags (test_mbox.TestMbox.test_commit_message_user_tags)
PASS: test lic files chksum modified not mentioned (test_metadata.TestMetadata.test_lic_files_chksum_modified_not_mentioned)
PASS: test max line length (test_metadata.TestMetadata.test_max_line_length)
PASS: test mbox format (test_mbox.TestMbox.test_mbox_format)
PASS: test non-AUH upgrade (test_mbox.TestMbox.test_non_auh_upgrade)
PASS: test shortlog format (test_mbox.TestMbox.test_shortlog_format)
PASS: test shortlog length (test_mbox.TestMbox.test_shortlog_length)
PASS: test src uri left files (test_metadata.TestMetadata.test_src_uri_left_files)
PASS: test target mailing list (test_mbox.TestMbox.test_target_mailing_list)

SKIP: pretest pylint: No python related patches, skipping test (test_python_pylint.PyLint.pretest_pylint)
SKIP: test bugzilla entry format: No bug ID found (test_mbox.TestMbox.test_bugzilla_entry_format)
SKIP: test lic files chksum presence: No added recipes, skipping test (test_metadata.TestMetadata.test_lic_files_chksum_presence)
SKIP: test license presence: No added recipes, skipping test (test_metadata.TestMetadata.test_license_presence)
SKIP: test pylint: No python related patches, skipping test (test_python_pylint.PyLint.test_pylint)
SKIP: test series merge on head: Merge test is disabled for now (test_mbox.TestMbox.test_series_merge_on_head)
SKIP: test summary presence: No added recipes, skipping test (test_metadata.TestMetadata.test_summary_presence)

---

Please address the issues identified and
submit a new revision of the patch, or alternatively, reply to this
email with an explanation of why the patch should be accepted. If you
believe these results are due to an error in patchtest, please submit a
bug at https://bugzilla.yoctoproject.org/ (use the 'Patchtest' category
under 'Yocto Project Subprojects'). For more information on specific
failures, see: https://wiki.yoctoproject.org/wiki/Patchtest. Thank
you!

Patch

diff --git a/meta/recipes-core/systemd/systemd-boot_250.5.bb b/meta/recipes-core/systemd/systemd-boot_250.14.bb
similarity index 100%
rename from meta/recipes-core/systemd/systemd-boot_250.5.bb
rename to meta/recipes-core/systemd/systemd-boot_250.14.bb
diff --git a/meta/recipes-core/systemd/systemd.inc b/meta/recipes-core/systemd/systemd.inc
index 309105290f..86ae4793c3 100644
--- a/meta/recipes-core/systemd/systemd.inc
+++ b/meta/recipes-core/systemd/systemd.inc
@@ -14,7 +14,7 @@  LICENSE = "GPL-2.0-only & LGPL-2.1-only"
 LIC_FILES_CHKSUM = "file://LICENSE.GPL2;md5=751419260aa954499f7abaabaa882bbe \
                     file://LICENSE.LGPL2.1;md5=4fbd65380cdd255951079008b364516c"
 
-SRCREV = "4a31fa2fb040005b73253da75cf84949b8485175"
+SRCREV = "4ada1290584745ab6643eece9e1756a8c0e079ca"
 SRCBRANCH = "v250-stable"
 SRC_URI = "git://github.com/systemd/systemd-stable.git;protocol=https;branch=${SRCBRANCH}"
 
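Review bot: the new value on the `+SRCREV` line is a bare hash, and nothing in the recipe ties it to the v250.14 tag; only the compare URL in the commit message does. A one-line comment above SRCREV naming the tag, or a sentence in the commit message stating which tag the hash resolves to, would let a reviewer confirm that the six dropped CVE and backport patches are covered by this revision instead of inferring it from the file rename.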
diff --git a/meta/recipes-core/systemd/systemd/0001-Adjust-for-musl-headers.patch b/meta/recipes-core/systemd/systemd/0001-Adjust-for-musl-headers.patch
index c42c66786f..c3cc3ea790 100644
--- a/meta/recipes-core/systemd/systemd/0001-Adjust-for-musl-headers.patch
+++ b/meta/recipes-core/systemd/systemd/0001-Adjust-for-musl-headers.patch
@@ -1,4 +1,4 @@ 
-From 9a1841402ce3ef21a10a7314a07a615f8196d406 Mon Sep 17 00:00:00 2001
+From 10ec14bf4a75891a99defa37f5e9452ac6fe12b3 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 22:19:37 -0800
 Subject: [PATCH] Adjust for musl headers
@@ -174,7 +174,7 @@  index d15766cd7b..60728b4f94 100644
  #include "conf-parser.h"
  #include "ipvlan.h"
 diff --git a/src/network/netdev/macsec.c b/src/network/netdev/macsec.c
-index f1a566a9ca..1f37927a83 100644
+index df0d924443..6400032f96 100644
 --- a/src/network/netdev/macsec.c
 +++ b/src/network/netdev/macsec.c
 @@ -1,7 +1,7 @@
@@ -200,7 +200,7 @@  index c41be6e78f..ee2660c5bf 100644
  #include "conf-parser.h"
  #include "macvlan.h"
 diff --git a/src/network/netdev/netdev.c b/src/network/netdev/netdev.c
-index 8e7fe11c18..701ab2bd69 100644
+index b46b9ecc90..e6e58c5f0f 100644
 --- a/src/network/netdev/netdev.c
 +++ b/src/network/netdev/netdev.c
 @@ -2,7 +2,7 @@
@@ -275,7 +275,7 @@  index c946e81fc0..d1a6be73f9 100644
  
  #include "netlink-util.h"
 diff --git a/src/network/netdev/vlan.c b/src/network/netdev/vlan.c
-index af3e77963e..efa4b0a164 100644
+index 58c2da32dd..f4a5fd7343 100644
 --- a/src/network/netdev/vlan.c
 +++ b/src/network/netdev/vlan.c
 @@ -2,7 +2,7 @@
@@ -327,7 +327,7 @@  index 30b0855598..a065158801 100644
  #include "conf-parser.h"
  #include "alloc-util.h"
 diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
-index 88f668753a..5fc753384b 100644
+index 6c251b3a2e..000e3d01a9 100644
 --- a/src/network/netdev/wireguard.c
 +++ b/src/network/netdev/wireguard.c
 @@ -6,7 +6,7 @@
@@ -373,7 +373,7 @@  index 10025a97ae..a0239ea83a 100644
  #define STATIC_BRIDGE_MDB_ENTRIES_PER_NETWORK_MAX 1024U
  
 diff --git a/src/network/networkd-dhcp-common.c b/src/network/networkd-dhcp-common.c
-index 7996960bd1..e870b9ba26 100644
+index 4f13eada05..7e3ea2108b 100644
 --- a/src/network/networkd-dhcp-common.c
 +++ b/src/network/networkd-dhcp-common.c
 @@ -1,7 +1,8 @@
@@ -421,7 +421,7 @@  index 9acfd17d49..3108289602 100644
  
  #include "sd-dhcp-server.h"
 diff --git a/src/network/networkd-dhcp4.c b/src/network/networkd-dhcp4.c
-index cb9c428ae9..a35d58f3f1 100644
+index f97e8033b8..21026ac0bf 100644
 --- a/src/network/networkd-dhcp4.c
 +++ b/src/network/networkd-dhcp4.c
 @@ -3,7 +3,7 @@
@@ -434,7 +434,7 @@  index cb9c428ae9..a35d58f3f1 100644
  #include "alloc-util.h"
  #include "dhcp-client-internal.h"
 diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
-index b62a154828..75949e6094 100644
+index 090da53a1e..8b402a5b04 100644
 --- a/src/network/networkd-link.c
 +++ b/src/network/networkd-link.c
 @@ -3,7 +3,7 @@
@@ -447,7 +447,7 @@  index b62a154828..75949e6094 100644
  #include <linux/netdevice.h>
  #include <sys/socket.h>
 diff --git a/src/network/networkd-route.c b/src/network/networkd-route.c
-index ee7a535075..ce6ed64133 100644
+index f3b6f38967..5793fd93f8 100644
 --- a/src/network/networkd-route.c
 +++ b/src/network/networkd-route.c
 @@ -1,9 +1,5 @@
@@ -472,7 +472,7 @@  index ee7a535075..ce6ed64133 100644
          _cleanup_(route_freep) Route *route = NULL;
  
 diff --git a/src/network/networkd-setlink.c b/src/network/networkd-setlink.c
-index e00cc1e589..e392c7e1a2 100644
+index 1ab58a5bd2..72860cc542 100644
 --- a/src/network/networkd-setlink.c
 +++ b/src/network/networkd-setlink.c
 @@ -2,7 +2,7 @@
diff --git a/meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch b/meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
index 31efc4cc4b..9303f42daf 100644
--- a/meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
+++ b/meta/recipes-core/systemd/systemd/0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch
@@ -1,4 +1,4 @@ 
-From beb0219b71510bc63aed81d2a970a04349d6c616 Mon Sep 17 00:00:00 2001
+From e06212833237dd639a843b5f9733f8a49f3a9119 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Tue, 29 Sep 2020 18:01:41 -0700
 Subject: [PATCH] Move sysusers.d/sysctl.d/binfmt.d/modules-load.d to /usr
@@ -7,21 +7,26 @@  These directories are moved to /lib since systemd v246, commit
 4a56315a990b ("path: use ROOTPREFIX properly"), but in oe-core/yocto,
 the old /usr/lib is still being used.
 
+Modified to resolve the merge conflict introduced by systemd v250.14
+version.
+
 Upstream-Status: Inappropriate (OE-specific)
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
+
 ---
  src/core/systemd.pc.in           | 8 ++++----
  src/libsystemd/sd-path/sd-path.c | 8 ++++----
  2 files changed, 8 insertions(+), 8 deletions(-)
 
 diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
-index fc0f8c34fa..65996bbed8 100644
+index 693433b34b..8368a3ff02 100644
 --- a/src/core/systemd.pc.in
 +++ b/src/core/systemd.pc.in
-@@ -65,16 +65,16 @@ systemdshutdowndir=${systemd_shutdown_dir}
- tmpfiles_dir=${prefix}/lib/tmpfiles.d
- tmpfilesdir=${tmpfiles_dir}
+@@ -67,16 +67,16 @@ tmpfilesdir=${tmpfiles_dir}
+
+ user_tmpfiles_dir=${prefix}/share/user-tmpfiles.d
  
 -sysusers_dir=${rootprefix}/lib/sysusers.d
 +sysusers_dir=${prefix}/lib/sysusers.d
@@ -68,6 +73,3 @@  index ff1e0d5f8e..19a001f47e 100644
                  return 0;
  
          case SD_PATH_CATALOG:
--- 
-2.34.1
-
diff --git a/meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch b/meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
new file mode 100644
index 0000000000..63100ce6da
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-core-fix-build-when-seccomp-is-off.patch
@@ -0,0 +1,41 @@ 
+From 10c567204edcd2926ce4f762d7015d5894756d52 Mon Sep 17 00:00:00 2001
+From: Jonas Gorski <jonas.gorski@bisdn.de>
+Date: Thu, 12 Sep 2024 15:46:29 +0200
+Subject: [PATCH] core: fix build when seccomp is off
+
+Something went wrong when 6aa2c55522d7cac62ecfd5d5687a86a84f158d18 was
+cherry-picked for v250-stable, causing it to fail to build when seccomp
+is disabled.
+
+Fix this by changing the code to how it looks like in other versions of
+the backported commit, slightly adapted to the file's style in v250.
+
+Fixes the following build error:
+
+| ../git/src/core/main.c: In function 'parse_config_file':
+| ../git/src/core/main.c:721:101: error: lvalue required as unary '&' operand
+|   721 |                 { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &DISABLED_CONFIGURATION                },
+|       |                                                                                                     ^
+
+Fixes: 8e8c7d51140b ("pid1: generate compat warning for SystemCallArchitectures= if seccomp is off")
+
+Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/b19b7c67e9cb74c44c43a0daf6172f9d32f134ec]
+Signed-off-by: Jonas Gorski <jonas.gorski@bisdn.de>
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
+---
+ src/core/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/core/main.c b/src/core/main.c
+index 19686fa475..5914be6a83 100644
+--- a/src/core/main.c
++++ b/src/core/main.c
+@@ -718,7 +718,7 @@ static int parse_config_file(void) {
+ #if HAVE_SECCOMP
+                 { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &arg_syscall_archs                     },
+ #else
+-                { "Manager", "SystemCallArchitectures",      config_parse_syscall_archs,         0, &DISABLED_CONFIGURATION                },
++                { "Manager", "SystemCallArchitectures",      config_parse_warn_compat,           DISABLED_CONFIGURATION, NULL              },
+ #endif
+                 { "Manager", "TimerSlackNSec",               config_parse_nsec,                  0, &arg_timer_slack_nsec                  },
+                 { "Manager", "DefaultTimerAccuracySec",      config_parse_sec,                   0, &arg_default_timer_accuracy_usec       },
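Review bot: the `Upstream-Status: Backport` line points at a systemd-stable commit while the recipe already follows `v250-stable` by SRCREV, so if that commit is on the branch, moving SRCREV forward to include it would avoid carrying this file at all. If the patch stays, note that the changed table entry sits in the `#else` of `#if HAVE_SECCOMP` and is only compiled when seccomp is disabled; the commit message mentions qemumips only, so state explicitly that a seccomp-off build was run to confirm the fix.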
diff --git a/meta/recipes-core/systemd/systemd/0001-pass-correct-parameters-to-getdents64.patch b/meta/recipes-core/systemd/systemd/0001-pass-correct-parameters-to-getdents64.patch
index 9ebff9825a..b64d6b30a7 100644
--- a/meta/recipes-core/systemd/systemd/0001-pass-correct-parameters-to-getdents64.patch
+++ b/meta/recipes-core/systemd/systemd/0001-pass-correct-parameters-to-getdents64.patch
@@ -1,4 +1,4 @@ 
-From dab02796780f00d689cc1c7a0ba81abe7c5f28d0 Mon Sep 17 00:00:00 2001
+From 2252b9a6c598f8ed4efe95d2a149f68db7fb9cc4 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 15:15:11 -0800
 Subject: [PATCH] pass correct parameters to getdents64
@@ -12,14 +12,33 @@  Fixes
         n = getdents64(fd, &buffer, sizeof(buffer));
                            ^~~~~~~
 
+Modified to resolve the merge conflict introduced by systemd v250.14 version.
+
 Upstream-Status: Inappropriate [musl specific]
 Signed-off-by: Khem Raj <raj.khem@gmail.com>
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+Signed-off-by: Narpat Mali <narpat.falna@gmail.com>
+
 ---
+ src/basic/dirent-util.h | 6 ++++++
  src/basic/recurse-dir.c | 2 +-
- src/basic/stat-util.c   | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
+ src/basic/stat-util.c   | 8 ++++++--
+ 3 files changed, 13 insertions(+), 3 deletions(-)
 
+diff --git a/src/basic/dirent-util.h b/src/basic/dirent-util.h
+index 04bc53003f..5fde9043a3 100644
+--- a/src/basic/dirent-util.h
++++ b/src/basic/dirent-util.h
+@@ -51,3 +51,9 @@ assert_cc(sizeof_field(struct dirent, d_name) == sizeof_field(struct dirent64, d
+         for (void *_end = (uint8_t*) ({ (de) = (buf); }) + (sz);        \
+              (uint8_t*) (de) < (uint8_t*) _end;                         \
+              (de) = (struct dirent*) ((uint8_t*) (de) + (de)->d_reclen))
++
++#define DEFINE_DIRENT_BUFFER(name, sz)                                  \
++        union {                                                         \
++                struct dirent de;                                       \
++                uint8_t data[(sz) * DIRENT_SIZE_MAX];                   \
++        } name
 diff --git a/src/basic/recurse-dir.c b/src/basic/recurse-dir.c
 index efa1797b7b..03ff10ebe9 100644
 --- a/src/basic/recurse-dir.c
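Review bot: the header still reads `Upstream-Status: Inappropriate [musl specific]`, but with the added `src/basic/dirent-util.h` section the patch now defines `DEFINE_DIRENT_BUFFER` itself and its `stat-util.c` diffstat grows from 2 to 8 lines, which is more than a pointer cast for musl. "Modified to resolve the merge conflict" does not say that; the description should explain that the base no longer has the getdents64 code in `stat-util.c` and that this patch re-adds it, or the patch should be reduced to the `recurse-dir.c` cast so the status line stays accurate.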
@@ -34,18 +53,28 @@  index efa1797b7b..03ff10ebe9 100644
                          return -errno;
                  if (n == 0)
 diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
-index c2269844f8..7cd6c7fa42 100644
+index db22f06d0f..cb76726c37 100644
 --- a/src/basic/stat-util.c
 +++ b/src/basic/stat-util.c
-@@ -99,7 +99,7 @@ int dir_is_empty_at(int dir_fd, const char *path) {
+@@ -66,6 +66,10 @@ int is_device_node(const char *path) {
+ int dir_is_empty_at(int dir_fd, const char *path) {
+         _cleanup_close_ int fd = -1;
+         _cleanup_closedir_ DIR *d = NULL;
++        /* Allocate space for at least 3 full dirents, since every dir has at least two entries ("."  +
++         * ".."), and only once we have seen if there's a third we know whether the dir is empty or not. */
++        DEFINE_DIRENT_BUFFER(buffer, 3);
++        ssize_t n;
+
+         if (path) {
+                 assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
+@@ -85,8 +89,8 @@ int dir_is_empty_at(int dir_fd, const char *path) {
                          return fd;
          }
  
--        n = getdents64(fd, &buffer, sizeof(buffer));
+-        d = take_fdopendir(&fd);
+-        if (!d)
 +        n = getdents64(fd, (struct dirent *)&buffer, sizeof(buffer));
-         if (n < 0)
++        if (n < 0)
                  return -errno;
  
--- 
-2.34.1
-
+         FOREACH_DIRENT(de, d, return -errno)
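Review bot: in the rewritten `dir_is_empty_at()` hunk the patch removes `d = take_fdopendir(&fd);` and its `if (!d)` check but leaves `FOREACH_DIRENT(de, d, return -errno)` as context, so `d` is still NULL from `_cleanup_closedir_ DIR *d = NULL;` when the loop runs. The re-added `getdents64()` result `n` is checked for error and then, as far as the visible lines show, never used to walk `buffer`. The old side of this hunk shows the v250.14 base opening the directory with `take_fdopendir()` and not calling getdents64 here, so there is no pointer-type mismatch left to fix in `stat-util.c`; drop this part and keep only the cast in `recurse-dir.c`.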
diff --git a/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch b/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
deleted file mode 100644
index b23b735507..0000000000
--- a/meta/recipes-core/systemd/systemd/0001-shared-json-allow-json_variant_dump-to-return-an-err.patch
+++ /dev/null
@@ -1,60 +0,0 @@ 
-From 25492154b42f68a48752a7f61eaf1fb61e454e52 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 18 Oct 2022 18:09:06 +0200
-Subject: [PATCH] shared/json: allow json_variant_dump() to return an error
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/7922ead507e0d83e4ec72a8cbd2b67194766e58c]
-
-Needed to fix CVE-2022-45873.patch backported from systemd/main,
-otherwise it fails to build with:
-
-| ../git/src/shared/elf-util.c: In function 'parse_elf_object':
-| ../git/src/shared/elf-util.c:792:27: error: void value not ignored as it ought to be
-|   792 |                         r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-|       |                           ^
-
-Signed-off-by: Martin Jansa <martin2.jansa@lgepartner.com>
----
- src/shared/json.c | 7 ++++---
- src/shared/json.h | 2 +-
- 2 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/src/shared/json.c b/src/shared/json.c
-index dff95eda26..81c05efe22 100644
---- a/src/shared/json.c
-+++ b/src/shared/json.c
-@@ -1792,9 +1792,9 @@ int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret) {
-         return (int) sz - 1;
- }
- 
--void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
-+int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix) {
-         if (!v)
--                return;
-+                return 0;
- 
-         if (!f)
-                 f = stdout;
-@@ -1820,7 +1820,8 @@ void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const cha
-                 fputc('\n', f); /* In case of SSE add a second newline */
- 
-         if (flags & JSON_FORMAT_FLUSH)
--                fflush(f);
-+                return fflush_and_check(f);
-+        return 0;
- }
- 
- int json_variant_filter(JsonVariant **v, char **to_remove) {
-diff --git a/src/shared/json.h b/src/shared/json.h
-index 8760354b66..c712700763 100644
---- a/src/shared/json.h
-+++ b/src/shared/json.h
-@@ -187,7 +187,7 @@ typedef enum JsonFormatFlags {
- } JsonFormatFlags;
- 
- int json_variant_format(JsonVariant *v, JsonFormatFlags flags, char **ret);
--void json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
-+int json_variant_dump(JsonVariant *v, JsonFormatFlags flags, FILE *f, const char *prefix);
- 
- int json_variant_filter(JsonVariant **v, char **to_remove);
- 
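Review bot: the header of this deleted patch says it exists only to make CVE-2022-45873.patch build, so the deletion is safe only alongside that removal and only if v250.14 already has the `int`-returning `json_variant_dump()`. The diffstat shows both files going in this commit, but the commit message gives no stable-branch commit for either change; name it, or confirm that `src/shared/json.c` in the fetched source contains the `return fflush_and_check(f);` line, so the dropped CVE fixes can be audited.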
diff --git a/meta/recipes-core/systemd/systemd/0002-Add-sys-stat.h-for-S_IFDIR.patch b/meta/recipes-core/systemd/systemd/0002-Add-sys-stat.h-for-S_IFDIR.patch
index 8cf0546450..5ed907412f 100644
--- a/meta/recipes-core/systemd/systemd/0002-Add-sys-stat.h-for-S_IFDIR.patch
+++ b/meta/recipes-core/systemd/systemd/0002-Add-sys-stat.h-for-S_IFDIR.patch
@@ -1,4 +1,4 @@ 
-From 4b731a5e2547b5292f9a774b849e14c0cf7b3955 Mon Sep 17 00:00:00 2001
+From 2e7d75e9a045f7580c60436dbee44301393a66c3 Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Fri, 21 Jan 2022 15:17:37 -0800
 Subject: [PATCH] Add sys/stat.h for S_IFDIR
@@ -14,10 +14,10 @@  Signed-off-by: Khem Raj <raj.khem@gmail.com>
  1 file changed, 1 insertion(+)
 
 diff --git a/src/shared/mkdir-label.c b/src/shared/mkdir-label.c
-index d36a6466d7..63b764cd83 100644
+index 5b1ac5d1e0..fa5802b894 100644
 --- a/src/shared/mkdir-label.c
 +++ b/src/shared/mkdir-label.c
-@@ -4,6 +4,7 @@
+@@ -6,6 +6,7 @@
  #include "selinux-util.h"
  #include "smack-util.h"
  #include "user-util.h"
diff --git a/meta/recipes-core/systemd/systemd/0003-missing_type.h-add-comparison_fn_t.patch b/meta/recipes-core/systemd/systemd/0003-missing_type.h-add-comparison_fn_t.patch
index c28c8381e8..e1fedd71b8 100644
--- a/meta/recipes-core/systemd/systemd/0003-missing_type.h-add-comparison_fn_t.patch
+++ b/meta/recipes-core/systemd/systemd/0003-missing_type.h-add-comparison_fn_t.patch
@@ -1,4 +1,4 @@ 
-From 5513b918d02900a3a78fd0e0300a118b163edfef Mon Sep 17 00:00:00 2001
+From a134b05d2cbc0d05a5ad7d9ebbb4ba57d424752c Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 13:55:12 +0800
 Subject: [PATCH] missing_type.h: add comparison_fn_t
@@ -14,6 +14,7 @@  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
 Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
 [Rebased for v250, Drop __compare_fn_t]
 Signed-off-by: Jiaqing Zhao <jiaqing.zhao@linux.intel.com>
+
 ---
  src/basic/missing_type.h            | 4 ++++
  src/basic/sort-util.h               | 1 +
@@ -56,6 +57,3 @@  index 8fc87b131a..36a6efdbd8 100644
  
  const char * const catalog_file_dirs[] = {
          "/usr/local/lib/systemd/catalog/",
--- 
-2.34.1
-
diff --git a/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch b/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
index 1bd538b0c0..c233560e52 100644
--- a/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
+++ b/meta/recipes-core/systemd/systemd/0004-add-fallback-parse_printf_format-implementation.patch
@@ -1,4 +1,4 @@ 
-From 3d9910dcda697b1e361bba49c99050ee0d116742 Mon Sep 17 00:00:00 2001
+From e53661c4dc9b15397a87077169fe729934ce5e13 Mon Sep 17 00:00:00 2001
 From: Alexander Kanavin <alex.kanavin@gmail.com>
 Date: Sat, 22 May 2021 20:26:24 +0200
 Subject: [PATCH] add fallback parse_printf_format implementation
@@ -23,10 +23,10 @@  Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  create mode 100644 src/basic/parse-printf-format.h
 
 diff --git a/meson.build b/meson.build
-index cb9936ee8b..ae53345260 100644
+index 01c4b4dc70..29129a83e2 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -686,6 +686,7 @@ endif
+@@ -705,6 +705,7 @@ endif
  foreach header : ['crypt.h',
                    'linux/memfd.h',
                    'linux/vm_sockets.h',
diff --git a/meta/recipes-core/systemd/systemd/0005-src-basic-missing.h-check-for-missing-strndupa.patch b/meta/recipes-core/systemd/systemd/0005-src-basic-missing.h-check-for-missing-strndupa.patch
index 680930ca3c..786f8304ac 100644
--- a/meta/recipes-core/systemd/systemd/0005-src-basic-missing.h-check-for-missing-strndupa.patch
+++ b/meta/recipes-core/systemd/systemd/0005-src-basic-missing.h-check-for-missing-strndupa.patch
@@ -1,4 +1,4 @@ 
-From 106b7bd7186c9d6c1dcd72bd4ca6457d3fa72d0b Mon Sep 17 00:00:00 2001
+From 38c8e75938a439dd8f961a9ea4084deca0c46269 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 14:18:21 +0800
 Subject: [PATCH] src/basic/missing.h: check for missing strndupa
@@ -17,6 +17,7 @@  Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
 [rebased for systemd 244]
 [Rebased for v247]
 Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
+
 ---
  meson.build                                |  1 +
  src/backlight/backlight.c                  |  1 +
@@ -73,10 +74,10 @@  Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
  52 files changed, 63 insertions(+)
 
 diff --git a/meson.build b/meson.build
-index cb9936ee8b..7ab201c6d9 100644
+index 29129a83e2..3fec6aac3e 100644
 --- a/meson.build
 +++ b/meson.build
-@@ -507,6 +507,7 @@ foreach ident : ['secure_getenv', '__secure_getenv']
+@@ -526,6 +526,7 @@ foreach ident : ['secure_getenv', '__secure_getenv']
  endforeach
  
  foreach ident : [
@@ -97,7 +98,7 @@  index 5a3095cbba..22cfa4d526 100644
  static int help(void) {
          _cleanup_free_ char *link = NULL;
 diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
-index a626ecf2e2..f7dc6c8421 100644
+index e65ad678ab..d3bed80620 100644
 --- a/src/basic/cgroup-util.c
 +++ b/src/basic/cgroup-util.c
 @@ -37,6 +37,7 @@
@@ -121,7 +122,7 @@  index 885967e7f3..d0b7dc845e 100644
  /* We follow bash for the character set. Different shells have different rules. */
  #define VALID_BASH_ENV_NAME_CHARS               \
 diff --git a/src/basic/log.c b/src/basic/log.c
-index 12071e2ebd..15254c7bbc 100644
+index 10de8bd7c0..4f0e7eaad3 100644
 --- a/src/basic/log.c
 +++ b/src/basic/log.c
 @@ -36,6 +36,7 @@
@@ -153,7 +154,7 @@  index 8c76f93eb2..9068bfb4f0 100644
 +  })
 +#endif
 diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
-index 51a0d74e87..03569f71f8 100644
+index 27144dd45a..0395c124da 100644
 --- a/src/basic/mkdir.c
 +++ b/src/basic/mkdir.c
 @@ -15,6 +15,7 @@
@@ -237,7 +238,7 @@  index 65f96abb06..e485a0196b 100644
  int procfs_get_pid_max(uint64_t *ret) {
          _cleanup_free_ char *value = NULL;
 diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index b659d6905d..020112be24 100644
+index 89dc593d44..ffbaffd451 100644
 --- a/src/basic/time-util.c
 +++ b/src/basic/time-util.c
 @@ -26,6 +26,7 @@
@@ -273,7 +274,7 @@  index f0d8759e85..b4c1053e64 100644
  
  BUS_DEFINE_PROPERTY_GET(bus_property_get_tasks_max, "t", TasksMax, tasks_max_resolve);
 diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
-index 5c499e5d06..e7ab1bb9a5 100644
+index db1698393c..77cc8bb507 100644
 --- a/src/core/dbus-execute.c
 +++ b/src/core/dbus-execute.c
 @@ -44,6 +44,7 @@
@@ -297,10 +298,10 @@  index 32a2ec0ff9..36be2511e4 100644
  int bus_property_get_triggered_unit(
                  sd_bus *bus,
 diff --git a/src/core/execute.c b/src/core/execute.c
-index 0b20d386d3..fccfb9268c 100644
+index da0cd2dcbe..d2a7bf7e7b 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
-@@ -102,6 +102,7 @@
+@@ -103,6 +103,7 @@
  #include "unit-serialize.h"
  #include "user-util.h"
  #include "utmp-wtmp.h"
@@ -321,7 +322,7 @@  index d054668b8e..9b4caa7651 100644
  #if HAVE_KMOD
  #include "module-util.h"
 diff --git a/src/core/service.c b/src/core/service.c
-index 87f0d34c8c..ccda3feb29 100644
+index e02c2e38ad..2a64a14647 100644
 --- a/src/core/service.c
 +++ b/src/core/service.c
 @@ -42,6 +42,7 @@
@@ -369,7 +370,7 @@  index 3e3646e45f..6a8fc60f6d 100644
  #define PRIV_KEY_FILE CERTIFICATE_ROOT "/private/journal-remote.pem"
  #define CERT_FILE     CERTIFICATE_ROOT "/certs/journal-remote.pem"
 diff --git a/src/journal/journalctl.c b/src/journal/journalctl.c
-index 3c4a7c0a7a..6a792404f2 100644
+index d4a751c575..b175b11a8f 100644
 --- a/src/journal/journalctl.c
 +++ b/src/journal/journalctl.c
 @@ -73,6 +73,7 @@
@@ -381,7 +382,7 @@  index 3c4a7c0a7a..6a792404f2 100644
  #define DEFAULT_FSS_INTERVAL_USEC (15*USEC_PER_MINUTE)
  #define PROCESS_INOTIFY_INTERVAL 1024   /* Every 1,024 messages processed */
 diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
-index 96529b422b..ddb5e9c698 100644
+index ca0b290ed2..3fa703eb61 100644
 --- a/src/libsystemd/sd-bus/bus-message.c
 +++ b/src/libsystemd/sd-bus/bus-message.c
 @@ -20,6 +20,7 @@
@@ -393,11 +394,11 @@  index 96529b422b..ddb5e9c698 100644
  static int message_append_basic(sd_bus_message *m, char type, const void *p, const void **stored);
  
 diff --git a/src/libsystemd/sd-bus/bus-objects.c b/src/libsystemd/sd-bus/bus-objects.c
-index 28d8336718..5d3ce88a53 100644
+index 5c6c6c5c5f..00499d53d1 100644
 --- a/src/libsystemd/sd-bus/bus-objects.c
 +++ b/src/libsystemd/sd-bus/bus-objects.c
-@@ -12,6 +12,7 @@
- #include "set.h"
+@@ -11,6 +11,7 @@
+ #include "missing_capability.h"
  #include "string-util.h"
  #include "strv.h"
 +#include "missing_stdlib.h"
@@ -405,7 +406,7 @@  index 28d8336718..5d3ce88a53 100644
  static int node_vtable_get_userdata(
                  sd_bus *bus,
 diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
-index 14951ccb33..b7f86ca501 100644
+index af67fc70eb..f80afa8327 100644
 --- a/src/libsystemd/sd-bus/bus-socket.c
 +++ b/src/libsystemd/sd-bus/bus-socket.c
 @@ -28,6 +28,7 @@
@@ -417,7 +418,7 @@  index 14951ccb33..b7f86ca501 100644
  #define SNDBUF_SIZE (8*1024*1024)
  
 diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
-index 9e1d29cc1d..8c3165f0ce 100644
+index 8f12be6d56..01945df0c4 100644
 --- a/src/libsystemd/sd-bus/sd-bus.c
 +++ b/src/libsystemd/sd-bus/sd-bus.c
 @@ -43,6 +43,7 @@
@@ -441,7 +442,7 @@  index 317653bedc..d028216c48 100644
  #define MAX_SIZE (2*1024*1024)
  
 diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
-index 7a6cc4aca3..b7f7cd65c5 100644
+index de9deb2e6d..6f4e1856d5 100644
 --- a/src/libsystemd/sd-journal/sd-journal.c
 +++ b/src/libsystemd/sd-journal/sd-journal.c
 @@ -41,6 +41,7 @@
@@ -450,10 +451,10 @@  index 7a6cc4aca3..b7f7cd65c5 100644
  #include "syslog-util.h"
 +#include "missing_stdlib.h"
  
- #define JOURNAL_FILES_MAX 7168
+ #define JOURNAL_FILES_RECHECK_USEC (2 * USEC_PER_SEC)
  
 diff --git a/src/locale/keymap-util.c b/src/locale/keymap-util.c
-index 10d2ed7aec..4fbe3f6b4a 100644
+index eaa1c6f0d2..7014c1e227 100644
 --- a/src/locale/keymap-util.c
 +++ b/src/locale/keymap-util.c
 @@ -24,6 +24,7 @@
@@ -489,7 +490,7 @@  index 063ad08d80..f9823a433b 100644
  /*
    # .network
 diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
-index 1f58bf3ed4..8457a3b0e3 100644
+index c4be8f5d4e..04ab34f165 100644
 --- a/src/nspawn/nspawn-settings.c
 +++ b/src/nspawn/nspawn-settings.c
 @@ -17,6 +17,7 @@
@@ -513,7 +514,7 @@  index c64e79bdff..eda26b0b9a 100644
  static void setup_logging_once(void) {
          static pthread_once_t once = PTHREAD_ONCE_INIT;
 diff --git a/src/portable/portable.c b/src/portable/portable.c
-index 0e6461ba93..54148d5924 100644
+index 3f73151bfe..452cadb764 100644
 --- a/src/portable/portable.c
 +++ b/src/portable/portable.c
 @@ -39,6 +39,7 @@
@@ -525,7 +526,7 @@  index 0e6461ba93..54148d5924 100644
  /* Markers used in the first line of our 20-portable.conf unit file drop-in to determine, that a) the unit file was
   * dropped there by the portable service logic and b) for which image it was dropped there. */
 diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c
-index 5b3ceeff36..d36d1d57ae 100644
+index 5ec4b63568..5a6a32f691 100644
 --- a/src/resolve/resolvectl.c
 +++ b/src/resolve/resolvectl.c
 @@ -43,6 +43,7 @@
@@ -561,7 +562,7 @@  index 87c0334fec..402ab3493b 100644
  struct CGroupInfo {
          char *cgroup_path;
 diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
-index dcce530c99..faf5a5bda0 100644
+index ef134bcee4..48a5c3bec6 100644
 --- a/src/shared/bus-unit-util.c
 +++ b/src/shared/bus-unit-util.c
 @@ -49,6 +49,7 @@
@@ -585,7 +586,7 @@  index 4a2b7684bc..ee6d687c58 100644
  static int name_owner_change_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
          sd_event *e = userdata;
 diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
-index f54b187a1b..299758c7e4 100644
+index 5e0d921487..f9a39b60d9 100644
 --- a/src/shared/dns-domain.c
 +++ b/src/shared/dns-domain.c
 @@ -17,6 +17,7 @@
@@ -609,7 +610,7 @@  index c6caf9330a..ebe33bd44a 100644
  enum {
          IMPORTER_STATE_LINE = 0,    /* waiting to read, or reading line */
 diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
-index cf83eb6bca..e672a003a3 100644
+index e2315e6eb1..65533b412c 100644
 --- a/src/shared/logs-show.c
 +++ b/src/shared/logs-show.c
 @@ -42,6 +42,7 @@
@@ -669,7 +670,7 @@  index cc9a7cb838..a679614a47 100644
  
  TEST(hexchar) {
 diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c
-index ae92e45205..1e6f3205cb 100644
+index 1084eb2d81..db07b84124 100644
 --- a/src/udev/udev-builtin-path_id.c
 +++ b/src/udev/udev-builtin-path_id.c
 @@ -22,6 +22,7 @@
@@ -693,7 +694,7 @@  index a60e4f294c..571c43765b 100644
  typedef struct Spawn {
          sd_device *device;
 diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
-index 1a384d6b38..0089833e3f 100644
+index cf461e1e68..9d6431d865 100644
 --- a/src/udev/udev-rules.c
 +++ b/src/udev/udev-rules.c
 @@ -34,6 +34,7 @@
@@ -704,6 +705,3 @@  index 1a384d6b38..0089833e3f 100644
  
  #define RULES_DIRS (const char* const*) CONF_PATHS_STRV("udev/rules.d")
  
--- 
-2.34.1
-
diff --git a/meta/recipes-core/systemd/systemd/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch b/meta/recipes-core/systemd/systemd/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch
index b84fbaa67e..f3285b7a31 100644
--- a/meta/recipes-core/systemd/systemd/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch
+++ b/meta/recipes-core/systemd/systemd/0007-don-t-fail-if-GLOB_BRACE-and-GLOB_ALTDIRFUNC-is-not-.patch
@@ -1,4 +1,4 @@ 
-From 74c664bcd6b9a5fcf3466310c07f608d12456f7f Mon Sep 17 00:00:00 2001
+From 5de6ab5196cfd629f4a15f8d0d34f69b1e425715 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 14:56:21 +0800
 Subject: [PATCH] don't fail if GLOB_BRACE and GLOB_ALTDIRFUNC is not defined
@@ -115,7 +115,7 @@  index ec8b74f48f..d99a6095df 100644
  
          (void) rm_rf(template, REMOVE_ROOT|REMOVE_PHYSICAL);
 diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
-index fcab51c208..fdef1807ae 100644
+index 07ef3af0a0..8293661aa7 100644
 --- a/src/tmpfiles/tmpfiles.c
 +++ b/src/tmpfiles/tmpfiles.c
 @@ -67,6 +67,12 @@
@@ -131,7 +131,7 @@  index fcab51c208..fdef1807ae 100644
  /* This reads all files listed in /etc/tmpfiles.d/?*.conf and creates
   * them in the file system. This is intended to be used to create
   * properly owned directories beneath /tmp, /var/tmp, /run, which are
-@@ -1961,7 +1967,9 @@ finish:
+@@ -1958,7 +1964,9 @@ finish:
  
  static int glob_item(Item *i, action_t action) {
          _cleanup_globfree_ glob_t g = {
@@ -141,7 +141,7 @@  index fcab51c208..fdef1807ae 100644
          };
          int r = 0, k;
          char **fn;
-@@ -1981,7 +1989,9 @@ static int glob_item(Item *i, action_t action) {
+@@ -1978,7 +1986,9 @@ static int glob_item(Item *i, action_t action) {
  
  static int glob_item_recursively(Item *i, fdaction_t action) {
          _cleanup_globfree_ glob_t g = {
diff --git a/meta/recipes-core/systemd/systemd/0008-add-missing-FTW_-macros-for-musl.patch b/meta/recipes-core/systemd/systemd/0008-add-missing-FTW_-macros-for-musl.patch
index 0c0d3d0b62..718dc659c9 100644
--- a/meta/recipes-core/systemd/systemd/0008-add-missing-FTW_-macros-for-musl.patch
+++ b/meta/recipes-core/systemd/systemd/0008-add-missing-FTW_-macros-for-musl.patch
@@ -1,4 +1,4 @@ 
-From a0450f7909348e7ff1d58adc0aee4119a0519c1f Mon Sep 17 00:00:00 2001
+From 427534fec8c205a9a97b20a4075dd84e1faca611 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:00:06 +0800
 Subject: [PATCH] add missing FTW_ macros for musl
@@ -49,7 +49,7 @@  index 6c0456349d..5140892e22 100644
 +#define FTW_SKIP_SIBLINGS 3
 +#endif
 diff --git a/src/shared/mount-setup.c b/src/shared/mount-setup.c
-index 7917968497..cc3d5baaab 100644
+index 7ba579ef63..2d62b1978f 100644
 --- a/src/shared/mount-setup.c
 +++ b/src/shared/mount-setup.c
 @@ -32,6 +32,7 @@
diff --git a/meta/recipes-core/systemd/systemd/0009-fix-missing-of-__register_atfork-for-non-glibc-build.patch b/meta/recipes-core/systemd/systemd/0009-fix-missing-of-__register_atfork-for-non-glibc-build.patch
index e7b7269f95..ea2b7f0aa3 100644
--- a/meta/recipes-core/systemd/systemd/0009-fix-missing-of-__register_atfork-for-non-glibc-build.patch
+++ b/meta/recipes-core/systemd/systemd/0009-fix-missing-of-__register_atfork-for-non-glibc-build.patch
@@ -1,4 +1,4 @@ 
-From 3ca0920429f7eaf8c59f9ac8afd30a43b83d95ed Mon Sep 17 00:00:00 2001
+From fefd1b6ae9dd75133f86c373ce17d4f15ef05e2d Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:03:47 +0800
 Subject: [PATCH] fix missing of __register_atfork for non-glibc builds
@@ -15,7 +15,7 @@  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 7 insertions(+)
 
 diff --git a/src/basic/process-util.c b/src/basic/process-util.c
-index c971852158..df6e85b1fc 100644
+index 5e27097cbb..db252b8dfe 100644
 --- a/src/basic/process-util.c
 +++ b/src/basic/process-util.c
 @@ -18,6 +18,9 @@
@@ -28,7 +28,7 @@  index c971852158..df6e85b1fc 100644
  
  #include "alloc-util.h"
  #include "architecture.h"
-@@ -1161,11 +1164,15 @@ void reset_cached_pid(void) {
+@@ -1165,11 +1168,15 @@ void reset_cached_pid(void) {
          cached_pid = CACHED_PID_UNSET;
  }
  
diff --git a/meta/recipes-core/systemd/systemd/0010-Use-uintmax_t-for-handling-rlim_t.patch b/meta/recipes-core/systemd/systemd/0010-Use-uintmax_t-for-handling-rlim_t.patch
index 3a47d09e8a..a8e45030ba 100644
--- a/meta/recipes-core/systemd/systemd/0010-Use-uintmax_t-for-handling-rlim_t.patch
+++ b/meta/recipes-core/systemd/systemd/0010-Use-uintmax_t-for-handling-rlim_t.patch
@@ -1,4 +1,4 @@ 
-From 48a791aae7a47a2a08e9e60c18054071a43b8cda Mon Sep 17 00:00:00 2001
+From 4bf0a67c097c53129c772aab6123740d07b66823 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:12:41 +0800
 Subject: [PATCH] Use uintmax_t for handling rlim_t
@@ -87,10 +87,10 @@  index 33dfde9d6c..e018fd81fd 100644
          return 1;
  }
 diff --git a/src/core/execute.c b/src/core/execute.c
-index fccfb9268c..90f00e10a5 100644
+index d2a7bf7e7b..0cc806b929 100644
 --- a/src/core/execute.c
 +++ b/src/core/execute.c
-@@ -5633,9 +5633,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
+@@ -5671,9 +5671,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
          for (unsigned i = 0; i < RLIM_NLIMITS; i++)
                  if (c->rlimit[i]) {
                          fprintf(f, "%sLimit%s: " RLIM_FMT "\n",
diff --git a/meta/recipes-core/systemd/systemd/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch b/meta/recipes-core/systemd/systemd/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch
index 7e4587cc23..a91ecea6be 100644
--- a/meta/recipes-core/systemd/systemd/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch
+++ b/meta/recipes-core/systemd/systemd/0011-test-sizeof.c-Disable-tests-for-missing-typedefs-in-.patch
@@ -1,4 +1,4 @@ 
-From e8025c8eefdf1be4bba34c48f3430838f3859c52 Mon Sep 17 00:00:00 2001
+From 755d647dc2e0842b89c29211af839c4e61faf006 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Wed, 28 Feb 2018 21:25:22 -0800
 Subject: [PATCH] test-sizeof.c: Disable tests for missing typedefs in musl
diff --git a/meta/recipes-core/systemd/systemd/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch b/meta/recipes-core/systemd/systemd/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch
index 6eecd3197c..68ad2a32d9 100644
--- a/meta/recipes-core/systemd/systemd/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch
+++ b/meta/recipes-core/systemd/systemd/0012-don-t-pass-AT_SYMLINK_NOFOLLOW-flag-to-faccessat.patch
@@ -1,4 +1,4 @@ 
-From 46fdc959257d60d9b32953cae0152ae118f8564b Mon Sep 17 00:00:00 2001
+From 5667af9b7ee73ee5a003221aaca5337c306469c7 Mon Sep 17 00:00:00 2001
 From: Andre McCurdy <armccurdy@gmail.com>
 Date: Tue, 10 Oct 2017 14:33:30 -0700
 Subject: [PATCH] don't pass AT_SYMLINK_NOFOLLOW flag to faccessat()
@@ -65,7 +65,7 @@  index 0bbb3f6298..3dc494dbfb 100644
  int touch_file(const char *path, bool parents, usec_t stamp, uid_t uid, gid_t gid, mode_t mode);
  int touch(const char *path);
 diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
-index 5f5328c8cf..d396bc99fe 100644
+index 2847bcb0fb..fc534435d3 100644
 --- a/src/shared/base-filesystem.c
 +++ b/src/shared/base-filesystem.c
 @@ -117,7 +117,7 @@ int base_filesystem_create(const char *root, uid_t uid, gid_t gid) {
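Review bot: the `base-filesystem.c` hunk is re-applied at the same `-117,7 +117,7` position against a new blob (`2847bcb0fb`), which confirms that the existing call site still matches but says nothing about call sites added since 250.5. Going by its Subject line, this patch exists to keep `AT_SYMLINK_NOFOLLOW` out of `faccessat()` calls, and a devtool refresh only re-applies the hunks it already has. Please grep the 250.14 tree for new `faccessat(` uses that pass that flag and state the result in the commit message.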
diff --git a/meta/recipes-core/systemd/systemd/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch b/meta/recipes-core/systemd/systemd/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch
index 7b22d6214f..76642f90f6 100644
--- a/meta/recipes-core/systemd/systemd/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch
+++ b/meta/recipes-core/systemd/systemd/0013-Define-glibc-compatible-basename-for-non-glibc-syste.patch
@@ -1,4 +1,4 @@ 
-From d0bdce977b7acc5e45e82cf84256c4bedc0e74c4 Mon Sep 17 00:00:00 2001
+From 1a1ae5dfb989af0e5f6294e26e0c12f49705860b Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Sun, 27 May 2018 08:36:44 -0700
 Subject: [PATCH] Define glibc compatible basename() for non-glibc systems
diff --git a/meta/recipes-core/systemd/systemd/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch b/meta/recipes-core/systemd/systemd/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch
index 015347cb6a..60ff964e7d 100644
--- a/meta/recipes-core/systemd/systemd/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch
+++ b/meta/recipes-core/systemd/systemd/0014-Do-not-disable-buffering-when-writing-to-oom_score_a.patch
@@ -1,4 +1,4 @@ 
-From e480d28305907c3874f4e58b722b8aa43c3ac7a2 Mon Sep 17 00:00:00 2001
+From 61158232373ec55693e8fa4513b8fcdfb875ecda Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Wed, 4 Jul 2018 15:00:44 +0800
 Subject: [PATCH] Do not disable buffering when writing to oom_score_adj
@@ -25,10 +25,10 @@  Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/src/basic/process-util.c b/src/basic/process-util.c
-index df6e85b1fc..635dbb5d26 100644
+index db252b8dfe..66bdc74b3f 100644
 --- a/src/basic/process-util.c
 +++ b/src/basic/process-util.c
-@@ -1489,7 +1489,7 @@ int set_oom_score_adjust(int value) {
+@@ -1493,7 +1493,7 @@ int set_oom_score_adjust(int value) {
          xsprintf(t, "%i", value);
  
          return write_string_file("/proc/self/oom_score_adj", t,
diff --git a/meta/recipes-core/systemd/systemd/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch b/meta/recipes-core/systemd/systemd/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch
index c563982607..2312dcde68 100644
--- a/meta/recipes-core/systemd/systemd/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch
+++ b/meta/recipes-core/systemd/systemd/0015-distinguish-XSI-compliant-strerror_r-from-GNU-specif.patch
@@ -1,4 +1,4 @@ 
-From 0542d27ebbb250c09bdcfcf9f2ea3d27426fe522 Mon Sep 17 00:00:00 2001
+From 3a3c61daffa79ce7b70b6b851110ce13c652d731 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Tue, 10 Jul 2018 15:40:17 +0800
 Subject: [PATCH] distinguish XSI-compliant strerror_r from GNU-specifi
diff --git a/meta/recipes-core/systemd/systemd/0018-avoid-redefinition-of-prctl_mm_map-structure.patch b/meta/recipes-core/systemd/systemd/0018-avoid-redefinition-of-prctl_mm_map-structure.patch
index 1fcba7af08..943e2b2889 100644
--- a/meta/recipes-core/systemd/systemd/0018-avoid-redefinition-of-prctl_mm_map-structure.patch
+++ b/meta/recipes-core/systemd/systemd/0018-avoid-redefinition-of-prctl_mm_map-structure.patch
@@ -1,4 +1,4 @@ 
-From e1d0210b47906dd121f936f3181092835df6a95c Mon Sep 17 00:00:00 2001
+From b90e69cab3da08fa890e8d276be4d02e39cd83aa Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 15:44:54 +0800
 Subject: [PATCH] avoid redefinition of prctl_mm_map structure
diff --git a/meta/recipes-core/systemd/systemd/0021-test-json.c-define-M_PIl.patch b/meta/recipes-core/systemd/systemd/0021-test-json.c-define-M_PIl.patch
index 82a01f732e..776fcdd6ca 100644
--- a/meta/recipes-core/systemd/systemd/0021-test-json.c-define-M_PIl.patch
+++ b/meta/recipes-core/systemd/systemd/0021-test-json.c-define-M_PIl.patch
@@ -1,4 +1,4 @@ 
-From e10a73de254b570bbc29b26423dbb86b4265bb05 Mon Sep 17 00:00:00 2001
+From 4f39aa56e738d99ac04e73ba75713db7e05f7252 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Mon, 25 Feb 2019 16:53:06 +0800
 Subject: [PATCH] test-json.c: define M_PIl
@@ -19,7 +19,7 @@  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  1 file changed, 4 insertions(+)
 
 diff --git a/src/test/test-json.c b/src/test/test-json.c
-index b385edc269..5e5830238c 100644
+index 2aecbe3557..f7112dc374 100644
 --- a/src/test/test-json.c
 +++ b/src/test/test-json.c
 @@ -14,6 +14,10 @@
diff --git a/meta/recipes-core/systemd/systemd/0022-do-not-disable-buffer-in-writing-files.patch b/meta/recipes-core/systemd/systemd/0022-do-not-disable-buffer-in-writing-files.patch
index 4dd6ff6e2e..8e1b8f25fa 100644
--- a/meta/recipes-core/systemd/systemd/0022-do-not-disable-buffer-in-writing-files.patch
+++ b/meta/recipes-core/systemd/systemd/0022-do-not-disable-buffer-in-writing-files.patch
@@ -1,4 +1,4 @@ 
-From 414e2f97008a1f3c26a260a6dc4d51a8c1fa6900 Mon Sep 17 00:00:00 2001
+From e79028fbfcc3036df8c2de9d199e4d89cbfff017 Mon Sep 17 00:00:00 2001
 From: Chen Qi <Qi.Chen@windriver.com>
 Date: Fri, 1 Mar 2019 15:22:15 +0800
 Subject: [PATCH] do not disable buffer in writing files
@@ -44,10 +44,10 @@  Signed-off-by: Scott Murray <scott.murray@konsulko.com>
  21 files changed, 39 insertions(+), 40 deletions(-)
 
 diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
-index f7dc6c8421..5f7a27c2c4 100644
+index d3bed80620..9af2339353 100644
 --- a/src/basic/cgroup-util.c
 +++ b/src/basic/cgroup-util.c
-@@ -390,7 +390,7 @@ int cg_kill_kernel_sigkill(const char *controller, const char *path) {
+@@ -399,7 +399,7 @@ int cg_kill_kernel_sigkill(const char *controller, const char *path) {
          if (r < 0)
                  return r;
  
@@ -56,7 +56,7 @@  index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -803,7 +803,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
+@@ -812,7 +812,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
  
          sc = strstrip(contents);
          if (isempty(sc)) {
@@ -65,7 +65,7 @@  index f7dc6c8421..5f7a27c2c4 100644
                  if (r < 0)
                          return r;
          } else if (!path_equal(sc, agent))
-@@ -821,7 +821,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
+@@ -830,7 +830,7 @@ int cg_install_release_agent(const char *controller, const char *agent) {
  
          sc = strstrip(contents);
          if (streq(sc, "0")) {
@@ -74,7 +74,7 @@  index f7dc6c8421..5f7a27c2c4 100644
                  if (r < 0)
                          return r;
  
-@@ -848,7 +848,7 @@ int cg_uninstall_release_agent(const char *controller) {
+@@ -857,7 +857,7 @@ int cg_uninstall_release_agent(const char *controller) {
          if (r < 0)
                  return r;
  
@@ -83,7 +83,7 @@  index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -858,7 +858,7 @@ int cg_uninstall_release_agent(const char *controller) {
+@@ -867,7 +867,7 @@ int cg_uninstall_release_agent(const char *controller) {
          if (r < 0)
                  return r;
  
@@ -92,7 +92,7 @@  index f7dc6c8421..5f7a27c2c4 100644
          if (r < 0)
                  return r;
  
-@@ -1704,7 +1704,7 @@ int cg_set_attribute(const char *controller, const char *path, const char *attri
+@@ -1713,7 +1713,7 @@ int cg_set_attribute(const char *controller, const char *path, const char *attri
          if (r < 0)
                  return r;
  
@@ -198,7 +198,7 @@  index 18231c2618..6c598d55c8 100644
                          log_warning_errno(r, "Failed to flush binfmt_misc rules, ignoring: %m");
                  else
 diff --git a/src/core/cgroup.c b/src/core/cgroup.c
-index f58de95a49..7a97ab6f99 100644
+index 79681c65be..a346e5d35c 100644
 --- a/src/core/cgroup.c
 +++ b/src/core/cgroup.c
 @@ -4140,7 +4140,7 @@ int unit_cgroup_freezer_action(Unit *u, FreezerAction action) {
@@ -211,10 +211,10 @@  index f58de95a49..7a97ab6f99 100644
                  return r;
  
 diff --git a/src/core/main.c b/src/core/main.c
-index 57aedb9b93..7ef36d22f5 100644
+index 5914be6a83..a4706203f1 100644
 --- a/src/core/main.c
 +++ b/src/core/main.c
-@@ -1466,7 +1466,7 @@ static int bump_unix_max_dgram_qlen(void) {
+@@ -1468,7 +1468,7 @@ static int bump_unix_max_dgram_qlen(void) {
          if (v >= DEFAULT_UNIX_MAX_DGRAM_QLEN)
                  return 0;
  
@@ -223,7 +223,7 @@  index 57aedb9b93..7ef36d22f5 100644
                                 "%lu", DEFAULT_UNIX_MAX_DGRAM_QLEN);
          if (r < 0)
                  return log_full_errno(IN_SET(r, -EROFS, -EPERM, -EACCES) ? LOG_DEBUG : LOG_WARNING, r,
-@@ -1737,7 +1737,7 @@ static void initialize_core_pattern(bool skip_setup) {
+@@ -1739,7 +1739,7 @@ static void initialize_core_pattern(bool skip_setup) {
          if (getpid_cached() != 1)
                  return;
  
@@ -285,10 +285,10 @@  index 9fdc74b775..9858a2b415 100644
                  log_warning_errno(r, "Failed to drop caches, ignoring: %m");
          else
 diff --git a/src/libsystemd/sd-device/sd-device.c b/src/libsystemd/sd-device/sd-device.c
-index b163a0fb6b..fd6c5301d6 100644
+index 718a92549d..104222bb16 100644
 --- a/src/libsystemd/sd-device/sd-device.c
 +++ b/src/libsystemd/sd-device/sd-device.c
-@@ -2108,7 +2108,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
+@@ -2111,7 +2111,7 @@ _public_ int sd_device_set_sysattr_value(sd_device *device, const char *sysattr,
          if (!value)
                  return -ENOMEM;
  
@@ -311,10 +311,10 @@  index d472e80c03..c7780c7fc6 100644
                  log_error_errno(r, "Failed to move process: %m");
                  goto finish;
 diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
-index fb6af295b5..0d83f1e4d2 100644
+index 573419d7f3..97a81ff8f8 100644
 --- a/src/nspawn/nspawn.c
 +++ b/src/nspawn/nspawn.c
-@@ -2759,7 +2759,7 @@ static int reset_audit_loginuid(void) {
+@@ -2768,7 +2768,7 @@ static int reset_audit_loginuid(void) {
          if (streq(p, "4294967295"))
                  return 0;
  
@@ -323,7 +323,7 @@  index fb6af295b5..0d83f1e4d2 100644
          if (r < 0) {
                  log_error_errno(r,
                                  "Failed to reset audit login UID. This probably means that your kernel is too\n"
-@@ -4175,7 +4175,7 @@ static int setup_uid_map(
+@@ -4184,7 +4184,7 @@ static int setup_uid_map(
                  return log_oom();
  
          xsprintf(uid_map, "/proc/" PID_FMT "/uid_map", pid);
@@ -332,7 +332,7 @@  index fb6af295b5..0d83f1e4d2 100644
          if (r < 0)
                  return log_error_errno(r, "Failed to write UID map: %m");
  
-@@ -4185,7 +4185,7 @@ static int setup_uid_map(
+@@ -4194,7 +4194,7 @@ static int setup_uid_map(
                  return log_oom();
  
          xsprintf(uid_map, "/proc/" PID_FMT "/gid_map", pid);
@@ -441,7 +441,7 @@  index 7064f3a905..8f2a7d9da2 100644
                          return 0;
                  log_debug_errno(k, "Failed to write '%s' to /sys/power/state: %m", *state);
 diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
-index 0089833e3f..0a6a3abbb4 100644
+index 9d6431d865..c162b6dbfe 100644
 --- a/src/udev/udev-rules.c
 +++ b/src/udev/udev-rules.c
 @@ -2181,7 +2181,6 @@ static int udev_rule_apply_token_to_event(
diff --git a/meta/recipes-core/systemd/systemd/0025-Handle-__cpu_mask-usage.patch b/meta/recipes-core/systemd/systemd/0025-Handle-__cpu_mask-usage.patch
index 6981d70af0..33cbb66703 100644
--- a/meta/recipes-core/systemd/systemd/0025-Handle-__cpu_mask-usage.patch
+++ b/meta/recipes-core/systemd/systemd/0025-Handle-__cpu_mask-usage.patch
@@ -1,4 +1,4 @@ 
-From 8871f78c559f37169c0cfaf20b0af1dbec0399af Mon Sep 17 00:00:00 2001
+From 7a270f66384e95635ac512429b4cd51f817e3494 Mon Sep 17 00:00:00 2001
 From: Scott Murray <scott.murray@konsulko.com>
 Date: Fri, 13 Sep 2019 19:26:27 -0400
 Subject: [PATCH] Handle __cpu_mask usage
diff --git a/meta/recipes-core/systemd/systemd/0026-Handle-missing-gshadow.patch b/meta/recipes-core/systemd/systemd/0026-Handle-missing-gshadow.patch
index 2c56838644..c6982af910 100644
--- a/meta/recipes-core/systemd/systemd/0026-Handle-missing-gshadow.patch
+++ b/meta/recipes-core/systemd/systemd/0026-Handle-missing-gshadow.patch
@@ -1,4 +1,4 @@ 
-From ec519727bb1ceda6e7787ccf86237a6aad07137c Mon Sep 17 00:00:00 2001
+From cac47a8efdf76eec005275162fbf28300dffc13c Mon Sep 17 00:00:00 2001
 From: Alex Kiernan <alex.kiernan@gmail.com>
 Date: Tue, 10 Mar 2020 11:05:20 +0000
 Subject: [PATCH] Handle missing gshadow
@@ -139,7 +139,7 @@  index 22ab04d6ee..4e52e7a911 100644
  #include <shadow.h>
  
 diff --git a/src/shared/userdb.c b/src/shared/userdb.c
-index 0eddd382e6..d506b8e263 100644
+index ec0c835cad..5e4b1028c6 100644
 --- a/src/shared/userdb.c
 +++ b/src/shared/userdb.c
 @@ -1046,13 +1046,15 @@ int groupdb_iterator_get(UserDBIterator *iterator, GroupRecord **ret) {
diff --git a/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch b/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
index 6c97a272e2..0845569c91 100644
--- a/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
+++ b/meta/recipes-core/systemd/systemd/0028-missing_syscall.h-Define-MIPS-ABI-defines-for-musl.patch
@@ -1,4 +1,4 @@ 
-From 754a16eeb255c06dbdd4655632276573f0f075ec Mon Sep 17 00:00:00 2001
+From bf6d00a780db808de6a5dfc28e24906f699fd60e Mon Sep 17 00:00:00 2001
 From: Khem Raj <raj.khem@gmail.com>
 Date: Mon, 12 Apr 2021 23:44:53 -0700
 Subject: [PATCH] missing_syscall.h: Define MIPS ABI defines for musl
@@ -34,7 +34,7 @@  index 793d111c55..9665848b88 100644
  #include "missing_keyctl.h"
  #include "missing_stat.h"
 diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
-index d396bc99fe..7e9c0c3412 100644
+index fc534435d3..5929ca1fce 100644
 --- a/src/shared/base-filesystem.c
 +++ b/src/shared/base-filesystem.c
 @@ -19,6 +19,7 @@
diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch b/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
deleted file mode 100644
index eb8b0cba12..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2022-3821.patch
+++ /dev/null
@@ -1,45 +0,0 @@ 
-From bff52d96598956163d73b7c7bdec7b0ad5b3c2d4 Mon Sep 17 00:00:00 2001
-From: Hitendra Prajapati <hprajapati@mvista.com>
-Date: Tue, 15 Nov 2022 16:52:03 +0530
-Subject: [PATCH] CVE-2022-3821
-
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/72d4c15a946d20143cd4c6783c802124bc894dc7]
-CVE: CVE-2022-3821
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/basic/time-util.c     | 2 +-
- src/test/test-time-util.c | 5 +++++
- 2 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/basic/time-util.c b/src/basic/time-util.c
-index b659d6905d..89dc593d44 100644
---- a/src/basic/time-util.c
-+++ b/src/basic/time-util.c
-@@ -588,7 +588,7 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) {
-                         t = b;
-                 }
- 
--                n = MIN((size_t) k, l);
-+                n = MIN((size_t) k, l-1);
- 
-                 l -= n;
-                 p += n;
-diff --git a/src/test/test-time-util.c b/src/test/test-time-util.c
-index 4d0131827e..8db6b25279 100644
---- a/src/test/test-time-util.c
-+++ b/src/test/test-time-util.c
-@@ -238,6 +238,11 @@ TEST(format_timespan) {
-         test_format_timespan_accuracy(1);
-         test_format_timespan_accuracy(USEC_PER_MSEC);
-         test_format_timespan_accuracy(USEC_PER_SEC);
-+
-+        /* See issue #23928. */
-+        _cleanup_free_ char *buf;
-+        assert_se(buf = new(char, 5));
-+        assert_se(buf == format_timespan(buf, 5, 100005, 1000));
- }
- 
- TEST(verify_timezone) {
--- 
-2.25.1
-
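Review bot: dropping this file also drops the `CVE: CVE-2022-3821` tag, and the commit message only says v250.14 "already has the changes" without naming where. Please cite the commit in the v250.5...v250.14 range that carries the `n = MIN((size_t) k, l-1);` bound in `format_timespan()` (the deleted header points at systemd-stable 72d4c15a946d20143cd4c6783c802124bc894dc7) and confirm that the `test-time-util.c` case for issue #23928 came with it. With the tag gone, cve-check falls back to version matching, so if the NVD range for this CVE still includes 250.14, a `CVE_CHECK_IGNORE` entry with a short justification is needed.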
diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch b/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
deleted file mode 100644
index 5cf0fe284e..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2022-4415-1.patch
+++ /dev/null
@@ -1,109 +0,0 @@ 
-From 45d323fc889a55fae400a5b08a56273d5724ef4a Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 29 Nov 2022 09:00:16 +0100
-Subject: [PATCH 1/2] coredump: adjust whitespace
-
-(cherry picked from commit 510a146634f3e095b34e2a26023b1b1f99dcb8c0)
-(cherry picked from commit cc2eb7a9b5fd6d9dd8ea35fb045ce6e5e16e1187)
-(cherry picked from commit cb044d734c44cd3c05a6e438b5b995b2a9cfa73c)
-
-Preparation to avoid conflicts when applying CVE CVE-2022-4415
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/45d323fc889a55fae400a5b08a56273d5724ef4a]
-
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/coredump/coredump.c | 56 ++++++++++++++++++++---------------------
- 1 file changed, 28 insertions(+), 28 deletions(-)
-
-diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
-index eaea63f682..8295b03ac7 100644
---- a/src/coredump/coredump.c
-+++ b/src/coredump/coredump.c
-@@ -103,16 +103,16 @@ enum {
- };
- 
- static const char * const meta_field_names[_META_MAX] = {
--        [META_ARGV_PID]          = "COREDUMP_PID=",
--        [META_ARGV_UID]          = "COREDUMP_UID=",
--        [META_ARGV_GID]          = "COREDUMP_GID=",
--        [META_ARGV_SIGNAL]       = "COREDUMP_SIGNAL=",
--        [META_ARGV_TIMESTAMP]    = "COREDUMP_TIMESTAMP=",
--        [META_ARGV_RLIMIT]       = "COREDUMP_RLIMIT=",
--        [META_ARGV_HOSTNAME]     = "COREDUMP_HOSTNAME=",
--        [META_COMM]              = "COREDUMP_COMM=",
--        [META_EXE]               = "COREDUMP_EXE=",
--        [META_UNIT]              = "COREDUMP_UNIT=",
-+        [META_ARGV_PID]       = "COREDUMP_PID=",
-+        [META_ARGV_UID]       = "COREDUMP_UID=",
-+        [META_ARGV_GID]       = "COREDUMP_GID=",
-+        [META_ARGV_SIGNAL]    = "COREDUMP_SIGNAL=",
-+        [META_ARGV_TIMESTAMP] = "COREDUMP_TIMESTAMP=",
-+        [META_ARGV_RLIMIT]    = "COREDUMP_RLIMIT=",
-+        [META_ARGV_HOSTNAME]  = "COREDUMP_HOSTNAME=",
-+        [META_COMM]           = "COREDUMP_COMM=",
-+        [META_EXE]            = "COREDUMP_EXE=",
-+        [META_UNIT]           = "COREDUMP_UNIT=",
- };
- 
- typedef struct Context {
-@@ -131,9 +131,9 @@ typedef enum CoredumpStorage {
- } CoredumpStorage;
- 
- static const char* const coredump_storage_table[_COREDUMP_STORAGE_MAX] = {
--        [COREDUMP_STORAGE_NONE] = "none",
-+        [COREDUMP_STORAGE_NONE]     = "none",
-         [COREDUMP_STORAGE_EXTERNAL] = "external",
--        [COREDUMP_STORAGE_JOURNAL] = "journal",
-+        [COREDUMP_STORAGE_JOURNAL]  = "journal",
- };
- 
- DEFINE_PRIVATE_STRING_TABLE_LOOKUP(coredump_storage, CoredumpStorage);
-@@ -149,13 +149,13 @@ static uint64_t arg_max_use = UINT64_MAX;
- 
- static int parse_config(void) {
-         static const ConfigTableItem items[] = {
--                { "Coredump", "Storage",          config_parse_coredump_storage,           0, &arg_storage           },
--                { "Coredump", "Compress",         config_parse_bool,                       0, &arg_compress          },
--                { "Coredump", "ProcessSizeMax",   config_parse_iec_uint64,                 0, &arg_process_size_max  },
--                { "Coredump", "ExternalSizeMax",  config_parse_iec_uint64_infinity,        0, &arg_external_size_max },
--                { "Coredump", "JournalSizeMax",   config_parse_iec_size,                   0, &arg_journal_size_max  },
--                { "Coredump", "KeepFree",         config_parse_iec_uint64,                 0, &arg_keep_free         },
--                { "Coredump", "MaxUse",           config_parse_iec_uint64,                 0, &arg_max_use           },
-+                { "Coredump", "Storage",          config_parse_coredump_storage,     0, &arg_storage           },
-+                { "Coredump", "Compress",         config_parse_bool,                 0, &arg_compress          },
-+                { "Coredump", "ProcessSizeMax",   config_parse_iec_uint64,           0, &arg_process_size_max  },
-+                { "Coredump", "ExternalSizeMax",  config_parse_iec_uint64_infinity,  0, &arg_external_size_max },
-+                { "Coredump", "JournalSizeMax",   config_parse_iec_size,             0, &arg_journal_size_max  },
-+                { "Coredump", "KeepFree",         config_parse_iec_uint64,           0, &arg_keep_free         },
-+                { "Coredump", "MaxUse",           config_parse_iec_uint64,           0, &arg_max_use           },
-                 {}
-         };
- 
-@@ -201,15 +201,15 @@ static int fix_acl(int fd, uid_t uid) {
- static int fix_xattr(int fd, const Context *context) {
- 
-         static const char * const xattrs[_META_MAX] = {
--                [META_ARGV_PID]          = "user.coredump.pid",
--                [META_ARGV_UID]          = "user.coredump.uid",
--                [META_ARGV_GID]          = "user.coredump.gid",
--                [META_ARGV_SIGNAL]       = "user.coredump.signal",
--                [META_ARGV_TIMESTAMP]    = "user.coredump.timestamp",
--                [META_ARGV_RLIMIT]       = "user.coredump.rlimit",
--                [META_ARGV_HOSTNAME]     = "user.coredump.hostname",
--                [META_COMM]              = "user.coredump.comm",
--                [META_EXE]               = "user.coredump.exe",
-+                [META_ARGV_PID]       = "user.coredump.pid",
-+                [META_ARGV_UID]       = "user.coredump.uid",
-+                [META_ARGV_GID]       = "user.coredump.gid",
-+                [META_ARGV_SIGNAL]    = "user.coredump.signal",
-+                [META_ARGV_TIMESTAMP] = "user.coredump.timestamp",
-+                [META_ARGV_RLIMIT]    = "user.coredump.rlimit",
-+                [META_ARGV_HOSTNAME]  = "user.coredump.hostname",
-+                [META_COMM]           = "user.coredump.comm",
-+                [META_EXE]            = "user.coredump.exe",
-         };
- 
-         int r = 0;
--- 
-2.30.2
-
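Review bot: CVE-2022-4415-1.patch must not be dropped separately from CVE-2022-4415-2.patch. The lines visible here only realign the meta_field_names, coredump_storage_table, parse_config items and xattrs tables without changing any value, and the context lines of CVE-2022-4415-2.patch (for example `[META_UNIT]           = "COREDUMP_UNIT=",`) already use that realigned spacing. The SRC_URI hunk removes both entries, which is the consistent outcome; a one-line mention in the commit message that -1 is a whitespace-only prerequisite would save the next reader from looking for a missing functional fix.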
diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch b/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
deleted file mode 100644
index 8389ee8cd6..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2022-4415-2.patch
+++ /dev/null
@@ -1,391 +0,0 @@ 
-From 1d5e0e9910500f3c3584485f77bfc35e601036e3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Mon, 28 Nov 2022 12:12:55 +0100
-Subject: [PATCH 2/2] coredump: do not allow user to access coredumps with
- changed uid/gid/capabilities
-
-When the user starts a program which elevates its permissions via setuid,
-setgid, or capabilities set on the file, it may access additional information
-which would then be visible in the coredump. We shouldn't make the the coredump
-visible to the user in such cases.
-
-Reported-by: Matthias Gerstner <mgerstner@suse.de>
-
-This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
-PROC_AUXV. Before the coredump is submitted, it is parsed and if either
-at_secure was set (which the kernel will do for processes that are setuid,
-setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
-is not made accessible to the user. If we can't access this data, we assume the
-file should not be made accessible either. In principle we could also access
-the auxv data from a note in the core file, but that is much more complex and
-it seems better to use the stand-alone file that is provided by the kernel.
-
-Attaching auxv is both convient for this patch (because this way it's passed
-between the stages along with other fields), but I think it makes sense to save
-it in general.
-
-We use the information early in the core file to figure out if the program was
-32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
-whether the format of the auxv structure. This test might reject some cases on
-fringe architecutes. But the impact would be limited: we just won't grant the
-user permissions to view the coredump file. If people report that we're missing
-some cases, we can always enhance this to support more architectures.
-
-I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
-ppc64el, but not the whole coredump handling.
-
-(cherry picked from commit 3e4d0f6cf99f8677edd6a237382a65bfe758de03)
-(cherry picked from commit 9b75a3d0502d6741c8ecb7175794345f8eb3827c)
-(cherry picked from commit efca5283dc791a07171f80eef84e14fdb58fad57)
-
-CVE: CVE-2022-4415
-Upstream-Status: Backport [https://github.com/systemd/systemd-stable/commit/1d5e0e9910500f3c3584485f77bfc35e601036e3]
-
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
----
- src/basic/io-util.h     |   9 ++
- src/coredump/coredump.c | 196 +++++++++++++++++++++++++++++++++++++---
- 2 files changed, 192 insertions(+), 13 deletions(-)
-
-diff --git a/src/basic/io-util.h b/src/basic/io-util.h
-index 39728e06bc..3afb134266 100644
---- a/src/basic/io-util.h
-+++ b/src/basic/io-util.h
-@@ -91,7 +91,16 @@ struct iovec_wrapper *iovw_new(void);
- struct iovec_wrapper *iovw_free(struct iovec_wrapper *iovw);
- struct iovec_wrapper *iovw_free_free(struct iovec_wrapper *iovw);
- void iovw_free_contents(struct iovec_wrapper *iovw, bool free_vectors);
-+
- int iovw_put(struct iovec_wrapper *iovw, void *data, size_t len);
-+static inline int iovw_consume(struct iovec_wrapper *iovw, void *data, size_t len) {
-+        /* Move data into iovw or free on error */
-+        int r = iovw_put(iovw, data, len);
-+        if (r < 0)
-+                free(data);
-+        return r;
-+}
-+
- int iovw_put_string_field(struct iovec_wrapper *iovw, const char *field, const char *value);
- int iovw_put_string_field_free(struct iovec_wrapper *iovw, const char *field, char *value);
- void iovw_rebase(struct iovec_wrapper *iovw, char *old, char *new);
-diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c
-index 8295b03ac7..79280ab986 100644
---- a/src/coredump/coredump.c
-+++ b/src/coredump/coredump.c
-@@ -4,6 +4,7 @@
- #include <stdio.h>
- #include <sys/prctl.h>
- #include <sys/statvfs.h>
-+#include <sys/auxv.h>
- #include <sys/xattr.h>
- #include <unistd.h>
- 
-@@ -99,6 +100,7 @@ enum {
- 
-         META_EXE = _META_MANDATORY_MAX,
-         META_UNIT,
-+        META_PROC_AUXV,
-         _META_MAX
- };
- 
-@@ -113,10 +115,12 @@ static const char * const meta_field_names[_META_MAX] = {
-         [META_COMM]           = "COREDUMP_COMM=",
-         [META_EXE]            = "COREDUMP_EXE=",
-         [META_UNIT]           = "COREDUMP_UNIT=",
-+        [META_PROC_AUXV]      = "COREDUMP_PROC_AUXV=",
- };
- 
- typedef struct Context {
-         const char *meta[_META_MAX];
-+        size_t meta_size[_META_MAX];
-         pid_t pid;
-         bool is_pid1;
-         bool is_journald;
-@@ -178,13 +182,16 @@ static uint64_t storage_size_max(void) {
-         return 0;
- }
- 
--static int fix_acl(int fd, uid_t uid) {
-+static int fix_acl(int fd, uid_t uid, bool allow_user) {
-+        assert(fd >= 0);
-+        assert(uid_is_valid(uid));
- 
- #if HAVE_ACL
-         int r;
- 
--        assert(fd >= 0);
--        assert(uid_is_valid(uid));
-+        /* We don't allow users to read coredumps if the uid or capabilities were changed. */
-+        if (!allow_user)
-+                return 0;
- 
-         if (uid_is_system(uid) || uid_is_dynamic(uid) || uid == UID_NOBODY)
-                 return 0;
-@@ -244,7 +251,8 @@ static int fix_permissions(
-                 const char *filename,
-                 const char *target,
-                 const Context *context,
--                uid_t uid) {
-+                uid_t uid,
-+                bool allow_user) {
- 
-         int r;
- 
-@@ -254,7 +262,7 @@ static int fix_permissions(
- 
-         /* Ignore errors on these */
-         (void) fchmod(fd, 0640);
--        (void) fix_acl(fd, uid);
-+        (void) fix_acl(fd, uid, allow_user);
-         (void) fix_xattr(fd, context);
- 
-         r = fsync_full(fd);
-@@ -324,6 +332,153 @@ static int make_filename(const Context *context, char **ret) {
-         return 0;
- }
- 
-+static int parse_auxv64(
-+                const uint64_t *auxv,
-+                size_t size_bytes,
-+                int *at_secure,
-+                uid_t *uid,
-+                uid_t *euid,
-+                gid_t *gid,
-+                gid_t *egid) {
-+
-+        assert(auxv || size_bytes == 0);
-+
-+        if (size_bytes % (2 * sizeof(uint64_t)) != 0)
-+                return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
-+
-+        size_t words = size_bytes / sizeof(uint64_t);
-+
-+        /* Note that we set output variables even on error. */
-+
-+        for (size_t i = 0; i + 1 < words; i += 2)
-+                switch (auxv[i]) {
-+                case AT_SECURE:
-+                        *at_secure = auxv[i + 1] != 0;
-+                        break;
-+                case AT_UID:
-+                        *uid = auxv[i + 1];
-+                        break;
-+                case AT_EUID:
-+                        *euid = auxv[i + 1];
-+                        break;
-+                case AT_GID:
-+                        *gid = auxv[i + 1];
-+                        break;
-+                case AT_EGID:
-+                        *egid = auxv[i + 1];
-+                        break;
-+                case AT_NULL:
-+                        if (auxv[i + 1] != 0)
-+                                goto error;
-+                        return 0;
-+                }
-+ error:
-+        return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
-+                                 "AT_NULL terminator not found, cannot parse auxv structure.");
-+}
-+
-+static int parse_auxv32(
-+                const uint32_t *auxv,
-+                size_t size_bytes,
-+                int *at_secure,
-+                uid_t *uid,
-+                uid_t *euid,
-+                gid_t *gid,
-+                gid_t *egid) {
-+
-+        assert(auxv || size_bytes == 0);
-+
-+        size_t words = size_bytes / sizeof(uint32_t);
-+
-+        if (size_bytes % (2 * sizeof(uint32_t)) != 0)
-+                return log_warning_errno(SYNTHETIC_ERRNO(EIO), "Incomplete auxv structure (%zu bytes).", size_bytes);
-+
-+        /* Note that we set output variables even on error. */
-+
-+        for (size_t i = 0; i + 1 < words; i += 2)
-+                switch (auxv[i]) {
-+                case AT_SECURE:
-+                        *at_secure = auxv[i + 1] != 0;
-+                        break;
-+                case AT_UID:
-+                        *uid = auxv[i + 1];
-+                        break;
-+                case AT_EUID:
-+                        *euid = auxv[i + 1];
-+                        break;
-+                case AT_GID:
-+                        *gid = auxv[i + 1];
-+                        break;
-+                case AT_EGID:
-+                        *egid = auxv[i + 1];
-+                        break;
-+                case AT_NULL:
-+                        if (auxv[i + 1] != 0)
-+                                goto error;
-+                        return 0;
-+                }
-+ error:
-+        return log_warning_errno(SYNTHETIC_ERRNO(ENODATA),
-+                                 "AT_NULL terminator not found, cannot parse auxv structure.");
-+}
-+
-+static int grant_user_access(int core_fd, const Context *context) {
-+        int at_secure = -1;
-+        uid_t uid = UID_INVALID, euid = UID_INVALID;
-+        uid_t gid = GID_INVALID, egid = GID_INVALID;
-+        int r;
-+
-+        assert(core_fd >= 0);
-+        assert(context);
-+
-+        if (!context->meta[META_PROC_AUXV])
-+                return log_warning_errno(SYNTHETIC_ERRNO(ENODATA), "No auxv data, not adjusting permissions.");
-+
-+        uint8_t elf[EI_NIDENT];
-+        errno = 0;
-+        if (pread(core_fd, &elf, sizeof(elf), 0) != sizeof(elf))
-+                return log_warning_errno(errno_or_else(EIO),
-+                                         "Failed to pread from coredump fd: %s", errno != 0 ? strerror_safe(errno) : "Unexpected EOF");
-+
-+        if (elf[EI_MAG0] != ELFMAG0 ||
-+            elf[EI_MAG1] != ELFMAG1 ||
-+            elf[EI_MAG2] != ELFMAG2 ||
-+            elf[EI_MAG3] != ELFMAG3 ||
-+            elf[EI_VERSION] != EV_CURRENT)
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file does not have ELF header, not adjusting permissions.");
-+        if (!IN_SET(elf[EI_CLASS], ELFCLASS32, ELFCLASS64) ||
-+            !IN_SET(elf[EI_DATA], ELFDATA2LSB, ELFDATA2MSB))
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file has strange ELF class, not adjusting permissions.");
-+
-+        if ((elf[EI_DATA] == ELFDATA2LSB) != (__BYTE_ORDER == __LITTLE_ENDIAN))
-+                return log_info_errno(SYNTHETIC_ERRNO(EUCLEAN),
-+                                      "Core file has non-native endianness, not adjusting permissions.");
-+
-+        if (elf[EI_CLASS] == ELFCLASS64)
-+                r = parse_auxv64((const uint64_t*) context->meta[META_PROC_AUXV],
-+                                 context->meta_size[META_PROC_AUXV],
-+                                 &at_secure, &uid, &euid, &gid, &egid);
-+        else
-+                r = parse_auxv32((const uint32_t*) context->meta[META_PROC_AUXV],
-+                                 context->meta_size[META_PROC_AUXV],
-+                                 &at_secure, &uid, &euid, &gid, &egid);
-+        if (r < 0)
-+                return r;
-+
-+        /* We allow access if we got all the data and at_secure is not set and
-+         * the uid/gid matches euid/egid. */
-+        bool ret =
-+                at_secure == 0 &&
-+                uid != UID_INVALID && euid != UID_INVALID && uid == euid &&
-+                gid != GID_INVALID && egid != GID_INVALID && gid == egid;
-+        log_debug("Will %s access (uid="UID_FMT " euid="UID_FMT " gid="GID_FMT " egid="GID_FMT " at_secure=%s)",
-+                  ret ? "permit" : "restrict",
-+                  uid, euid, gid, egid, yes_no(at_secure));
-+        return ret;
-+}
-+
- static int save_external_coredump(
-                 const Context *context,
-                 int input_fd,
-@@ -446,6 +601,8 @@ static int save_external_coredump(
-                                 context->meta[META_ARGV_PID], context->meta[META_COMM]);
-         truncated = r == 1;
- 
-+        bool allow_user = grant_user_access(fd, context) > 0;
-+
- #if HAVE_COMPRESSION
-         if (arg_compress) {
-                 _cleanup_(unlink_and_freep) char *tmp_compressed = NULL;
-@@ -483,7 +640,7 @@ static int save_external_coredump(
-                         uncompressed_size += partial_uncompressed_size;
-                 }
- 
--                r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid);
-+                r = fix_permissions(fd_compressed, tmp_compressed, fn_compressed, context, uid, allow_user);
-                 if (r < 0)
-                         return r;
- 
-@@ -510,7 +667,7 @@ static int save_external_coredump(
-                            "SIZE_LIMIT=%zu", max_size,
-                            "MESSAGE_ID=" SD_MESSAGE_TRUNCATED_CORE_STR);
- 
--        r = fix_permissions(fd, tmp, fn, context, uid);
-+        r = fix_permissions(fd, tmp, fn, context, uid, allow_user);
-         if (r < 0)
-                 return log_error_errno(r, "Failed to fix permissions and finalize coredump %s into %s: %m", coredump_tmpfile_name(tmp), fn);
- 
-@@ -758,7 +915,7 @@ static int change_uid_gid(const Context *context) {
- }
- 
- static int submit_coredump(
--                Context *context,
-+                const Context *context,
-                 struct iovec_wrapper *iovw,
-                 int input_fd) {
- 
-@@ -919,16 +1076,15 @@ static int save_context(Context *context, const struct iovec_wrapper *iovw) {
-                 struct iovec *iovec = iovw->iovec + n;
- 
-                 for (size_t i = 0; i < ELEMENTSOF(meta_field_names); i++) {
--                        char *p;
--
-                         /* Note that these strings are NUL terminated, because we made sure that a
-                          * trailing NUL byte is in the buffer, though not included in the iov_len
-                          * count (see process_socket() and gather_pid_metadata_*()) */
-                         assert(((char*) iovec->iov_base)[iovec->iov_len] == 0);
- 
--                        p = startswith(iovec->iov_base, meta_field_names[i]);
-+                        const char *p = startswith(iovec->iov_base, meta_field_names[i]);
-                         if (p) {
-                                 context->meta[i] = p;
-+                                context->meta_size[i] = iovec->iov_len - strlen(meta_field_names[i]);
-                                 count++;
-                                 break;
-                         }
-@@ -1170,6 +1326,7 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) {
-         uid_t owner_uid;
-         pid_t pid;
-         char *t;
-+        size_t size;
-         const char *p;
-         int r;
- 
-@@ -1234,13 +1391,26 @@ static int gather_pid_metadata(struct iovec_wrapper *iovw, Context *context) {
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_LIMITS=", t);
- 
-         p = procfs_file_alloca(pid, "cgroup");
--        if (read_full_virtual_file(p, &t, NULL) >=0)
-+        if (read_full_virtual_file(p, &t, NULL) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_CGROUP=", t);
- 
-         p = procfs_file_alloca(pid, "mountinfo");
--        if (read_full_virtual_file(p, &t, NULL) >=0)
-+        if (read_full_virtual_file(p, &t, NULL) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_PROC_MOUNTINFO=", t);
- 
-+        /* We attach /proc/auxv here. ELF coredumps also contain a note for this (NT_AUXV), see elf(5). */
-+        p = procfs_file_alloca(pid, "auxv");
-+        if (read_full_virtual_file(p, &t, &size) >= 0) {
-+                char *buf = malloc(strlen("COREDUMP_PROC_AUXV=") + size + 1);
-+                if (buf) {
-+                        /* Add a dummy terminator to make save_context() happy. */
-+                        *((uint8_t*) mempcpy(stpcpy(buf, "COREDUMP_PROC_AUXV="), t, size)) = '\0';
-+                        (void) iovw_consume(iovw, buf, size + strlen("COREDUMP_PROC_AUXV="));
-+                }
-+
-+                free(t);
-+        }
-+
-         if (get_process_cwd(pid, &t) >= 0)
-                 (void) iovw_put_string_field_free(iovw, "COREDUMP_CWD=", t);
- 
--- 
-2.30.2
-
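Review bot: the fail-closed behaviour in save_external_coredump() is what needs re-verifying after this drop, not just the presence of grant_user_access(). Here `bool allow_user = grant_user_access(fd, context) > 0;` turns every error path (no auxv data, bad ELF header, non-native endianness, missing AT_NULL) into "no user ACL", and fix_acl() returns early when allow_user is false. A post-upgrade test on the 250.14 build that a core from a setuid or setcap binary is stored without a user ACL entry would confirm it. The header already names systemd-stable commit 1d5e0e9910500f3c3584485f77bfc35e601036e3 as the origin, so the commit message could state that this commit falls within the v250.5...v250.14 range instead of the general "already has the changes".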
diff --git a/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch b/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
deleted file mode 100644
index 94bd22ca43..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2022-45873.patch
+++ /dev/null
@@ -1,124 +0,0 @@ 
-From 076b807be472630692c5348c60d0c2b7b28ad437 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
-Date: Tue, 18 Oct 2022 18:23:53 +0200
-Subject: [PATCH] coredump: avoid deadlock when passing processed backtrace
- data
-
-We would deadlock when passing the data back from the forked-off process that
-was doing backtrace generation back to the coredump parent. This is because we
-fork the child and wait for it to exit. The child tries to write too much data
-to the output pipe, and and after the first 64k blocks on the parent because
-the pipe is full. The bug surfaced in Fedora because of a combination of four
-factors:
-- 87707784c70dc9894ec613df0a6e75e732a362a3 was backported to v251.5, which
-  allowed coredump processing to be successful.
-- 1a0281a3ebf4f8c16d40aa9e63103f16cd23bb2a was NOT backported, so the output
-  was very verbose.
-- Fedora has the ELF package metadata available, so a lot of output can be
-  generated. Most other distros just don't have the information.
-- gnome-calendar crashes and has a bazillion modules and 69596 bytes of output
-  are generated for it.
-
-Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2135778.
-
-The code is changed to try to write data opportunistically. If we get partial
-information, that is still logged. In is generally better to log partial
-backtrace information than nothing at all.
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/076b807be472630692c5348c60d0c2b7b28ad437]
-CVE: CVE-2022-45873
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/shared/elf-util.c | 37 +++++++++++++++++++++++++++++++------
- 1 file changed, 31 insertions(+), 6 deletions(-)
-
-diff --git a/src/shared/elf-util.c b/src/shared/elf-util.c
-index 6d9fcfbbf2..bd27507346 100644
---- a/src/shared/elf-util.c
-+++ b/src/shared/elf-util.c
-@@ -30,6 +30,9 @@
- #define THREADS_MAX 64
- #define ELF_PACKAGE_METADATA_ID 0xcafe1a7e
- 
-+/* The amount of data we're willing to write to each of the output pipes. */
-+#define COREDUMP_PIPE_MAX (1024*1024U)
-+
- static void *dw_dl = NULL;
- static void *elf_dl = NULL;
- 
-@@ -700,13 +703,13 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                 return r;
- 
-         if (ret) {
--                r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC));
-+                r = RET_NERRNO(pipe2(return_pipe, O_CLOEXEC|O_NONBLOCK));
-                 if (r < 0)
-                         return r;
-         }
- 
-         if (ret_package_metadata) {
--                r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC));
-+                r = RET_NERRNO(pipe2(json_pipe, O_CLOEXEC|O_NONBLOCK));
-                 if (r < 0)
-                         return r;
-         }
-@@ -750,8 +753,24 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                         goto child_fail;
- 
-                 if (buf) {
--                        r = loop_write(return_pipe[1], buf, strlen(buf), false);
--                        if (r < 0)
-+                        size_t len = strlen(buf);
-+
-+                        if (len > COREDUMP_PIPE_MAX) {
-+                                /* This is iffy. A backtrace can be a few hundred kilobytes, but too much is
-+                                 * too much. Let's log a warning and ignore the rest. */
-+                                log_warning("Generated backtrace is %zu bytes (more than the limit of %u bytes), backtrace will be truncated.",
-+                                            len, COREDUMP_PIPE_MAX);
-+                                len = COREDUMP_PIPE_MAX;
-+                        }
-+
-+                        /* Bump the space for the returned string.
-+                         * Failure is ignored, because partial output is still useful. */
-+                        (void) fcntl(return_pipe[1], F_SETPIPE_SZ, len);
-+
-+                        r = loop_write(return_pipe[1], buf, len, false);
-+                        if (r == -EAGAIN)
-+                                log_warning("Write failed, backtrace will be truncated.");
-+                        else if (r < 0)
-                                 goto child_fail;
- 
-                         return_pipe[1] = safe_close(return_pipe[1]);
-@@ -760,13 +779,19 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
-                 if (package_metadata) {
-                         _cleanup_fclose_ FILE *json_out = NULL;
- 
-+                        /* Bump the space for the returned string. We don't know how much space we'll need in
-+                         * advance, so we'll just try to write as much as possible and maybe fail later. */
-+                        (void) fcntl(json_pipe[1], F_SETPIPE_SZ, COREDUMP_PIPE_MAX);
-+
-                         json_out = take_fdopen(&json_pipe[1], "w");
-                         if (!json_out) {
-                                 r = -errno;
-                                 goto child_fail;
-                         }
- 
--                        json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-+                        r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);
-+                        if (r < 0)
-+                                log_warning_errno(r, "Failed to write JSON package metadata, ignoring: %m");
-                 }
- 
-                 _exit(EXIT_SUCCESS);
-@@ -801,7 +826,7 @@ int parse_elf_object(int fd, const char *executable, bool fork_disable_dump, cha
- 
-                 r = json_parse_file(json_in, NULL, 0, &package_metadata, NULL, NULL);
-                 if (r < 0 && r != -EINVAL) /* EINVAL: json was empty, so we got nothing, but that's ok */
--                        return r;
-+                        log_warning_errno(r, "Failed to read or parse json metadata, ignoring: %m");
-         }
- 
-         if (ret)
--- 
-2.25.1
-
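Review bot: this file and 0001-shared-json-allow-json_variant_dump-to-return-an-err.patch have to be dropped as a pair, because the json_pipe branch here depends on `r = json_variant_dump(package_metadata, JSON_FORMAT_FLUSH, json_out, NULL);` returning a value; the SRC_URI hunk does remove both. The Upstream-Status line points at systemd/systemd rather than systemd-stable, so before relying on the version bump for CVE-2022-45873, check that src/shared/elf-util.c in v250.14 creates return_pipe and json_pipe with O_CLOEXEC|O_NONBLOCK and caps the backtrace write at COREDUMP_PIPE_MAX.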
diff --git a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch b/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
deleted file mode 100644
index e2296abc49..0000000000
--- a/meta/recipes-core/systemd/systemd/CVE-2023-7008.patch
+++ /dev/null
@@ -1,40 +0,0 @@ 
-From 3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1 Mon Sep 17 00:00:00 2001
-From: Michal Sekletar <msekleta@redhat.com>
-Date: Wed, 20 Dec 2023 16:44:14 +0100
-Subject: [PATCH] resolved: actually check authenticated flag of SOA
- transaction
-
-Fixes #25676
-
-Upstream-Status: Backport [https://github.com/systemd/systemd/commit/3b4cc1437b51fcc0b08da8cc3f5d1175eed25eb1]
-CVE: CVE-2023-7008
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
----
- src/resolve/resolved-dns-transaction.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
-index f937f9f7b5..7deb598400 100644
---- a/src/resolve/resolved-dns-transaction.c
-+++ b/src/resolve/resolved-dns-transaction.c
-@@ -2761,7 +2761,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
-                         if (r == 0)
-                                 continue;
- 
--                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-                 }
- 
-                 return true;
-@@ -2788,7 +2788,7 @@ static int dns_transaction_requires_rrsig(DnsTransaction *t, DnsResourceRecord *
-                         /* We found the transaction that was supposed to find the SOA RR for us. It was
-                          * successful, but found no RR for us. This means we are not at a zone cut. In this
-                          * case, we require authentication if the SOA lookup was authenticated too. */
--                        return FLAGS_SET(t->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-+                        return FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED);
-                 }
- 
-                 return true;
--- 
-2.25.1
-
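Review bot: confirm that v250.14 contains this fix before dropping it, because the Upstream-Status line cites a systemd/systemd commit dated 20 Dec 2023 rather than a systemd-stable one. The check is cheap: both returns touched here in dns_transaction_requires_rrsig() should read `FLAGS_SET(dt->answer_query_flags, SD_RESOLVED_AUTHENTICATED)` in the unpacked src/resolve/resolved-dns-transaction.c. If either still uses `t->answer_query_flags`, the authenticated flag is taken from t instead of the SOA transaction dt and CVE-2023-7008 is open again.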
diff --git a/meta/recipes-core/systemd/systemd_250.5.bb b/meta/recipes-core/systemd/systemd_250.14.bb
similarity index 99%
rename from meta/recipes-core/systemd/systemd_250.5.bb
rename to meta/recipes-core/systemd/systemd_250.14.bb
index 4d520c85f3..ef0476fad9 100644
--- a/meta/recipes-core/systemd/systemd_250.5.bb
+++ b/meta/recipes-core/systemd/systemd_250.14.bb
@@ -25,15 +25,10 @@  SRC_URI += "file://touchscreen.rules \
            file://0003-implment-systemd-sysv-install-for-OE.patch \
            file://0001-Move-sysusers.d-sysctl.d-binfmt.d-modules-load.d-to-.patch \
            file://0001-resolve-Use-sockaddr-pointer-type-for-bind.patch \
-           file://CVE-2022-3821.patch \
-           file://CVE-2022-45873.patch \
-           file://0001-shared-json-allow-json_variant_dump-to-return-an-err.patch \
-           file://CVE-2022-4415-1.patch \
-           file://CVE-2022-4415-2.patch \
            file://0001-network-remove-only-managed-configs-on-reconfigure-o.patch \
            file://0001-nspawn-make-sure-host-root-can-write-to-the-uidmappe.patch \
-           file://CVE-2023-7008.patch \
            file://fix-vlan-qos-mapping.patch \
+           file://0001-core-fix-build-when-seccomp-is-off.patch \
            "
 
 # patches needed by musl
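Review bot: with the CVE-2022-3821, CVE-2022-45873, CVE-2022-4415-1, CVE-2022-4415-2 and CVE-2023-7008 entries gone from SRC_URI, the recipe no longer carries any patch-based record that these CVEs are fixed, so their status now rests on the 250.14 version number alone. Re-run the CVE check on the upgraded recipe and confirm that none of the four CVEs shows up as unpatched; if one does, it needs an explicit entry rather than silently regressing in the report. The new `file://0001-core-fix-build-when-seccomp-is-off.patch` line is appended after fix-vlan-qos-mapping.patch; a short comment next to it that it is a build fix for the seccomp-off configuration would make it easier to drop at the next upgrade.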