Граф коммитов

31 Коммитов

Автор SHA1 Сообщение Дата
nicolas guibourge 9ccf03ebc6
systemd-bootstrap: fix CVE-2022-4415 (#5094)
Co-authored-by: CBL-Mariner Servicing Account <cblmargh@microsoft.com>
2023-03-15 08:06:28 -07:00
Adit Jha 965e06ff6b
Disable systemd-oomd service & socket through 99-mariner.preset file (#4686) 2023-01-30 11:57:31 -08:00
SeanDougherty 7e81d545de
Revert "Disabling systemd-oomd by default in Mariner (#4580)" (#4600)
This reverts commit 1e8d4d920a.
2023-01-13 13:35:31 -08:00
Adit Jha 1e8d4d920a
Disabling systemd-oomd by default in Mariner (#4580) 2023-01-12 17:08:47 -08:00
CBL-Mariner-Bot 52cb0f9c6f
[AUTOPATCHER-CORE] systemd add patch to address CVE-2022-45873 - (#4451)
* systemd: add patch to address CVE-2022-45873

* Add prereq patch, also update bootstrap

* Add additional prereq patch

Co-authored-by: Daniel McIlvaney <damcilva@microsoft.com>
2022-12-14 14:40:24 -08:00
Daniel McIlvaney 855a2b52e2
Gate systemd's preset-all so it runs only on first install (#4249)
* Gate systemd's preset-all so it runs only on first install
2022-12-08 11:56:05 -08:00
Sam Meluch 66e5ee3893
Patched `systemd` to fix CVE-2022-3821 (#4256)
* Add patch for CVE-2022-3821

* Add patch to systemd-bootstrap.spec to mirror changes to systemd.spec

* update systemd-bootstrap version in manifests
2022-11-18 19:01:22 -06:00
Pawel Winogrodzki 96b35817fe
dracut, systemd, systemtap: fix log file paths. (#3922) 2022-10-06 16:23:10 -07:00
Avram Lubkin 301d64af52
systemd: gpt-auto fixes for backing device detection (#3864) 2022-10-05 17:12:35 -04:00
Avram Lubkin 760886bda1
systemd: sysusers fsync patch (#3547)
Patch to fix fsync issue for /etc/passwd in systemd-sysusers
https://github.com/systemd/systemd/pull/24324
2022-08-24 14:38:46 -04:00
jslobodzian cdc67c9fba
Update systemd to build in release mode (#2958)
* Fix systemd to build in release mode

* Fix date to two digits
2022-05-06 14:48:54 -07:00
Cameron E Baird cc262b7b57
[main] [bug] Address Constant Journald crash on Mariner 2.0 (#2731)
* manually backport fix commit for journald assertion bug

* bootstrap package, toolchain manifests

* swap out raw diff for the patch, including more information from upstream

* add newline to patch

* remove redundant comment in specs
2022-04-14 15:08:33 -07:00
Andrew Phelps b6ddd31fdc
use lz4 compression in systemd instead of zstd (#2546) 2022-03-23 11:16:16 -07:00
Henry Beberman 1adf15efc5
[main] Update systemd to v250.3 (#1991) 2022-01-24 23:11:57 -08:00
Pawel Winogrodzki 77153f2702
[main] Removing redundant `%clean` stages from the spec files. (#1782) 2021-12-17 09:46:27 -08:00
Henry Beberman 404ea07fe4
Fix systemd dhcp and cgroups (#1734) 2021-12-08 13:58:33 -08:00
Henry Beberman 7837cec9a2
Update to systemd 249.7 and dracut 055 (#1732) 2021-12-07 19:23:43 -08:00
Pawel Winogrodzki 76188442ca
[dev] `lvm2`: adding the `lvm2-dbusd` package. (#1477) 2021-10-01 00:37:20 -07:00
jslobodzian 17b0e93e71
Merge 1.0 to dev branch
This merge brings the latest SELinux and many packages and CVE fixes from the 1.0 branch.
2021-08-19 13:46:51 -07:00
Thomas Crain 4859da4e1b Merge branch '1.0' into thcrain/pain (March Update) 2021-04-13 15:40:16 -05:00
Thomas Crain eae5b4006f Merge branch '1.0' into thcrain/ever-given 2021-04-06 22:39:22 -05:00
Christopher Co 55e42f31c8
systemd: disallow unprivileged BPFs (#743)
Additional mitigation step for CVE-2021-20194. Our kernels are typically
hardened with CONFIG_HARDENED_USERCOPY=y so we are not exposed to this
vulnerability specifically. But if this ends up not being the case in
the future, we have this mitigation enabled as well.

Signed-off-by: Chris Co <chrco@microsoft.com>
2021-03-16 11:06:33 -07:00
Henry Beberman 84c823f7c1
Enable lz4 compression in systemd (#637)
Enable lz4 compression in systemd so that journalctl can read lz4 compressed journals
2021-02-16 14:42:40 -08:00
Joe Schmitt ef3343d9fd
[dev] Update lib macro and enable python byte compilation (#636) 2021-02-16 10:34:30 -08:00
Nicolas Ontiveros ea706b71aa
Fix systemd CVE-2019-6454 and CVE-2020-1712 patches (#374)
* Fix CVE-2019-6454 patch

* Update toolchain txt files

* Fix CVE-2020-1712 patch

* Update upstream patch info for CVE's 2019-6454/2020-1712

* Fix async_polkit_callback patch
2020-11-16 15:21:50 -08:00
rychenf1 7a714be4d0
[dev] Configure systemd to support merged /usr (#348)
* Configure systemd to support merged /usr

* Update clamav systemd dir

* Update chroot systemd-rpm-macros ver

* systemd changelog

* Lint, excluding systemd scriptlet changes

* Add systemd-rpm-macros in toolchain manifests

* arch correction

* Remove inline hash
2020-11-11 09:36:21 -08:00
Nicolas Ontiveros c98d311027
Patch systemd CVEs: 2019-3842, 2019-3843, 2019-3844, 2019-6454, 2019-20386, 2020-1712, 2020-13776 (#248)
* Patch CVE-2019-3842

* Patch CVE-2019-3843

* Fix URL in CVE-2019-3843.patch

* Patch CVE-2019-3844

* Patch CVE-2019-6454

* Update CVE-2019-6454 patch

* Patch CVE-2019-20386

* Patch CVE-2020-1712

* Patch CVE-2020-13776

* Update toolchain txt files

* Update systemd-bootstrap

* Fix toolchain aarch64

* Fix linting for systemd-bootstrap

* Address more systemd-bootstrap linting

* Addres systemd spec linting

* Add newline at end of systemd spec

* Fix systemd-bootstrap spec
2020-11-03 15:40:13 -08:00
jslobodzian 791c4b9e19
Build Break Fix: Rollback selinux checkins. (#204)
* Revert "Add missing %libsepolver definition in secilc.spec (#192)"

This reverts commit 9cff088bec.

* Revert "Add SELinux packages to Mariner. (#100)"

This reverts commit b2d918efac.
2020-10-13 19:37:01 -07:00
Daniel Burgener b2d918efac
Add SELinux packages to Mariner. (#100)
* Add SELinux packages to Mariner.

This commit add the following packages to Mariner to provide basic
SELinux support:

- checkpolicy
- libsemanage
- mcstrans
- policycoreutils
- secilc
- selinux-policy
- setools

The selinux-policy provided here is a generic base policy, which is not
specifically tuned for Mariner, therefore only permissive mode support
is enabled in this commit.  (Although users could load a custom policy
to run in enforcing mode).  Future phases have been discussed to add
SELinux enforcing mode support.

This commit does not enable SELinux by default.  In order to enable
SELinux support, one must first install necessary packages (libselinux,
policycoreutils, secilc, selinux-policy), and then append "lsm=selinux
selinux=1" to the kernel command line.  This will trigger an initial
boot to relabel the system, at which point the system will reboot, and
boot into an SELinux enabled system.  SELinux state can be queried with
the "getenforce" command line tool.  If SELinux has not been enabled, it
will report "Disabled" (the default).  If SELinux support has been
enabled as described in this paragraph, it will report "permissive".

This commit also modifies the following packages to enabled SELinux
functionality in existing packages:

- coreutils
- cronie
- dbus
- openssh
- pam
- rpm
- shadow-utils
- systemd
- util-linux

This enables them to build with SELinux support so that when SELinux is
enabled, they have SELinux related functionality available.

Because coreutils is a basic package and requires building with
libselinux-devel present in order to enable key SELinux functionality,
several dependencies in other packages that rely on coreutils (namely
python2, python3 and systemd-bootstrap) had to be removed in order to
avoid circular dependencies.  There does not appear to be a functional
impact from this change based on my testing.
2020-10-07 09:13:55 -04:00
Mateusz Malisz b53db7e474 Update systemd-bootstrap spec. 2020-08-11 16:07:40 -07:00
Jon Slobodzian b877013b27 Initial CBL-Mariner commit to GitHub 2020-08-06 20:17:52 -07:00