author | Jose Quaresma <quaresma.jose@gmail.com> | 2024-07-25 14:23:11 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-07-26 12:28:42 +0100 |
commit | 0c03d6aeb7b21c604278cfad272dd7beb1d3e10f (patch) | |
tree | c27f141faa629bdcf04d9843c668d2fa0495c9e7 | |
parent | b33830b4f60187f928a413556423b3de2add9ef2 (diff) | |
download | poky-0c03d6aeb7b21c604278cfad272dd7beb1d3e10f.tar.gz |
openssh: systemd notification was implemented upstream
Drop our sd-notify patch and switch to the upstream standalone
implementation that does not depend on libsystemd.
(From OE-Core rev: 07522f85a987b673b0a3c98690c3c17ab0c4b608)
Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
4 files changed, 227 insertions, 100 deletions
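--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
@@ -0,0 +1,225 @@
+From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: [PATCH] notify systemd on listen and reload
+
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
+
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+configure.ac | 1 +
+openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+openbsd-compat/port-linux.h | 5 ++
+platform.c | 11 +++++
+platform.h | 1 +
+sshd.c | 2 +
+6 files changed, 115 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 82e8bb7c1..854f92b5b 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+AC_DEFINE([USE_BTMP])
+AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
++ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+inet6_default_4in6=yes
+case `uname -r` in
+1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0457e28d0..df7290246 100644
+--- a/openbsd-compat/port-linux.c
++++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
+
+#include "includes.h"
+
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
++#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
++ defined(SYSTEMD_NOTIFY)
++#include <sys/socket.h>
++#include <sys/un.h>
++
+#include <errno.h>
++#include <inttypes.h>
+#include <stdarg.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
++#include <time.h>
+
+#include "log.h"
+#include "xmalloc.h"
+#include "port-linux.h"
++#include "misc.h"
+
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+@@ -310,4 +317,90 @@ oom_adjust_restore(void)
+return;
+}
+#endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
++
++#ifdef SYSTEMD_NOTIFY
++
++static void ssh_systemd_notify(const char *, ...)
++ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
++
++static void
++ssh_systemd_notify(const char *fmt, ...)
++{
++ char *s = NULL;
++ const char *path;
++ struct stat sb;
++ struct sockaddr_un addr;
++ int fd = -1;
++ va_list ap;
++
++ if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
++ return;
++
++ va_start(ap, fmt);
++ xvasprintf(&s, fmt, ap);
++ va_end(ap);
++
++ /* Only AF_UNIX is supported, with path or abstract sockets */
++ if (path[0] != '/' && path[0] != '@') {
++ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
++ goto out;
++ }
++
++ if (path[0] == '/' && stat(path, &sb) != 0) {
++ error_f("socket \"%s\" stat: %s", path, strerror(errno));
++ goto out;
++ }
++
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ if (strlcpy(addr.sun_path, path,
++ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
++ error_f("socket path \"%s\" too long", path);
++ goto out;
++ }
++ /* Support for abstract socket */
++ if (addr.sun_path[0] == '@')
++ addr.sun_path[0] = 0;
++ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
++ error_f("socket \"%s\": %s", path, strerror(errno));
++ goto out;
++ }
++ if (connect(fd, &addr, sizeof(addr)) != 0) {
++ error_f("socket \"%s\" connect: %s", path, strerror(errno));
++ goto out;
++ }
++ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
++ error_f("socket \"%s\" write: %s", path, strerror(errno));
++ goto out;
++ }
++ debug_f("socket \"%s\" notified %s", path, s);
++ out:
++ if (fd != -1)
++ close(fd);
++ free(s);
++}
++
++void
++ssh_systemd_notify_ready(void)
++{
++ ssh_systemd_notify("READY=1");
++}
++
++void
++ssh_systemd_notify_reload(void)
++{
++ struct timespec now;
++
++ monotime_ts(&now);
++ if (now.tv_sec < 0 || now.tv_nsec < 0) {
++ error_f("monotime returned negative value");
++ ssh_systemd_notify("RELOADING=1");
++ } else {
++ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
++ ((uint64_t)now.tv_sec * 1000000ULL) +
++ ((uint64_t)now.tv_nsec / 1000ULL));
++ }
++}
++#endif /* SYSTEMD_NOTIFY */
++
++#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a854d..14064f87d 100644
+--- a/openbsd-compat/port-linux.h
++++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+void oom_adjust_setup(void);
+#endif
+
++#ifdef SYSTEMD_NOTIFY
++void ssh_systemd_notify_ready(void);
++void ssh_systemd_notify_reload(void);
++#endif
++
+#endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 4fe8744ee..9cf818153 100644
+--- a/platform.c
++++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+#endif
+}
+
++void
++platform_post_listen(void)
++{
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_ready();
++#endif
++}
++
+void
+platform_pre_fork(void)
+{
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+void
+platform_pre_restart(void)
+{
++#ifdef SYSTEMD_NOTIFY
++ ssh_systemd_notify_reload();
++#endif
+#ifdef LINUX_OOM_ADJUST
+oom_adjust_restore();
+#endif
+diff --git a/platform.h b/platform.h
+index 7fef8c983..5dec23276 100644
+--- a/platform.h
++++ b/platform.h
+@@ -21,6 +21,7 @@
+void platform_pre_listen(void);
+void platform_pre_fork(void);
+void platform_pre_restart(void);
++void platform_post_listen(void);
+void platform_post_fork_parent(pid_t child_pid);
+void platform_post_fork_child(void);
+int platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index b4f2b9742..865331b46 100644
+--- a/sshd.c
++++ b/sshd.c
+@@ -2077,6 +2077,8 @@ main(int ac, char **av)
+ssh_signal(SIGTERM, sigterm_handler);
+ssh_signal(SIGQUIT, sigterm_handler);
+
++ platform_post_listen();
++
+/*
+* Write out the pid file after the sigterm handler
+* is setup and the listen sockets are bound
+--
+2.45.2
+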
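Review bot: In `ssh_systemd_notify` the call `connect(fd, &addr, sizeof(addr))` passes a `struct sockaddr_un *` where `connect()` expects `const struct sockaddr *`, so the build leans on an incompatible-pointer conversion that compilers diagnose and newer ones may refuse; write it as `connect(fd, (const struct sockaddr *)&addr, sizeof(addr))`. For the abstract-socket case (the `@` replaced by a NUL in `sun_path[0]`), passing `sizeof(addr)` as the length makes the zero padding after the name part of the abstract address, which as far as I can tell will not match the name systemd actually binds; `offsetof(struct sockaddr_un, sun_path) + strlen(path)` would give the intended length for both path and abstract sockets. `stat()`, `write()` and `close()` are used but only `<sys/socket.h>`/`<sys/un.h>` are added here, so the helper presumably relies on `includes.h` for `<sys/stat.h>` and `<unistd.h>`; worth confirming on the backported tree. A short header comment would also help the next reader: `/* Best-effort sd_notify(3)-style message to $NOTIFY_SOCKET (sshd's own environment, never peer data); every failure is logged and otherwise ignored. */`.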
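--- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From b02ef7621758f06eb686ef4f620636dbad086eda Mon Sep 17 00:00:00 2001
-From: Matt Jolly <Matt.Jolly@footclan.ninja>
-Date: Thu, 2 Feb 2023 21:05:40 +1100
-Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
-
-This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
-patch based on Jakub Jelen's <jjelen@redhat.com> original patch
-
-Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
-
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
----
-configure.ac | 24 ++++++++++++++++++++++++
-sshd.c | 13 +++++++++++++
-2 files changed, 37 insertions(+)
-
-diff --git a/configure.ac b/configure.ac
-index 82e8bb7..d1145d3 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -4870,6 +4870,29 @@ AC_SUBST([GSSLIBS])
-AC_SUBST([K5LIBS])
-AC_SUBST([CHANNELLIBS])
-
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+ [ --with-systemd Enable systemd support],
-+ [ if test "x$withval" != "xno" ; then
-+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+ if test "$PKGCONFIG" != "no"; then
-+ AC_MSG_CHECKING([for libsystemd])
-+ if $PKGCONFIG --exists libsystemd; then
-+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+ AC_MSG_RESULT([yes])
-+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+ SYSTEMD_MSG="yes"
-+ else
-+ AC_MSG_RESULT([no])
-+ fi
-+ fi
-+ fi ]
-+)
-+
-# Looking for programs, paths and files
-
-PRIVSEP_PATH=/var/empty
-@@ -5688,6 +5711,7 @@ echo " libldns support: $LDNS_MSG"
-echo " Solaris process contract support: $SPC_MSG"
-echo " Solaris project support: $SP_MSG"
-echo " Solaris privilege support: $SPP_MSG"
-+echo " systemd support: $SYSTEMD_MSG"
-echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
-echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
-echo " BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index b4f2b97..6820a41 100644
---- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
-#include <prot.h>
-#endif
-
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh2.h"
-@@ -308,6 +312,10 @@ static void
-sighup_restart(void)
-{
-logit("Received SIGHUP; restarting.");
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are reloading */
-+ sd_notify(0, "RELOADING=1");
-+#endif
-if (options.pid_file != NULL)
-unlink(options.pid_file);
-platform_pre_restart();
-@@ -2093,6 +2101,11 @@ main(int ac, char **av)
-}
-}
-
-+#ifdef HAVE_SYSTEMD
-+ /* Signal systemd that we are ready to accept connections */
-+ sd_notify(0, "READY=1");
-+#endif
-+
-/* Accept a connection and return in a forked child */
-server_accept_loop(&sock_in, &sock_out,
-&newsock, config_s);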
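--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -5,11 +5,11 @@ After=sshdgenkeys.service
 After=nss-user-lookup.target
 
 [Service]
+Type=notify-reload
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
 ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s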
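Review bot: `Type=notify-reload` is only understood by systemd 253 and later, and with `ExecReload=` removed the reload path now depends entirely on systemd's default ReloadSignal (SIGHUP) plus sshd itself sending `RELOADING=1`/`READY=1`; an sshd built without `SYSTEMD_NOTIFY` would sit in "activating" until the start timeout rather than fail visibly. That coupling is invisible from the unit file, so a comment above the `Type=` line would help, e.g. `# notify-reload needs systemd >= 253 and an sshd built with SYSTEMD_NOTIFY (0001-notify-systemd-on-listen-and-reload.patch), which sends READY=1 after listen and RELOADING=1 on SIGHUP`. NotifyAccess is left at its default, which restricts notifications to the main PID; that is the correct minimal scope provided the re-executed sshd keeps the same PID across SIGHUP, which I cannot confirm from this page.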
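--- a/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.7p1.bb
@@ -24,7 +24,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
 file://run-ptest \
 file://sshd_check_keys \
 file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
-file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
+file://0001-notify-systemd-on-listen-and-reload.patch \
 file://CVE-2024-6387.patch \
 "
 SRC_URI[sha256sum] = "490426f766d82a2763fcacd8d83ea3d70798750c7bd2aff2e57dc5660f773ffd"
@@ -52,7 +52,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 
 inherit autotools-brokensep ptest pkgconfig
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 
 # systemd-sshd-socket-mode means installing sshd.socket
 # and systemd-sshd-service-mode corresponding to sshd.service
@@ -78,7 +77,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
 --sysconfdir=${sysconfdir}/ssh \
 --with-xauth=${bindir}/xauth \
 --disable-strip \
-${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
 "
 
 # musl doesn't implement wtmp/utmp and logwtmp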
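Review bot: Nothing in the recipe now records why the `systemd` DISTRO_FEATURE gating disappeared from `DEPENDS` and `EXTRA_OECONF`, and the backported configure.ac hunk defines `SYSTEMD_NOTIFY` unconditionally in the Linux branch, so every Linux sshd build reads `NOTIFY_SOCKET` from its environment, sysvinit images included. That is benign as far as the added helper shows (it returns immediately when the variable is unset and talks only to a socket named by sshd's own environment), but a future maintainer may read the removed lines as an oversight and reinstate the libsystemd dependency. A one-line comment next to the patch entry in `SRC_URI` would prevent that, e.g. `# standalone sd_notify backport: no libsystemd DEPENDS or --with-systemd needed`.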