From d6a2a54e5b20b219ed252dce30784289125e1f39 Mon Sep 17 00:00:00 2001 From: Dan McGregor Date: Wed, 4 Mar 2015 10:22:00 -0600 Subject: systemd: fix systemd-tmpfiles ACL issues On systems where /var/log is not a volatile systemd-tmpfiles creates duplicate ACL entries. This causes systemd-tmpfiles service to fail. Also quietly ignore ACL settings on filesystems that don't support ACLs. Backport the fixes from systemd master to fix these issues. (From OE-Core rev: 73a045a1b52d8260d60517bbb5d4c74132d03b10) Signed-off-by: Dan McGregor Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- ...iles-avoid-creating-duplicate-acl-entries.patch | 134 +++++++++++++++++++++ ...ietly-ignore-ACLs-on-unsupported-filesyst.patch | 86 +++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-tmpfiles-avoid-creating-duplicate-acl-entries.patch create mode 100644 meta/recipes-core/systemd/systemd/0002-tmpfiles-quietly-ignore-ACLs-on-unsupported-filesyst.patch (limited to 'meta/recipes-core/systemd/systemd')
diff --git a/meta/recipes-core/systemd/systemd/0001-tmpfiles-avoid-creating-duplicate-acl-entries.patch b/meta/recipes-core/systemd/systemd/0001-tmpfiles-avoid-creating-duplicate-acl-entries.patch
new file mode 100644
index 0000000000..6652e28e23
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0001-tmpfiles-avoid-creating-duplicate-acl-entries.patch
@@ -0,0 +1,134 @@
+Upstream-Status: Backport
+Signed-off-by: Dan McGregor
+
+From 33d36e28b0a23fb7ac33435a1329d65bff1ba4ec Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Mon, 23 Feb 2015 23:19:54 -0500
+Subject: [PATCH] tmpfiles: avoid creating duplicate acl entries
+
+https://bugs.freedesktop.org/show_bug.cgi?id=89202
+https://bugs.debian.org/778656
+
+Status quo ante can be restored with:
+ getfacl -p /var/log/journal/`cat /etc/machine-id`|grep -v '^#'|sort -u|sudo setfacl --set-file=- /var/log/journal/`cat /etc/machine-id`
+
+(cherry picked from commit 1c73f3bc29111a00738569c9d40a989b161a0624)
+---
+ src/shared/acl-util.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++--
+ src/shared/acl-util.h | 4 +++
+ 2 files changed, 81 insertions(+), 2 deletions(-)
+
+diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c
+index a4ff1ab..cbe09d7 100644
+--- a/src/shared/acl-util.c
++++ b/src/shared/acl-util.c
+@@ -282,6 +282,77 @@ int parse_acl(char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask)
+ return 0;
+ }
+
++static int acl_entry_equal(acl_entry_t a, acl_entry_t b) {
++ acl_tag_t tag_a, tag_b;
++
++ if (acl_get_tag_type(a, &tag_a) < 0)
++ return -errno;
++
++ if (acl_get_tag_type(b, &tag_b) < 0)
++ return -errno;
++
++ if (tag_a != tag_b)
++ return false;
++
++ switch (tag_a) {
++ case ACL_USER_OBJ:
++ case ACL_GROUP_OBJ:
++ case ACL_MASK:
++ case ACL_OTHER:
++ /* can have only one of those */
++ return true;
++ case ACL_USER: {
++ _cleanup_(acl_free_uid_tpp) uid_t *uid_a, *uid_b;
++
++ uid_a = acl_get_qualifier(a);
++ if (!uid_a)
++ return -errno;
++
++ uid_b = acl_get_qualifier(b);
++ if (!uid_b)
++ return -errno;
++
++ return *uid_a == *uid_b;
++ }
++ case ACL_GROUP: {
++ _cleanup_(acl_free_gid_tpp) gid_t *gid_a, *gid_b;
++
++ gid_a = acl_get_qualifier(a);
++ if (!gid_a)
++ return -errno;
++
++ gid_b = acl_get_qualifier(b);
++ if (!gid_b)
++ return -errno;
++
++ return *gid_a == *gid_b;
++ }
++ default:
++ assert_not_reached("Unknown acl tag type");
++ }
++}
++
++static int find_acl_entry(acl_t acl, acl_entry_t entry, acl_entry_t *out) {
++ acl_entry_t i;
++ int r;
++
++ for (r = acl_get_entry(acl, ACL_FIRST_ENTRY, &i);
++ r > 0;
++ r = acl_get_entry(acl, ACL_NEXT_ENTRY, &i)) {
++
++ r = acl_entry_equal(i, entry);
++ if (r < 0)
++ return r;
++ if (r > 0) {
++ *out = i;
++ return 1;
++ }
++ }
++ if (r < 0)
++ return -errno;
++ return 0;
++}
++
+ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
+ _cleanup_(acl_freep) acl_t old;
+ acl_entry_t i;
+@@ -297,8 +368,12 @@ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
+
+ acl_entry_t j;
+
+- if (acl_create_entry(&old, &j) < 0)
+- return -errno;
++ r = find_acl_entry(old, i, &j);
++ if (r < 0)
++ return r;
++ if (r == 0)
++ if (acl_create_entry(&old, &j) < 0)
++ return -errno;
+
+ if (acl_copy_entry(j, i) < 0)
+ return -errno;
+diff --git a/src/shared/acl-util.h b/src/shared/acl-util.h
+index 90e88ff..fdb9006 100644
+--- a/src/shared/acl-util.h
++++ b/src/shared/acl-util.h
+@@ -41,5 +41,9 @@ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl);
+ DEFINE_TRIVIAL_CLEANUP_FUNC(acl_t, acl_free);
+ #define acl_free_charp acl_free
+ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, acl_free_charp);
++#define acl_free_uid_tp acl_free
++DEFINE_TRIVIAL_CLEANUP_FUNC(uid_t*, acl_free_uid_tp);
++#define acl_free_gid_tp acl_free
++DEFINE_TRIVIAL_CLEANUP_FUNC(gid_t*, acl_free_gid_tp);
+
+ #endif
+--
+2.3.1
+
diff --git a/meta/recipes-core/systemd/systemd/0002-tmpfiles-quietly-ignore-ACLs-on-unsupported-filesyst.patch b/meta/recipes-core/systemd/systemd/0002-tmpfiles-quietly-ignore-ACLs-on-unsupported-filesyst.patch
new file mode 100644
index 0000000000..c195437ba0
--- /dev/null
+++ b/meta/recipes-core/systemd/systemd/0002-tmpfiles-quietly-ignore-ACLs-on-unsupported-filesyst.patch
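Review bot: In `acl_entry_equal()`, the `ACL_USER` and `ACL_GROUP` cases declare `uid_a`/`uid_b` and `gid_a`/`gid_b` with a `_cleanup_` attribute but no initializer, so when the first `acl_get_qualifier()` fails and the function returns `-errno`, the cleanup handler for the second pointer runs on an indeterminate value. `DEFINE_TRIVIAL_CLEANUP_FUNC` is not defined on this page, but if it passes any non-NULL value to `acl_free()`, as the `acl-util.h` additions suggest, that is a free of uninitialized stack contents in a tool that normally runs privileged. Initialize at the declaration, `_cleanup_(acl_free_uid_tpp) uid_t *uid_a = NULL, *uid_b = NULL;`, and do the same for the `gid_t` pair; `path_set_acl()` in the second patch already follows this pattern with `char *t = NULL`. The context line `_cleanup_(acl_freep) acl_t old;` in `acls_for_file()` has the same shape, but its body continues outside the hunk, so whether it is assigned before any return cannot be checked here.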
@@ -0,0 +1,86 @@
+Upstream-Status: Backport
+Signed-off-by: Dan McGregor
+
+From 31d05181e3a34c5c0ff6314d8eca1c3b4bb29423 Mon Sep 17 00:00:00 2001
+From: Hans-Peter Deifel
+Date: Tue, 3 Mar 2015 00:35:08 +0100
+Subject: [PATCH 2/2] tmpfiles: quietly ignore ACLs on unsupported filesystems
+
+A warning is printed if ACLs cannot be retrieved for any reason other
+than -ENOSYS. For -ENOSYS, debug log is printed.
+
+(cherry picked from commit d873e8778c92014c02a9122852758b436fa95c0e)
+---
+ src/tmpfiles/tmpfiles.c | 36 ++++++++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 16 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 88ba7e4..187997e 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -704,6 +704,9 @@ static int path_set_acl(const char *path, acl_type_t type, acl_t acl, bool modif
+ int r;
+ _cleanup_(acl_free_charpp) char *t = NULL;
+
++ /* Returns 0 for success, positive error if already warned,
++ * negative error otherwise. */
++
+ if (modify) {
+ r = acls_for_file(path, type, acl, &dup);
+ if (r < 0)
+@@ -731,35 +734,36 @@ static int path_set_acl(const char *path, acl_type_t type, acl_t acl, bool modif
+
+ r = acl_set_file(path, type, dup);
+ if (r < 0)
+- return log_error_errno(-errno,
+- "Setting %s ACL \"%s\" on %s failed: %m",
+- type == ACL_TYPE_ACCESS ? "access" : "default",
+- strna(t), path);
++ return -log_error_errno(errno,
++ "Setting %s ACL \"%s\" on %s failed: %m",
++ type == ACL_TYPE_ACCESS ? "access" : "default",
++ strna(t), path);
++
+ return 0;
+ }
+ #endif
+
+ static int path_set_acls(Item *item, const char *path) {
++ int r = 0;
+ #ifdef HAVE_ACL
+- int r;
+-
+ assert(item);
+ assert(path);
+
+- if (item->acl_access) {
++ if (item->acl_access)
+ r = path_set_acl(path, ACL_TYPE_ACCESS, item->acl_access, item->force);
+- if (r < 0)
+- return r;
+- }
+
+- if (item->acl_default) {
++ if (r == 0 && item->acl_default)
+ r = path_set_acl(path, ACL_TYPE_DEFAULT, item->acl_default, item->force);
+- if (r < 0)
+- return r;
+- }
+-#endif
+
+- return 0;
++ if (r > 0)
++ return -r; /* already warned */
++ else if (r == -ENOTSUP) {
++ log_debug_errno(r, "ACLs not supported by file system at %s", path);
++ return 0;
++ } else if (r < 0)
++ log_error_errno(r, "ACL operation on \"%s\" failed: %m", path);
++#endif
++ return r;
+ }
+
+ static int write_one_file(Item *i, const char *path) {
+--
+2.3.1
+
-- cgit v1.2.3-54-g00ecf
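Review bot: The `r == -ENOTSUP` branch added to `path_set_acls()` returns 0 after only `log_debug_errno()`, so a tmpfiles item that requests an ACL is reported as handled although no ACL was set, and at default log levels nothing records that the access policy was skipped. The patch description also names `-ENOSYS` while the code tests `-ENOTSUP`. I would document the fail-open behaviour at the branch, e.g. `/* ENOTSUP: file system has no ACL support; the requested ACL is NOT applied and the item still succeeds */`, and align the description with the errno the code checks. `path_set_acl()` starts and continues outside the visible inner hunks, so whether its `acls_for_file()` error path logs before returning a negative value (which the new `else if (r < 0)` branch would then log a second time) cannot be confirmed from this page.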