openssh: systemd notification was implemented upstream

Drop our sd-notify patch and switch to the upstream standalone implementation that does not depend on libsystemd. (From OE-Core rev: 1c9d3c22718bf49ae85c2d06e0ee60ebdc2fd0c1) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 07522f85a987b673b0a3c98690c3c17ab0c4b608) Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Jose Quaresma <quaresma.jose@gmail.com> 2024-07-26 16:48:38 +0100
committer: Steve Sakoman <steve@sakoman.com> 2024-08-01 06:08:09 -0700
commit: f43f393ef0246b7bee6eed8bcf8271cf2b8cdf40 (patch)
tree: ed05b2a06b513fb703be3290d50bef909a2425a9
parent: 0d70afb10742a2f6ee9dfcd53067bb729032d628 (diff)
download: poky-f43f393ef0246b7bee6eed8bcf8271cf2b8cdf40.tar.gz
4 files changed, 227 insertions, 103 deletions
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
new file mode 100644
index 0000000000..4925c969fe
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
@@ -0,0 +1,225 @@
+From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
+From: Damien Miller <djm@mindrot.org>
+Date: Wed, 3 Apr 2024 14:40:32 +1100
+Subject: [PATCH] notify systemd on listen and reload
+Standalone implementation that does not depend on libsystemd.
+With assistance from Luca Boccassi, and feedback/testing from Colin
+Watson. bz2641
+Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
+Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
+---
+ configure.ac                |  1 +
+ openbsd-compat/port-linux.c | 97 ++++++++++++++++++++++++++++++++++++-
+ openbsd-compat/port-linux.h |  5 ++
+ platform.c                  | 11 +++++
+ platform.h                  |  1 +
+ sshd.c                      |  2 +
+ 6 files changed, 115 insertions(+), 2 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index 82e8bb7c1..854f92b5b 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
+        AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
+        AC_DEFINE([USE_BTMP])
+        AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
+       AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
+        inet6_default_4in6=yes
+        case `uname -r` in
+        1.*|2.0.*)
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 0457e28d0..df7290246 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -21,16 +21,23 @@
+ 
+ #include "includes.h"
+ 
+-#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST)
+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) || \
+    defined(SYSTEMD_NOTIFY)
+#include <sys/socket.h>
+#include <sys/un.h>
+
+ #include <errno.h>
+#include <inttypes.h>
+ #include <stdarg.h>
+ #include <string.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+#include <time.h>
+ 
+ #include "log.h"
+ #include "xmalloc.h"
+ #include "port-linux.h"
+#include "misc.h"
+ 
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+@@ -310,4 +317,90 @@ oom_adjust_restore(void)
+        return;
+ }
+ #endif /* LINUX_OOM_ADJUST */
+-#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
+
+#ifdef SYSTEMD_NOTIFY
+
+static void ssh_systemd_notify(const char *, ...)
+    __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
+
+static void
+ssh_systemd_notify(const char *fmt, ...)
+{
+       char *s = NULL;
+       const char *path;
+       struct stat sb;
+       struct sockaddr_un addr;
+       int fd = -1;
+       va_list ap;
+
+       if ((path = getenv("NOTIFY_SOCKET")) == NULL || strlen(path) == 0)
+               return;
+
+       va_start(ap, fmt);
+       xvasprintf(&s, fmt, ap);
+       va_end(ap);
+
+       /* Only AF_UNIX is supported, with path or abstract sockets */
+       if (path[0] != '/' && path[0] != '@') {
+               error_f("socket \"%s\" is not compatible with AF_UNIX", path);
+               goto out;
+       }
+
+       if (path[0] == '/' && stat(path, &sb) != 0) {
+               error_f("socket \"%s\" stat: %s", path, strerror(errno));
+               goto out;
+       }
+
+       memset(&addr, 0, sizeof(addr));
+       addr.sun_family = AF_UNIX;
+       if (strlcpy(addr.sun_path, path,
+           sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
+               error_f("socket path \"%s\" too long", path);
+               goto out;
+       }
+       /* Support for abstract socket */
+       if (addr.sun_path[0] == '@')
+               addr.sun_path[0] = 0;
+       if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
+               error_f("socket \"%s\": %s", path, strerror(errno));
+               goto out;
+       }
+       if (connect(fd, &addr, sizeof(addr)) != 0) {
+               error_f("socket \"%s\" connect: %s", path, strerror(errno));
+               goto out;
+       }
+       if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
+               error_f("socket \"%s\" write: %s", path, strerror(errno));
+               goto out;
+       }
+       debug_f("socket \"%s\" notified %s", path, s);
+ out:
+       if (fd != -1)
+               close(fd);
+       free(s);
+}
+
+void
+ssh_systemd_notify_ready(void)
+{
+       ssh_systemd_notify("READY=1");
+}
+
+void
+ssh_systemd_notify_reload(void)
+{
+       struct timespec now;
+
+       monotime_ts(&now);
+       if (now.tv_sec < 0 || now.tv_nsec < 0) {
+               error_f("monotime returned negative value");
+               ssh_systemd_notify("RELOADING=1");
+       } else {
+               ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
+                   ((uint64_t)now.tv_sec * 1000000ULL) +
+                   ((uint64_t)now.tv_nsec / 1000ULL));
+       }
+}
+#endif /* SYSTEMD_NOTIFY */
+
+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST || SYSTEMD_NOTIFY */
+diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
+index 3c22a854d..14064f87d 100644
+--- a/openbsd-compat/port-linux.h
+++ b/openbsd-compat/port-linux.h
+@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
+ void oom_adjust_setup(void);
+ #endif
+ 
+#ifdef SYSTEMD_NOTIFY
+void ssh_systemd_notify_ready(void);
+void ssh_systemd_notify_reload(void);
+#endif
+
+ #endif /* ! _PORT_LINUX_H */
+diff --git a/platform.c b/platform.c
+index 4fe8744ee..9cf818153 100644
+--- a/platform.c
+++ b/platform.c
+@@ -44,6 +44,14 @@ platform_pre_listen(void)
+ #endif
+ }
+ 
+void
+platform_post_listen(void)
+{
+#ifdef SYSTEMD_NOTIFY
+       ssh_systemd_notify_ready();
+#endif
+}
+
+ void
+ platform_pre_fork(void)
+ {
+@@ -55,6 +63,9 @@ platform_pre_fork(void)
+ void
+ platform_pre_restart(void)
+ {
+#ifdef SYSTEMD_NOTIFY
+       ssh_systemd_notify_reload();
+#endif
+ #ifdef LINUX_OOM_ADJUST
+        oom_adjust_restore();
+ #endif
+diff --git a/platform.h b/platform.h
+index 7fef8c983..5dec23276 100644
+--- a/platform.h
+++ b/platform.h
+@@ -21,6 +21,7 @@
+ void platform_pre_listen(void);
+ void platform_pre_fork(void);
+ void platform_pre_restart(void);
+void platform_post_listen(void);
+ void platform_post_fork_parent(pid_t child_pid);
+ void platform_post_fork_child(void);
+ int  platform_privileged_uidswap(void);
+diff --git a/sshd.c b/sshd.c
+index b4f2b9742..865331b46 100644
+--- a/sshd.c
+++ b/sshd.c
+@@ -2077,6 +2077,8 @@ main(int ac, char **av)
+                ssh_signal(SIGTERM, sigterm_handler);
+                ssh_signal(SIGQUIT, sigterm_handler);
+ 
+               platform_post_listen();
+
+                /*
+                 * Write out the pid file after the sigterm handler
+                 * is setup and the listen sockets are bound
+-- 
+2.45.2
diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
deleted file mode 100644
index f7a1d12e8d..0000000000
--- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch
+++ /dev/null
@@ -1,99 +0,0 @@
-From be187435911cde6cc3cef6982a508261074f1e56 Mon Sep 17 00:00:00 2001
-From: Matt Jolly <Matt.Jolly@footclan.ninja>
-Date: Thu, 2 Feb 2023 21:05:40 +1100
-Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
-This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
-patch based on Jakub Jelen's <jjelen@redhat.com> original patch
-Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
-Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
---
- configure.ac | 24 ++++++++++++++++++++++++
- sshd.c       | 13 +++++++++++++
- 2 files changed, 37 insertions(+)
-diff --git a/configure.ac b/configure.ac
-index 22fee70f..486c189f 100644
--- a/configure.ac
-+++ b/configure.ac
-@@ -4835,6 +4835,29 @@ AC_SUBST([GSSLIBS])
- AC_SUBST([K5LIBS])
- AC_SUBST([CHANNELLIBS])
- 
-+# Check whether user wants systemd support
-+SYSTEMD_MSG="no"
-+AC_ARG_WITH(systemd,
-+       [  --with-systemd          Enable systemd support],
-+       [ if test "x$withval" != "xno" ; then
-+               AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
-+               if test "$PKGCONFIG" != "no"; then
-+                       AC_MSG_CHECKING([for libsystemd])
-+                       if $PKGCONFIG --exists libsystemd; then
-+                               SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
-+                               SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
-+                               CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
-+                               SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
-+                               AC_MSG_RESULT([yes])
-+                               AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
-+                               SYSTEMD_MSG="yes"
-+                       else
-+                               AC_MSG_RESULT([no])
-+                       fi
-+               fi
-+       fi ]
-+)
-+
- # Looking for programs, paths and files
- 
- PRIVSEP_PATH=/var/empty
-@@ -5634,6 +5657,7 @@ echo "                   libldns support: $LDNS_MSG"
- echo "  Solaris process contract support: $SPC_MSG"
- echo "           Solaris project support: $SP_MSG"
- echo "         Solaris privilege support: $SPP_MSG"
-+echo "                   systemd support: $SYSTEMD_MSG"
- echo "       IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
- echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
- echo "                  BSD Auth support: $BSD_AUTH_MSG"
-diff --git a/sshd.c b/sshd.c
-index 6321936c..859d6a0b 100644
--- a/sshd.c
-+++ b/sshd.c
-@@ -88,6 +88,10 @@
- #include <prot.h>
- #endif
- 
-+#ifdef HAVE_SYSTEMD
-+#include <systemd/sd-daemon.h>
-+#endif
-+
- #include "xmalloc.h"
- #include "ssh.h"
- #include "ssh2.h"
-@@ -310,6 +314,10 @@ static void
- sighup_restart(void)
- {
-        logit("Received SIGHUP; restarting.");
-+#ifdef HAVE_SYSTEMD
-+       /* Signal systemd that we are reloading */
-+       sd_notify(0, "RELOADING=1");
-+#endif
-        if (options.pid_file != NULL)
-                unlink(options.pid_file);
-        platform_pre_restart();
-@@ -2086,6 +2094,11 @@ main(int ac, char **av)
-                        }
-                }
- 
-+#ifdef HAVE_SYSTEMD
-+               /* Signal systemd that we are ready to accept connections */
-+               sd_notify(0, "READY=1");
-+#endif
-+
-                /* Accept a connection and return in a forked child */
-                server_accept_loop(&sock_in, &sock_out,
-                    &newsock, config_s);
-- 
-2.25.1
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service
index 2a997b656a..24062a6817 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -4,11 +4,11 @@ Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 [Service]
+Type=notify-reload
 Environment="SSHD_OPTS="
 EnvironmentFile=-/etc/default/ssh
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
 ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
-ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
 KillMode=process
 Restart=on-failure
 RestartSec=42s
diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
index c71245b6c0..042acffe6a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           file://sshd_check_keys \
           file://add-test-support-for-busybox.patch \
           file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
-           file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \
+           file://0001-notify-systemd-on-listen-and-reload.patch \
           file://CVE-2024-6387.patch \
           file://CVE-2024-39894.patch \
           "
@@ -54,7 +54,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
 SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
 inherit autotools-brokensep ptest pkgconfig
-DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
 # systemd-sshd-socket-mode means installing sshd.socket
 # and systemd-sshd-service-mode corresponding to sshd.service
@@ -77,7 +76,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
                --sysconfdir=${sysconfdir}/ssh \
                --with-xauth=${bindir}/xauth \
                --disable-strip \
-                ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
                "
 # musl doesn't implement wtmp/utmp and logwtmp
author	Jose Quaresma <quaresma.jose@gmail.com>	2024-07-26 16:48:38 +0100
committer	Steve Sakoman <steve@sakoman.com>	2024-08-01 06:08:09 -0700
commit	f43f393ef0246b7bee6eed8bcf8271cf2b8cdf40 (patch)
tree	ed05b2a06b513fb703be3290d50bef909a2425a9
parent	0d70afb10742a2f6ee9dfcd53067bb729032d628 (diff)
download	poky-f43f393ef0246b7bee6eed8bcf8271cf2b8cdf40.tar.gz

diff --git a/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch new file mode 100644 index 0000000000..4925c969fe --- /dev/null +++ b/meta/recipes-connectivity/openssh/openssh/0001-notify-systemd-on-listen-and-reload.patch
@@ -0,0 +1,225 @@
		1	From fc73e2405a8ca928465580b74a4d76112919367b Mon Sep 17 00:00:00 2001
		2	From: Damien Miller <djm@mindrot.org>
		3	Date: Wed, 3 Apr 2024 14:40:32 +1100
		4	Subject: [PATCH] notify systemd on listen and reload
		5
		6	Standalone implementation that does not depend on libsystemd.
		7	With assistance from Luca Boccassi, and feedback/testing from Colin
		8	Watson. bz2641
		9
		10	Upstream-Status: Backport [https://github.com/openssh/openssh-portable/commit/08f579231cd38a1c657aaa6ddeb8ab57a1fd4f5c]
		11
		12	Signed-off-by: Jose Quaresma <jose.quaresma@foundries.io>
		13	---
		14	configure.ac \| 1 +
		15	openbsd-compat/port-linux.c \| 97 ++++++++++++++++++++++++++++++++++++-
		16	openbsd-compat/port-linux.h \| 5 ++
		17	platform.c \| 11 +++++
		18	platform.h \| 1 +
		19	sshd.c \| 2 +
		20	6 files changed, 115 insertions(+), 2 deletions(-)
		21
		22	diff --git a/configure.ac b/configure.ac
		23	index 82e8bb7c1..854f92b5b 100644
		24	--- a/configure.ac
		25	+++ b/configure.ac
		26	@@ -915,6 +915,7 @@ int main(void) { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
		27	AC_DEFINE([_PATH_BTMP], ["/var/log/btmp"], [log for bad login attempts])
		28	AC_DEFINE([USE_BTMP])
		29	AC_DEFINE([LINUX_OOM_ADJUST], [1], [Adjust Linux out-of-memory killer])
		30	+ AC_DEFINE([SYSTEMD_NOTIFY], [1], [Have sshd notify systemd on start/reload])
		31	inet6_default_4in6=yes
		32	case `uname -r` in
		33	1.\|2.0.)
		34	diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
		35	index 0457e28d0..df7290246 100644
		36	--- a/openbsd-compat/port-linux.c
		37	+++ b/openbsd-compat/port-linux.c
		38	@@ -21,16 +21,23 @@
		39
		40	#include "includes.h"
		41
		42	-#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST)
		43	+#if defined(WITH_SELINUX) \|\| defined(LINUX_OOM_ADJUST) \|\| \
		44	+ defined(SYSTEMD_NOTIFY)
		45	+#include <sys/socket.h>
		46	+#include <sys/un.h>
		47	+
		48	#include <errno.h>
		49	+#include <inttypes.h>
		50	#include <stdarg.h>
		51	#include <string.h>
		52	#include <stdio.h>
		53	#include <stdlib.h>
		54	+#include <time.h>
		55
		56	#include "log.h"
		57	#include "xmalloc.h"
		58	#include "port-linux.h"
		59	+#include "misc.h"
		60
		61	#ifdef WITH_SELINUX
		62	#include <selinux/selinux.h>
		63	@@ -310,4 +317,90 @@ oom_adjust_restore(void)
		64	return;
		65	}
		66	#endif /* LINUX_OOM_ADJUST */
		67	-#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST */
		68	+
		69	+#ifdef SYSTEMD_NOTIFY
		70	+
		71	+static void ssh_systemd_notify(const char *, ...)
		72	+ __attribute__((__format__ (printf, 1, 2))) __attribute__((__nonnull__ (1)));
		73	+
		74	+static void
		75	+ssh_systemd_notify(const char *fmt, ...)
		76	+{
		77	+ char *s = NULL;
		78	+ const char *path;
		79	+ struct stat sb;
		80	+ struct sockaddr_un addr;
		81	+ int fd = -1;
		82	+ va_list ap;
		83	+
		84	+ if ((path = getenv("NOTIFY_SOCKET")) == NULL \|\| strlen(path) == 0)
		85	+ return;
		86	+
		87	+ va_start(ap, fmt);
		88	+ xvasprintf(&s, fmt, ap);
		89	+ va_end(ap);
		90	+
		91	+ /* Only AF_UNIX is supported, with path or abstract sockets */
		92	+ if (path[0] != '/' && path[0] != '@') {
		93	+ error_f("socket \"%s\" is not compatible with AF_UNIX", path);
		94	+ goto out;
		95	+ }
		96	+
		97	+ if (path[0] == '/' && stat(path, &sb) != 0) {
		98	+ error_f("socket \"%s\" stat: %s", path, strerror(errno));
		99	+ goto out;
		100	+ }
		101	+
		102	+ memset(&addr, 0, sizeof(addr));
		103	+ addr.sun_family = AF_UNIX;
		104	+ if (strlcpy(addr.sun_path, path,
		105	+ sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
		106	+ error_f("socket path \"%s\" too long", path);
		107	+ goto out;
		108	+ }
		109	+ /* Support for abstract socket */
		110	+ if (addr.sun_path[0] == '@')
		111	+ addr.sun_path[0] = 0;
		112	+ if ((fd = socket(PF_UNIX, SOCK_DGRAM, 0)) == -1) {
		113	+ error_f("socket \"%s\": %s", path, strerror(errno));
		114	+ goto out;
		115	+ }
		116	+ if (connect(fd, &addr, sizeof(addr)) != 0) {
		117	+ error_f("socket \"%s\" connect: %s", path, strerror(errno));
		118	+ goto out;
		119	+ }
		120	+ if (write(fd, s, strlen(s)) != (ssize_t)strlen(s)) {
		121	+ error_f("socket \"%s\" write: %s", path, strerror(errno));
		122	+ goto out;
		123	+ }
		124	+ debug_f("socket \"%s\" notified %s", path, s);
		125	+ out:
		126	+ if (fd != -1)
		127	+ close(fd);
		128	+ free(s);
		129	+}
		130	+
		131	+void
		132	+ssh_systemd_notify_ready(void)
		133	+{
		134	+ ssh_systemd_notify("READY=1");
		135	+}
		136	+
		137	+void
		138	+ssh_systemd_notify_reload(void)
		139	+{
		140	+ struct timespec now;
		141	+
		142	+ monotime_ts(&now);
		143	+ if (now.tv_sec < 0 \|\| now.tv_nsec < 0) {
		144	+ error_f("monotime returned negative value");
		145	+ ssh_systemd_notify("RELOADING=1");
		146	+ } else {
		147	+ ssh_systemd_notify("RELOADING=1\nMONOTONIC_USEC=%llu",
		148	+ ((uint64_t)now.tv_sec * 1000000ULL) +
		149	+ ((uint64_t)now.tv_nsec / 1000ULL));
		150	+ }
		151	+}
		152	+#endif /* SYSTEMD_NOTIFY */
		153	+
		154	+#endif /* WITH_SELINUX \|\| LINUX_OOM_ADJUST \|\| SYSTEMD_NOTIFY */
		155	diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
		156	index 3c22a854d..14064f87d 100644
		157	--- a/openbsd-compat/port-linux.h
		158	+++ b/openbsd-compat/port-linux.h
		159	@@ -30,4 +30,9 @@ void oom_adjust_restore(void);
		160	void oom_adjust_setup(void);
		161	#endif
		162
		163	+#ifdef SYSTEMD_NOTIFY
		164	+void ssh_systemd_notify_ready(void);
		165	+void ssh_systemd_notify_reload(void);
		166	+#endif
		167	+
		168	#endif /* ! _PORT_LINUX_H */
		169	diff --git a/platform.c b/platform.c
		170	index 4fe8744ee..9cf818153 100644
		171	--- a/platform.c
		172	+++ b/platform.c
		173	@@ -44,6 +44,14 @@ platform_pre_listen(void)
		174	#endif
		175	}
		176
		177	+void
		178	+platform_post_listen(void)
		179	+{
		180	+#ifdef SYSTEMD_NOTIFY
		181	+ ssh_systemd_notify_ready();
		182	+#endif
		183	+}
		184	+
		185	void
		186	platform_pre_fork(void)
		187	{
		188	@@ -55,6 +63,9 @@ platform_pre_fork(void)
		189	void
		190	platform_pre_restart(void)
		191	{
		192	+#ifdef SYSTEMD_NOTIFY
		193	+ ssh_systemd_notify_reload();
		194	+#endif
		195	#ifdef LINUX_OOM_ADJUST
		196	oom_adjust_restore();
		197	#endif
		198	diff --git a/platform.h b/platform.h
		199	index 7fef8c983..5dec23276 100644
		200	--- a/platform.h
		201	+++ b/platform.h
		202	@@ -21,6 +21,7 @@
		203	void platform_pre_listen(void);
		204	void platform_pre_fork(void);
		205	void platform_pre_restart(void);
		206	+void platform_post_listen(void);
		207	void platform_post_fork_parent(pid_t child_pid);
		208	void platform_post_fork_child(void);
		209	int platform_privileged_uidswap(void);
		210	diff --git a/sshd.c b/sshd.c
		211	index b4f2b9742..865331b46 100644
		212	--- a/sshd.c
		213	+++ b/sshd.c
		214	@@ -2077,6 +2077,8 @@ main(int ac, char **av)
		215	ssh_signal(SIGTERM, sigterm_handler);
		216	ssh_signal(SIGQUIT, sigterm_handler);
		217
		218	+ platform_post_listen();
		219	+
		220	/*
		221	* Write out the pid file after the sigterm handler
		222	* is setup and the listen sockets are bound
		223	--
		224	2.45.2
		225


diff --git a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch b/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch deleted file mode 100644 index f7a1d12e8d..0000000000 --- a/meta/recipes-connectivity/openssh/openssh/0001-systemd-Add-optional-support-for-systemd-sd_notify.patch +++ /dev/null
@@ -1,99 +0,0 @@
1	From be187435911cde6cc3cef6982a508261074f1e56 Mon Sep 17 00:00:00 2001
2	From: Matt Jolly <Matt.Jolly@footclan.ninja>
3	Date: Thu, 2 Feb 2023 21:05:40 +1100
4	Subject: [PATCH] systemd: Add optional support for systemd `sd_notify`
5
6	This is a rebase of Dennis Lamm's <expeditioneer@gentoo.org>
7	patch based on Jakub Jelen's <jjelen@redhat.com> original patch
8
9	Upstream-Status: Denied [https://github.com/openssh/openssh-portable/pull/375/commits/be187435911cde6cc3cef6982a508261074f1e56]
10
11	Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
12	---
13	configure.ac \| 24 ++++++++++++++++++++++++
14	sshd.c \| 13 +++++++++++++
15	2 files changed, 37 insertions(+)
16
17	diff --git a/configure.ac b/configure.ac
18	index 22fee70f..486c189f 100644
19	--- a/configure.ac
20	+++ b/configure.ac
21	@@ -4835,6 +4835,29 @@ AC_SUBST([GSSLIBS])
22	AC_SUBST([K5LIBS])
23	AC_SUBST([CHANNELLIBS])
24
25	+# Check whether user wants systemd support
26	+SYSTEMD_MSG="no"
27	+AC_ARG_WITH(systemd,
28	+ [ --with-systemd Enable systemd support],
29	+ [ if test "x$withval" != "xno" ; then
30	+ AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])
31	+ if test "$PKGCONFIG" != "no"; then
32	+ AC_MSG_CHECKING([for libsystemd])
33	+ if $PKGCONFIG --exists libsystemd; then
34	+ SYSTEMD_CFLAGS=`$PKGCONFIG --cflags libsystemd`
35	+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
36	+ CPPFLAGS="$CPPFLAGS $SYSTEMD_CFLAGS"
37	+ SSHDLIBS="$SSHDLIBS $SYSTEMD_LIBS"
38	+ AC_MSG_RESULT([yes])
39	+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if you want systemd support.])
40	+ SYSTEMD_MSG="yes"
41	+ else
42	+ AC_MSG_RESULT([no])
43	+ fi
44	+ fi
45	+ fi ]
46	+)
47	+
48	# Looking for programs, paths and files
49
50	PRIVSEP_PATH=/var/empty
51	@@ -5634,6 +5657,7 @@ echo " libldns support: $LDNS_MSG"
52	echo " Solaris process contract support: $SPC_MSG"
53	echo " Solaris project support: $SP_MSG"
54	echo " Solaris privilege support: $SPP_MSG"
55	+echo " systemd support: $SYSTEMD_MSG"
56	echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG"
57	echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
58	echo " BSD Auth support: $BSD_AUTH_MSG"
59	diff --git a/sshd.c b/sshd.c
60	index 6321936c..859d6a0b 100644
61	--- a/sshd.c
62	+++ b/sshd.c
63	@@ -88,6 +88,10 @@
64	#include <prot.h>
65	#endif
66
67	+#ifdef HAVE_SYSTEMD
68	+#include <systemd/sd-daemon.h>
69	+#endif
70	+
71	#include "xmalloc.h"
72	#include "ssh.h"
73	#include "ssh2.h"
74	@@ -310,6 +314,10 @@ static void
75	sighup_restart(void)
76	{
77	logit("Received SIGHUP; restarting.");
78	+#ifdef HAVE_SYSTEMD
79	+ /* Signal systemd that we are reloading */
80	+ sd_notify(0, "RELOADING=1");
81	+#endif
82	if (options.pid_file != NULL)
83	unlink(options.pid_file);
84	platform_pre_restart();
85	@@ -2086,6 +2094,11 @@ main(int ac, char **av)
86	}
87	}
88
89	+#ifdef HAVE_SYSTEMD
90	+ /* Signal systemd that we are ready to accept connections */
91	+ sd_notify(0, "READY=1");
92	+#endif
93	+
94	/* Accept a connection and return in a forked child */
95	server_accept_loop(&sock_in, &sock_out,
96	&newsock, config_s);
97	--
98	2.25.1
99


diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.service b/meta/recipes-connectivity/openssh/openssh/sshd.service index 2a997b656a..24062a6817 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshd.service +++ b/meta/recipes-connectivity/openssh/openssh/sshd.service
@@ -4,11 +4,11 @@ Wants=sshdgenkeys.service
4	After=sshdgenkeys.service	4	After=sshdgenkeys.service
5		5
6	[Service]	6	[Service]
		7	Type=notify-reload
7	Environment="SSHD_OPTS="	8	Environment="SSHD_OPTS="
8	EnvironmentFile=-/etc/default/ssh	9	EnvironmentFile=-/etc/default/ssh
9	ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd	10	ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
10	ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS	11	ExecStart=-@SBINDIR@/sshd -D $SSHD_OPTS
11	ExecReload=@BASE_BINDIR@/kill -HUP $MAINPID
12	KillMode=process	12	KillMode=process
13	Restart=on-failure	13	Restart=on-failure
14	RestartSec=42s	14	RestartSec=42s


diff --git a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb index c71245b6c0..042acffe6a 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.6p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.6p1.bb
@@ -25,7 +25,7 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
25	file://sshd_check_keys \	25	file://sshd_check_keys \
26	file://add-test-support-for-busybox.patch \	26	file://add-test-support-for-busybox.patch \
27	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \	27	file://0001-regress-banner.sh-log-input-and-output-files-on-erro.patch \
28	file://0001-systemd-Add-optional-support-for-systemd-sd_notify.patch \	28	file://0001-notify-systemd-on-listen-and-reload.patch \
29	file://CVE-2024-6387.patch \	29	file://CVE-2024-6387.patch \
30	file://CVE-2024-39894.patch \	30	file://CVE-2024-39894.patch \
31	"	31	"
@@ -54,7 +54,6 @@ SYSTEMD_PACKAGES = "${PN}-sshd"
54	SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"	54	SYSTEMD_SERVICE:${PN}-sshd = "${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-socket-mode','sshd.socket', '', d)} ${@bb.utils.contains('PACKAGECONFIG','systemd-sshd-service-mode','sshd.service', '', d)}"
55		55
56	inherit autotools-brokensep ptest pkgconfig	56	inherit autotools-brokensep ptest pkgconfig
57	DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd', '', d)}"
58		57
59	# systemd-sshd-socket-mode means installing sshd.socket	58	# systemd-sshd-socket-mode means installing sshd.socket
60	# and systemd-sshd-service-mode corresponding to sshd.service	59	# and systemd-sshd-service-mode corresponding to sshd.service
@@ -77,7 +76,6 @@ EXTRA_OECONF = "'LOGIN_PROGRAM=${base_bindir}/login' \
77	--sysconfdir=${sysconfdir}/ssh \	76	--sysconfdir=${sysconfdir}/ssh \
78	--with-xauth=${bindir}/xauth \	77	--with-xauth=${bindir}/xauth \
79	--disable-strip \	78	--disable-strip \
80	${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--with-systemd', '--without-systemd', d)} \
81	"	79	"
82		80
83	# musl doesn't implement wtmp/utmp and logwtmp	81	# musl doesn't implement wtmp/utmp and logwtmp