Diffstat (limited to 'sys-apps/systemd')
-rw-r--r--sys-apps/systemd/Manifest11
-rw-r--r--sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch76
-rw-r--r--sys-apps/systemd/files/242-network-domains.patch57
-rw-r--r--sys-apps/systemd/files/242-networkd-ipv6-token.patch152
-rw-r--r--sys-apps/systemd/files/242-rdrand-ryzen.patch353
-rw-r--r--sys-apps/systemd/files/CVE-2019-6454.patch198
-rw-r--r--sys-apps/systemd/systemd-241-r4.ebuild (renamed from sys-apps/systemd/systemd-241-r2.ebuild)4
-rw-r--r--sys-apps/systemd/systemd-242-r6.ebuild (renamed from sys-apps/systemd/systemd-242-r3.ebuild)52
-rw-r--r--sys-apps/systemd/systemd-9999.ebuild47
9 files changed, 693 insertions, 257 deletions
diff --git a/sys-apps/systemd/Manifest b/sys-apps/systemd/Manifest
index 330e9045301a..71f2d463071b 100644
--- a/sys-apps/systemd/Manifest
+++ b/sys-apps/systemd/Manifest
@@ -1,9 +1,12 @@
AUX 241-version-dep.patch 5015 BLAKE2B 63a2f591c6199787cabc5af4c0df14c76e8dba189ca2d69cf539b13a0187fb7f29f7d6a2550b7eee046859d99c9b4de4af11573c624787968a8041e210d8bc75 SHA512 22667683fdec5b92d9dd7afe40930d7483f3025b24152a6d0f9497ac81e9e2a75b467d2b02770d2321ea53236444b5d01217b6f97d725913974ebd2522c6ac58
+AUX 241-wrapper-msan-unpoinson.patch 2248 BLAKE2B fe5ae8e9b770ff973b6a8ac6afa694a920ff1f731b97b93198307c8d0068571e799f21d53acf4c1c5d8b50562a4c1aaa0d176ad7d56eab6fd4fefec9f63c8483 SHA512 93719736a4847d210dc57f92c10b6dd1b18c2ddf0c9885c83ba729466088a54df9709605e5c81e2bb7c528e03523ba5f2af08682cc9e8af1cd9d750c63d4c578
AUX 242-file-max.patch 1314 BLAKE2B 3057d95ff701e188da4fba3b72b8a6e17dec2350a67e056cf1a2e0fa216d0b3aec22cbfbacd11e6ee17331cbda27dbf201fbc9ba2aa794fec9efbe0f612b3b43 SHA512 508a0b56b55839bccef3b3dc48f054e3d2876936cd8a36009dbadaa9a0ae85a5897f95de5c9c4b0e48d80d176e788fa342bd4235224e8cf3adacbe04dfbcebd0
AUX 242-gcc-9.patch 7672 BLAKE2B 1cd98213f70e6813582706e7b523925fd7956507bd5bf113889189d3a5da3e0eb287163449d023755269827e3b5dc8db758a51cd9f37c3f3a69510de31b43109 SHA512 57add7e3215f25ec5547a905c7257ca06adca30d2f4a031eee9882ac16586ea5c5c9d3b50206674dffdb182c78f048834b6c73ab1490253a1ddae15c35878554
+AUX 242-network-domains.patch 2373 BLAKE2B cc9253d3d8f579ef61c2eae0e5e2446afa68a339233b10b3d184cfaa21e6b6c7c53e9d2aa824b80f46ba31a9bded0b55b9a84a8463806edf9ebed0de13f937f5 SHA512 9a3f86e306f69237ae2e3572ac2f0eba1603adff622304e676a06b51ae6f41f68e269f69bdcbbdf537c99b6a9decfdfebe0527d7c500566ae72b8170011f2e26
+AUX 242-networkd-ipv6-token.patch 6525 BLAKE2B 4bbf64154f96419df91caf03f827f37bfb84db6367cb0e618d4a1f34910c3e84793b188d85330c21005dc25300f4b7ae7182d95fe1e0b6c61168dd9d63b2a36d SHA512 e1d230c9b2f1938ff9ca22452ba88ec71454eab6d797f51110d1e80719900dbc7fcb81baced914ac2499878340723183694aca3bb00c956d8fee5cf3f0ad841c
+AUX 242-rdrand-ryzen.patch 16177 BLAKE2B 7d1d3709098a233ba58727788b77c30025c0497fff9abb1df007e21160da3f93a7e9d14b0eeb7e6855bbe5fa93abfeda118156cbba355fc2976c83debcbb91d4 SHA512 38d00535a118b060accb8ed4e87681bab5e547270ef7e0abcdcf4766367e22761ffc35d0db7c829e86e0ad45f13cf4c761e71cfdfc70c2675056ef217c85618d
AUX 242-socket-util-flush-accept.patch 2123 BLAKE2B 74bfbe440ae548b96d90b41ac45c440b21a63c61ae75a9d2b725d2bdec74a03aeca7b673a656821eb925e6740d6728a41d0dc30275287a92519b47d9c477c487 SHA512 7dd0daa70de4ee264d0b3dfe6f80b5e0c563e5bb5255ca2a92f26c4a993fca178f275f85c9048305b82b258d41c9bcbb28d74f9e2b6c2a0e77748464890cb907
AUX 242-wireguard-listenport.patch 1598 BLAKE2B 3266fe600db530ebb5b8eb726822daf14ee87292b035c09a1eb9a46638cc2dc3b8a3f11dd74684a79f3e521d3999b6b8c3a641f8f7475a5d45706567e00d26f6 SHA512 69e047000eb5ed36850bcbc6b8ef37a646b60a642a07a68547624e81aa6e49c77b848745ca4daad883151ddcaee9e7957ea6430f5a0c0c67ffc7887778f536e9
-AUX CVE-2019-6454.patch 6017 BLAKE2B 8feefe11f44e4136c5fcf87160197bfbc0557d5097bc12275411887005bed1fe56a532d114e2e49527a7f35016a6b5fc04cb1086b33445402ace21eb880c02e9 SHA512 ff84ae9a043f17fd78c7fc499fe532c4d3b46dbe34f24c8289c209a026c1eda20de3ba46b67c8a5b14e9889e6362a4fb2097d550e6bcdb5182455fc569e23224
AUX CVE-2019-6454/0001-Refuse-dbus-message-paths-longer-than-BUS_PATH_SIZE_.patch 1848 BLAKE2B 348c35881ce039f92d8fc8dc8c87af2efa95696afbe79ad8fc4e01129524bdf28b529ab86ec611d08446e589176c0678018d94d8c5fc068c65ab4eb429746cf9 SHA512 693afe328ebc20d34cbf07c632a8da90ee293147e793a599a4d2aac6f757738bfab93048a2f8ed6e68d16f865e9b4112e737c692ad01c7d4946f8c430714161d
AUX CVE-2019-6454/0002-Allocate-temporary-strings-to-hold-dbus-paths-on-the.patch 6660 BLAKE2B 45acb2595245a5cbd10c2a9c7ffa2db0c4bd5b03ef8dc25eb51fc35dd51a49b3acd18bf4cf8db7f639e7a4e61592f3ce0bcb031bf27b0bf3ae6fc96c74445f77 SHA512 7c082ab4effc36543bab08700b84a3ccddfba5d5e87b324d6b935d75f5debb7a5f7be1c2e21208e8d1715f5d40619c8f775629acdde40d3c7b2f406b5c6d9460
AUX gentoo-Dont-enable-audit-by-default.patch 1027 BLAKE2B 9193a409db4e5c1dec6f6b66ee6e0a4cc1ada49d41ab758c788cf12534fffb67bd7370b8558a6af56572d7f2b73cf47db255fef105e56362c15f0a426f80b256 SHA512 44e512d8bbadbc5714192896a3ba262e460af034846e4e9b9832b4143fff772e2734e655316fd88d1ef386509bd234c195dce2087348f220836b3bf4f26790e0
@@ -13,7 +16,7 @@ AUX gentoo-uucp-group-r1.patch 562 BLAKE2B 98b629d9b20e4fedfb017864dca1346aa1766
AUX nsswitch.conf 734 BLAKE2B 5f5a7821a84f6c8aa31fe9a68c29a1a0f24be578d427a623f14a9ef795e7da481f226efe5511d92932b5edf5638fa719808a0c3a0b8fd340799dd6bcb703a0a1 SHA512 dcbd51dacaaebdff32edb3840cc7b9b47b6521009b8786690e3673a2e78bc60bfd8e591b1048c5d452117c6659b9917ae2864462f5057cc39b704b0130522e60
DIST systemd-241.tar.gz 7640538 BLAKE2B 69d7196fee0d0ad06ea8d7c78b0299cc17517ecce3ca4c0b1181a3fbb13bc2627629156785051e2ff427dcc21414f7a078724c6409ebaa431618e4799ebcd50a SHA512 a7757574590e8aa37e1291ea0b2c5eb03a8d8062fe9462fa5b0bf50830c933e2b301d106c70d904f94afc0aa8e43a8acfd11926dfa25b1b89174580e491e545e
DIST systemd-242.tar.gz 7831435 BLAKE2B 288e65d0a8e133ef5885689eb16118a83d93c730e342da63115cea0892fc999104c3a4856c83f3e7ef909ba2f3311146730b05ee02d84cc0400851ccbdcd54cd SHA512 578f68a3c8f2d454198fc04ff8d943abcfb390531d57f9603d185857f7afa7f4dc641dafecf49ce50fe22f5837b252b181400891e8efd4459fd4f69bb4283cb4
-EBUILD systemd-241-r2.ebuild 13842 BLAKE2B b5d00f7241a5481fc7201675c3a7e5bf03f4689d6e9128d1236134e576faed3db92c7eb813ad334ed7b00d9e3c5f3796f1d43181c1f29e7db86e8cf5eaafbc28 SHA512 1216ae355a4c122feeafb1f66900de82c641d0ac5d087695531f558deb4a44bdc29b8a37f5c2521e1db71b2d1fbf0c2287f50a43215710f52f556b2a031f88d5
-EBUILD systemd-242-r3.ebuild 13838 BLAKE2B 41bb4c44967ef31883d455e0ef49ee6dca5f210882043c8db2b82c33fc117a26f945ee6283aef6feea2ab2e0238521113d29e1d612a189575be29d6a498737b8 SHA512 c7bf697a8c24af40807efb4d4d5baf9de65d1c3ff460dee1956557f2ca04941ca1be2425290e23b525301ee8749d68d9a453830ac25a00dc0ce29bd5e8defc80
-EBUILD systemd-9999.ebuild 13673 BLAKE2B d23c5d7f2963f102d98d388ba249400f52a96c95bf6d0e7471f4cae627ac5120289d5cb8c06c4d0c21667d513ac86fbaf4e4ec2bb274c37cc564b32afa239af4 SHA512 9ab3f1e0f6a7735a08dea7df7902427b9318b0edb2d4ed2c6717fb08c06bddd6b7ae7365dd2c88cbc8a36e2f93851769302e2deb2b6c6112affb9d4bdd871565
+EBUILD systemd-241-r4.ebuild 14022 BLAKE2B 673468293f5e17f4342b328f04328cbeff4e0a36c6c72c20a279c2cdd14f31c02d6488d0ad3e92cd95a48d0525c56e0c886522ff1ff8f4d6f2603ec5cd5f178d SHA512 1c92a1c62a282258be1bbb1086cd67a2c01c2b7793239a8bc6c5f01886984eaa65b84a9802efa76548b7cead099808f63168aebc85a4d7a941da9284bc86edd6
+EBUILD systemd-242-r6.ebuild 13934 BLAKE2B 49b1d29b1db73e622d25f3b3e451da57cca6abdb8e9a9c6afb24defd660c30d1842d6c61a86a844c9db7d5e17bb20de1a6c98b9f422efebf51b800b5202223e3 SHA512 caaad0318cab70e09eaf0bceb1aef00641ac721c8494aa756653fe8b50c4888d1407b182dd9ab98159dbd7b2d1a45b4165bd8f35768fae91b683cad20ea93016
+EBUILD systemd-9999.ebuild 13643 BLAKE2B 1651cf9850198e9b5222da34d5bbedbee838fe318bfc3eb752deed3164f10e6a8c4165d77458bef6c24234232d4bccccad44670b597e2c4e0ab30bdeac92df08 SHA512 5cac3833cbb0437878250df43050b2db5ddbd7792b75ff5cb79288f4d67d404df2ad66d7320d153ee056e4c730ec68a232b3b3ba720fc66cdae57798b2a7fa14
MISC metadata.xml 2125 BLAKE2B fed24f3b56a79016c4df8554626c7ae67ff50f97adb9af809a726b226c52690642f9df71b22eab320d3964d764dec1439009d8b8bf6979e407a5704e843829d2 SHA512 414d069185451f72eb1e803da7019da8800b08eade46824620632d795007bdec0e9201af93bb895674e3c48907593062610eb2f22f20ac15d099a593b450b8de
diff --git a/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch
new file mode 100644
index 000000000000..e337b4f4ca52
--- /dev/null
+++ b/sys-apps/systemd/files/241-wrapper-msan-unpoinson.patch
@@ -0,0 +1,76 @@
+From c322f379e6ca972f1c4d3409ac97828b1b838d5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
+Date: Fri, 22 Feb 2019 13:07:00 +0100
+Subject: [PATCH] Add wrapper for __msan_unpoinson() to reduce #ifdeffery
+
+This isn't really necessary for the subsequent commit, but I expect that we'll
+need to unpoison more often once we turn on msan in CI, so I think think this
+change makes sense in the long run.
+---
+ src/basic/alloc-util.h | 10 ++++++++++
+ src/basic/random-util.c | 11 ++---------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h
+index 893a1238ff..78ee34bb71 100644
+--- a/src/basic/alloc-util.h
++++ b/src/basic/alloc-util.h
+@@ -8,6 +8,10 @@
+
+ #include "macro.h"
+
++#if HAS_FEATURE_MEMORY_SANITIZER
++# include <sanitizer/msan_interface.h>
++#endif
++
+ typedef void (*free_func_t)(void *p);
+
+ /* If for some reason more than 4M are allocated on the stack, let's abort immediately. It's better than
+@@ -160,3 +164,9 @@ void* greedy_realloc0(void **p, size_t *allocated, size_t need, size_t size);
+ (ptr) = NULL; \
+ _ptr_; \
+ })
++
++#if HAS_FEATURE_MEMORY_SANITIZER
++# define msan_unpoison(r, s) __msan_unpoison(r, s)
++#else
++# define msan_unpoison(r, s)
++#endif
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index f7decf60b6..ca25fd2420 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -23,16 +23,13 @@
+ # include <linux/random.h>
+ #endif
+
++#include "alloc-util.h"
+ #include "fd-util.h"
+ #include "io-util.h"
+ #include "missing.h"
+ #include "random-util.h"
+ #include "time-util.h"
+
+-#if HAS_FEATURE_MEMORY_SANITIZER
+-#include <sanitizer/msan_interface.h>
+-#endif
+-
+ int rdrand(unsigned long *ret) {
+
+ #if defined(__i386__) || defined(__x86_64__)
+@@ -58,11 +55,7 @@ int rdrand(unsigned long *ret) {
+ "setc %1"
+ : "=r" (*ret),
+ "=qm" (err));
+-
+-#if HAS_FEATURE_MEMORY_SANITIZER
+- __msan_unpoison(&err, sizeof(err));
+-#endif
+-
++ msan_unpoison(&err, sizeof(err));
+ if (!err)
+ return -EAGAIN;
+
+--
+2.22.0
+
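Review bot: Nothing in this patch file records why a CI-oriented MSan cleanup is carried downstream. Judging by the blob ids, the post-image of its random-util.c hunk (`ca25fd2420`) is the pre-image of the first hunk in 242-rdrand-ryzen.patch, so it looks like a prerequisite for applying that series to 241. A header line saying so, e.g. `Prerequisite for 242-rdrand-ryzen.patch; no functional change without MSan`, would keep it from being dropped as unrelated on the next bump. On the code itself, the non-MSan `# define msan_unpoison(r, s)` expands to nothing, so a call used as the sole body of an `if` becomes an empty statement; `do {} while (0)` would be the safer no-op form.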
diff --git a/sys-apps/systemd/files/242-network-domains.patch b/sys-apps/systemd/files/242-network-domains.patch
new file mode 100644
index 000000000000..166a8ee5b76f
--- /dev/null
+++ b/sys-apps/systemd/files/242-network-domains.patch
@@ -0,0 +1,57 @@
+From fe0e16db093a7da09fcb52a2bc7017197047443d Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Mon, 13 May 2019 05:40:31 +0900
+Subject: [PATCH] network: do not use ordered_set_printf() for DOMAINS= or
+ ROUTE_DOMAINS=
+
+This partially reverts 5e2a51d588dde4b52c6017ea80b75c16e6e23431.
+
+Fixes #12531.
+---
+ src/network/networkd-link.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index f8ee48802cb..1dc10c65a1b 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -3495,12 +3495,11 @@ int link_save(Link *link) {
+ admin_state, oper_state);
+
+ if (link->network) {
+- bool space;
++ char **dhcp6_domains = NULL, **dhcp_domains = NULL;
++ const char *dhcp_domainname = NULL, *p;
+ sd_dhcp6_lease *dhcp6_lease = NULL;
+- const char *dhcp_domainname = NULL;
+- char **dhcp6_domains = NULL;
+- char **dhcp_domains = NULL;
+ unsigned j;
++ bool space;
+
+ fprintf(f, "REQUIRED_FOR_ONLINE=%s\n",
+ yes_no(link->network->required_for_online));
+@@ -3617,7 +3616,10 @@ int link_save(Link *link) {
+ (void) sd_dhcp6_lease_get_domains(dhcp6_lease, &dhcp6_domains);
+ }
+
+- ordered_set_print(f, "DOMAINS=", link->network->search_domains);
++ fputs("DOMAINS=", f);
++ space = false;
++ ORDERED_SET_FOREACH(p, link->network->search_domains, i)
++ fputs_with_space(f, p, NULL, &space);
+
+ if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_YES) {
+ NDiscDNSSL *dd;
+@@ -3635,7 +3637,10 @@ int link_save(Link *link) {
+
+ fputc('\n', f);
+
+- ordered_set_print(f, "ROUTE_DOMAINS=", link->network->route_domains);
++ fputs("ROUTE_DOMAINS=", f);
++ space = false;
++ ORDERED_SET_FOREACH(p, link->network->route_domains, i)
++ fputs_with_space(f, p, NULL, &space);
+
+ if (link->network->dhcp_use_domains == DHCP_USE_DOMAINS_ROUTE) {
+ NDiscDNSSL *dd;
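Review bot: Both new loops write each search or route domain into the link state file verbatim through `fputs_with_space(f, p, NULL, &space)`, so the space-separated `DOMAINS=` and `ROUTE_DOMAINS=` lines stay parseable only if no entry contains whitespace or a newline, and the hunks do not show where that is enforced. A short comment above the first loop stating the invariant, such as `/* entries are validated domain names, so no escaping is needed here */`, would be worth adding once confirmed against the config parser. The iterator `i` used by `ORDERED_SET_FOREACH` is declared outside the visible hunks, and link_save() itself starts and ends outside them. The two loops differ only in the set and the key, so a small static helper would remove the duplication.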
diff --git a/sys-apps/systemd/files/242-networkd-ipv6-token.patch b/sys-apps/systemd/files/242-networkd-ipv6-token.patch
new file mode 100644
index 000000000000..87a85f6f6ab0
--- /dev/null
+++ b/sys-apps/systemd/files/242-networkd-ipv6-token.patch
@@ -0,0 +1,152 @@
+From 4eb086a38712ea98faf41e075b84555b11b54362 Mon Sep 17 00:00:00 2001
+From: Susant Sahani <ssahani@gmail.com>
+Date: Thu, 9 May 2019 07:35:35 +0530
+Subject: [PATCH] networkd: fix link_up() (#12505)
+
+Fillup IFLA_INET6_ADDR_GEN_MODE while we do link_up.
+
+Fixes the following error:
+```
+dummy-test: Could not bring up interface: Invalid argument
+```
+
+After reading the kernel code when we do a link up
+```
+net/core/rtnetlink.c
+IFLA_AF_SPEC
+ af_ops->set_link_af(dev, af);
+ inet6_set_link_af
+ if (tb[IFLA_INET6_ADDR_GEN_MODE])
+ Here it looks for IFLA_INET6_ADDR_GEN_MODE
+```
+Since link up we didn't filling up that it's failing.
+
+Closes #12504.
+---
+ src/network/networkd-link.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 3c8b5c5cb43..4db9f3f980f 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -2031,6 +2031,8 @@ static int link_up(Link *link) {
+ }
+
+ if (link_ipv6_enabled(link)) {
++ uint8_t ipv6ll_mode;
++
+ r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
+@@ -2046,6 +2048,19 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+ }
+
++ if (!link_ipv6ll_enabled(link))
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
++ else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
++ /* The file may not exist. And event if it exists, when stable_secret is unset,
++ * reading the file fails with EIO. */
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
++ else
++ ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
++
++ r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
++ if (r < 0)
++ return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
++
+ r = sd_netlink_message_close_container(req);
+ if (r < 0)
+ return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
+From 9f6e82e6eb3b6e73d66d00d1d6eee60691fb702f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 9 May 2019 14:39:46 +0900
+Subject: [PATCH] network: do not send ipv6 token to kernel
+
+We disabled kernel RA support. Then, we should not send
+IFLA_INET6_TOKEN.
+Thus, we do not need to send IFLA_INET6_ADDR_GEN_MODE twice.
+
+Follow-up for 0e2fdb83bb5e22047e0c7cc058b415d0e93f02cf and
+4eb086a38712ea98faf41e075b84555b11b54362.
+---
+ src/network/networkd-link.c | 51 +++++--------------------------------
+ 1 file changed, 6 insertions(+), 45 deletions(-)
+
+diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c
+index 2b6ff2b6c58..b6da4ea70b7 100644
+--- a/src/network/networkd-link.c
++++ b/src/network/networkd-link.c
+@@ -1954,6 +1954,9 @@ static int link_configure_addrgen_mode(Link *link) {
+ assert(link->manager);
+ assert(link->manager->rtnl);
+
++ if (!socket_ipv6_is_supported())
++ return 0;
++
+ log_link_debug(link, "Setting address genmode for link");
+
+ r = sd_rtnl_message_new_link(link->manager->rtnl, &req, RTM_SETLINK, link->ifindex);
+@@ -2047,46 +2050,6 @@ static int link_up(Link *link) {
+ return log_link_error_errno(link, r, "Could not set MAC address: %m");
+ }
+
+- if (link_ipv6_enabled(link)) {
+- uint8_t ipv6ll_mode;
+-
+- r = sd_netlink_message_open_container(req, IFLA_AF_SPEC);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not open IFLA_AF_SPEC container: %m");
+-
+- /* if the kernel lacks ipv6 support setting IFF_UP fails if any ipv6 options are passed */
+- r = sd_netlink_message_open_container(req, AF_INET6);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not open AF_INET6 container: %m");
+-
+- if (!in_addr_is_null(AF_INET6, &link->network->ipv6_token)) {
+- r = sd_netlink_message_append_in6_addr(req, IFLA_INET6_TOKEN, &link->network->ipv6_token.in6);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not append IFLA_INET6_TOKEN: %m");
+- }
+-
+- if (!link_ipv6ll_enabled(link))
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_NONE;
+- else if (sysctl_read_ip_property(AF_INET6, link->ifname, "stable_secret", NULL) < 0)
+- /* The file may not exist. And event if it exists, when stable_secret is unset,
+- * reading the file fails with EIO. */
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_EUI64;
+- else
+- ipv6ll_mode = IN6_ADDR_GEN_MODE_STABLE_PRIVACY;
+-
+- r = sd_netlink_message_append_u8(req, IFLA_INET6_ADDR_GEN_MODE, ipv6ll_mode);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not append IFLA_INET6_ADDR_GEN_MODE: %m");
+-
+- r = sd_netlink_message_close_container(req);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not close AF_INET6 container: %m");
+-
+- r = sd_netlink_message_close_container(req);
+- if (r < 0)
+- return log_link_error_errno(link, r, "Could not close IFLA_AF_SPEC container: %m");
+- }
+-
+ r = netlink_call_async(link->manager->rtnl, NULL, req, link_up_handler,
+ link_netlink_destroy_callback, link);
+ if (r < 0)
+@@ -3226,11 +3189,9 @@ static int link_configure(Link *link) {
+ if (r < 0)
+ return r;
+
+- if (socket_ipv6_is_supported()) {
+- r = link_configure_addrgen_mode(link);
+- if (r < 0)
+- return r;
+- }
++ r = link_configure_addrgen_mode(link);
++ if (r < 0)
++ return r;
+
+ return link_configure_after_setting_mtu(link);
+ }
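Review bot: The first commit in this file adds the `IFLA_INET6_ADDR_GEN_MODE` block to link_up() and the second deletes the whole `IFLA_AF_SPEC` container again, so the net change is that link_up() no longer sends any IPv6 attributes, including `IFLA_INET6_TOKEN`, and that the `socket_ipv6_is_supported()` check moves into link_configure_addrgen_mode(). The patch file has no header saying this, which makes the intermediate hunk read like live code; a leading comment such as `Net effect: link_up() sends no IFLA_AF_SPEC; addrgen mode is set only via link_configure_addrgen_mode()` would help. Whether a configured `ipv6_token` is still honoured afterwards depends on code outside the hunks, so that is worth confirming for users who set one. link_up(), link_configure() and link_configure_addrgen_mode() all continue outside the visible hunks.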
diff --git a/sys-apps/systemd/files/242-rdrand-ryzen.patch b/sys-apps/systemd/files/242-rdrand-ryzen.patch
new file mode 100644
index 000000000000..ec690c1b3f6c
--- /dev/null
+++ b/sys-apps/systemd/files/242-rdrand-ryzen.patch
@@ -0,0 +1,353 @@
+From d351699739471734666230ae3c6f9ba56ce5ce45 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 7 May 2019 16:18:13 -0400
+Subject: [PATCH 1/6] =?UTF-8?q?random-util:=20rename=20RANDOM=5FDONT=5FDRA?=
+ =?UTF-8?q?IN=20=E2=86=92=20RANDOM=5FMAY=5FFAIL?=
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The old flag name was a bit of a misnomer, as /dev/urandom cannot be
+"drained". Once it's initialized it's initialized and then is good
+forever. (Only /dev/random has a concept of 'draining', but we never use
+that, as it's an obsolete interface).
+
+The flag is still useful though, since it allows us to suppress accesses
+to the random pool while it is not initialized, as that trips up the
+kernel and it logs about any such attempts, which we really don't want.
+
+(cherry picked from commit 1a0ffa1e737e65312abac63dcf4b44e1ac0e1642)
+---
+ src/basic/random-util.c | 36 +++++++++++++++++++-----------------
+ src/basic/random-util.h | 4 ++--
+ 2 files changed, 21 insertions(+), 19 deletions(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index ca25fd2420..de29e07549 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -71,21 +71,22 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ bool got_some = false;
+ int r;
+
+- /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This call won't
+- * block, unless the RANDOM_BLOCK flag is set. If RANDOM_DONT_DRAIN is set, an error is returned if the random
+- * pool is not initialized. Otherwise it will always return some data from the kernel, regardless of whether
+- * the random pool is fully initialized or not. */
++ /* Gathers some randomness from the kernel (or the CPU if the RANDOM_ALLOW_RDRAND flag is set). This
++ * call won't block, unless the RANDOM_BLOCK flag is set. If RANDOM_MAY_FAIL is set, an error is
++ * returned if the random pool is not initialized. Otherwise it will always return some data from the
++ * kernel, regardless of whether the random pool is fully initialized or not. */
+
+ if (n == 0)
+ return 0;
+
+ if (FLAGS_SET(flags, RANDOM_ALLOW_RDRAND))
+- /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is not
+- * required, as we don't trust it (who does?). Note that we only do a single iteration of RDRAND here,
+- * even though the Intel docs suggest calling this in a tight loop of 10 invocations or so. That's
+- * because we don't really care about the quality here. We generally prefer using RDRAND if the caller
+- * allows us too, since this way we won't drain the kernel randomness pool if we don't need it, as the
+- * pool's entropy is scarce. */
++ /* Try x86-64' RDRAND intrinsic if we have it. We only use it if high quality randomness is
++ * not required, as we don't trust it (who does?). Note that we only do a single iteration of
++ * RDRAND here, even though the Intel docs suggest calling this in a tight loop of 10
++ * invocations or so. That's because we don't really care about the quality here. We
++ * generally prefer using RDRAND if the caller allows us to, since this way we won't upset
++ * the kernel's random subsystem by accessing it before the pool is initialized (after all it
++ * will kmsg log about every attempt to do so)..*/
+ for (;;) {
+ unsigned long u;
+ size_t m;
+@@ -153,12 +154,13 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ break;
+
+ } else if (errno == EAGAIN) {
+- /* The kernel has no entropy whatsoever. Let's remember to use the syscall the next
+- * time again though.
++ /* The kernel has no entropy whatsoever. Let's remember to use the syscall
++ * the next time again though.
+ *
+- * If RANDOM_DONT_DRAIN is set, return an error so that random_bytes() can produce some
+- * pseudo-random bytes instead. Otherwise, fall back to /dev/urandom, which we know is empty,
+- * but the kernel will produce some bytes for us on a best-effort basis. */
++ * If RANDOM_MAY_FAIL is set, return an error so that random_bytes() can
++ * produce some pseudo-random bytes instead. Otherwise, fall back to
++ * /dev/urandom, which we know is empty, but the kernel will produce some
++ * bytes for us on a best-effort basis. */
+ have_syscall = true;
+
+ if (got_some && FLAGS_SET(flags, RANDOM_EXTEND_WITH_PSEUDO)) {
+@@ -167,7 +169,7 @@ int genuine_random_bytes(void *p, size_t n, RandomFlags flags) {
+ return 0;
+ }
+
+- if (FLAGS_SET(flags, RANDOM_DONT_DRAIN))
++ if (FLAGS_SET(flags, RANDOM_MAY_FAIL))
+ return -ENODATA;
+
+ /* Use /dev/urandom instead */
+@@ -250,7 +252,7 @@ void pseudo_random_bytes(void *p, size_t n) {
+
+ void random_bytes(void *p, size_t n) {
+
+- if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_DONT_DRAIN|RANDOM_ALLOW_RDRAND) >= 0)
++ if (genuine_random_bytes(p, n, RANDOM_EXTEND_WITH_PSEUDO|RANDOM_MAY_FAIL|RANDOM_ALLOW_RDRAND) >= 0)
+ return;
+
+ /* If for some reason some user made /dev/urandom unavailable to us, or the kernel has no entropy, use a PRNG instead. */
+diff --git a/src/basic/random-util.h b/src/basic/random-util.h
+index 3e8c288d3d..148b6c7813 100644
+--- a/src/basic/random-util.h
++++ b/src/basic/random-util.h
+@@ -8,11 +8,11 @@
+ typedef enum RandomFlags {
+ RANDOM_EXTEND_WITH_PSEUDO = 1 << 0, /* If we can't get enough genuine randomness, but some, fill up the rest with pseudo-randomness */
+ RANDOM_BLOCK = 1 << 1, /* Rather block than return crap randomness (only if the kernel supports that) */
+- RANDOM_DONT_DRAIN = 1 << 2, /* If we can't get any randomness at all, return early with -EAGAIN */
++ RANDOM_MAY_FAIL = 1 << 2, /* If we can't get any randomness at all, return early with -ENODATA */
+ RANDOM_ALLOW_RDRAND = 1 << 3, /* Allow usage of the CPU RNG */
+ } RandomFlags;
+
+-int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled upwith pseudo random, if not enough is available */
++int genuine_random_bytes(void *p, size_t n, RandomFlags flags); /* returns "genuine" randomness, optionally filled up with pseudo random, if not enough is available */
+ void pseudo_random_bytes(void *p, size_t n); /* returns only pseudo-randommess (but possibly seeded from something better) */
+ void random_bytes(void *p, size_t n); /* returns genuine randomness if cheaply available, and pseudo randomness if not. */
+
+--
+2.22.0
+
+
+From 1f492b9ecc31aa3782f9ce82058d8fb72a5c323f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 7 May 2019 16:21:44 -0400
+Subject: [PATCH 2/6] random-util: use gcc's bit_RDRND definition if it exists
+
+(cherry picked from commit cc28145d51f62711fdc4b4c229aecd5778806419)
+---
+ src/basic/random-util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index de29e07549..205d5501e5 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -45,7 +45,12 @@ int rdrand(unsigned long *ret) {
+ return -EOPNOTSUPP;
+ }
+
+- have_rdrand = !!(ecx & (1U << 30));
++/* Compat with old gcc where bit_RDRND didn't exist yet */
++#ifndef bit_RDRND
++#define bit_RDRND (1U << 30)
++#endif
++
++ have_rdrand = !!(ecx & bit_RDRND);
+ }
+
+ if (have_rdrand == 0)
+--
+2.22.0
+
+
+From 6460c540e6183dd19de89b7f0672b3b47c4d41cc Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 7 May 2019 17:26:55 -0400
+Subject: [PATCH 3/6] random-util: hash AT_RANDOM getauxval() value before
+ using it
+
+Let's be a bit paranoid and hash the 16 bytes we get from getauxval()
+before using them. AFter all they might be used by other stuff too (in
+particular ASLR), and we probably shouldn't end up leaking that seed
+though our crappy pseudo-random numbers.
+
+(cherry picked from commit 80eb560a5bd7439103036867d5e09a5e0393e5d3)
+---
+ src/basic/random-util.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index 205d5501e5..40f1928936 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -28,6 +28,7 @@
+ #include "io-util.h"
+ #include "missing.h"
+ #include "random-util.h"
++#include "siphash24.h"
+ #include "time-util.h"
+
+ int rdrand(unsigned long *ret) {
+@@ -203,14 +204,19 @@ void initialize_srand(void) {
+ return;
+
+ #if HAVE_SYS_AUXV_H
+- /* The kernel provides us with 16 bytes of entropy in auxv, so let's
+- * try to make use of that to seed the pseudo-random generator. It's
+- * better than nothing... */
++ /* The kernel provides us with 16 bytes of entropy in auxv, so let's try to make use of that to seed
++ * the pseudo-random generator. It's better than nothing... But let's first hash it to make it harder
++ * to recover the original value by watching any pseudo-random bits we generate. After all the
++ * AT_RANDOM data might be used by other stuff too (in particular: ASLR), and we probably shouldn't
++ * leak the seed for that. */
+
+- auxv = (const void*) getauxval(AT_RANDOM);
++ auxv = ULONG_TO_PTR(getauxval(AT_RANDOM));
+ if (auxv) {
+- assert_cc(sizeof(x) <= 16);
+- memcpy(&x, auxv, sizeof(x));
++ static const uint8_t auxval_hash_key[16] = {
++ 0x92, 0x6e, 0xfe, 0x1b, 0xcf, 0x00, 0x52, 0x9c, 0xcc, 0x42, 0xcf, 0xdc, 0x94, 0x1f, 0x81, 0x0f
++ };
++
++ x = (unsigned) siphash24(auxv, 16, auxval_hash_key);
+ } else
+ #endif
+ x = 0;
+--
+2.22.0
+
+
+From 17d52f6320b45d1728af6007b4df4aaccc6fdaf4 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 7 May 2019 18:51:26 -0400
+Subject: [PATCH 4/6] random-util: rename "err" to "success"
+
+After all rdrand returns 1 on success, and 0 on failure, hence let's
+name this accordingly.
+
+(cherry picked from commit 328f850e36e86d14ab06d11fa8f2397e9575a7f9)
+---
+ src/basic/random-util.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index 40f1928936..7c64857592 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -35,7 +35,7 @@ int rdrand(unsigned long *ret) {
+
+ #if defined(__i386__) || defined(__x86_64__)
+ static int have_rdrand = -1;
+- unsigned char err;
++ uint8_t success;
+
+ if (have_rdrand < 0) {
+ uint32_t eax, ebx, ecx, edx;
+@@ -60,9 +60,9 @@ int rdrand(unsigned long *ret) {
+ asm volatile("rdrand %0;"
+ "setc %1"
+ : "=r" (*ret),
+- "=qm" (err));
+- msan_unpoison(&err, sizeof(err));
+- if (!err)
++ "=qm" (success));
++ msan_unpoison(&success, sizeof(sucess));
++ if (!success)
+ return -EAGAIN;
+
+ return 0;
+--
+2.22.0
+
+
+From a6c72245ba5ba688cd6544650b9c6e313b39b53e Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Wed, 8 May 2019 15:50:53 +0200
+Subject: [PATCH 5/6] util-lib: fix a typo in rdrand
+
+Otherwise, the fuzzers will fail to compile with MSan:
+```
+../../src/systemd/src/basic/random-util.c:64:40: error: use of undeclared identifier 'sucess'; did you mean 'success'?
+ msan_unpoison(&success, sizeof(sucess));
+ ^~~~~~
+ success
+../../src/systemd/src/basic/alloc-util.h:169:50: note: expanded from macro 'msan_unpoison'
+ ^
+../../src/systemd/src/basic/random-util.c:38:17: note: 'success' declared here
+ uint8_t success;
+ ^
+1 error generated.
+[80/545] Compiling C object 'src/basic/a6ba3eb@@basic@sta/process-util.c.o'.
+ninja: build stopped: subcommand failed.
+Fuzzers build failed
+```
+
+(cherry picked from commit 7f2cdceaed4d37c4e601e531c7d863fca1bd1460)
+---
+ src/basic/random-util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index 7c64857592..b8bbf2d418 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -61,7 +61,7 @@ int rdrand(unsigned long *ret) {
+ "setc %1"
+ : "=r" (*ret),
+ "=qm" (success));
+- msan_unpoison(&success, sizeof(sucess));
++ msan_unpoison(&success, sizeof(success));
+ if (!success)
+ return -EAGAIN;
+
+--
+2.22.0
+
+
+From 47eec0ae61c887cb8cc05ce8d49b8d151bc4ef25 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 10 May 2019 15:16:16 -0400
+Subject: [PATCH 6/6] random-util: eat up bad RDRAND values seen on AMD CPUs
+
+An ugly, ugly work-around for #11810. And no, we shouldn't have to do
+this. This is something for AMD, the firmware or the kernel to
+fix/work-around, not us. But nonetheless, this should do it for now.
+
+Fixes: #11810
+(cherry picked from commit 1c53d4a070edbec8ad2d384ba0014d0eb6bae077)
+---
+ src/basic/random-util.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/basic/random-util.c b/src/basic/random-util.c
+index b8bbf2d418..0561f0cb22 100644
+--- a/src/basic/random-util.c
++++ b/src/basic/random-util.c
+@@ -35,6 +35,7 @@ int rdrand(unsigned long *ret) {
+
+ #if defined(__i386__) || defined(__x86_64__)
+ static int have_rdrand = -1;
++ unsigned long v;
+ uint8_t success;
+
+ if (have_rdrand < 0) {
+@@ -59,12 +60,24 @@ int rdrand(unsigned long *ret) {
+
+ asm volatile("rdrand %0;"
+ "setc %1"
+- : "=r" (*ret),
++ : "=r" (v),
+ "=qm" (success));
+ msan_unpoison(&success, sizeof(success));
+ if (!success)
+ return -EAGAIN;
+
++ /* Apparently on some AMD CPUs RDRAND will sometimes (after a suspend/resume cycle?) report success
++ * via the carry flag but nonetheless return the same fixed value -1 in all cases. This appears to be
++ * a bad bug in the CPU or firmware. Let's deal with that and work-around this by explicitly checking
++ * for this special value (and also 0, just to be sure) and filtering it out. This is a work-around
++ * only however and something AMD really should fix properly. The Linux kernel should probably work
++ * around this issue by turning off RDRAND altogether on those CPUs. See:
++ * https://github.com/systemd/systemd/issues/11810 */
++ if (v == 0 || v == ULONG_MAX)
++ return log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
++ "RDRAND returned suspicious value %lx, assuming bad hardware RNG, not using value.", v);
++
++ *ret = v;
+ return 0;
+ #else
+ return -EOPNOTSUPP;
+--
+2.22.0
+
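Review bot: The filter added in patch 6/6 rejects only `0` and `ULONG_MAX`, so it is a heuristic for the one failure mode reported in issue #11810 and not a health test: a CPU that reports success while returning any other repeated value still passes. The comment above the check should say so, for example `/* Heuristic only: other stuck values are not detected, so keep rdrand() output away from anything that needs high-quality randomness. */`, which matches the rationale already given in genuine_random_bytes() for `RANDOM_ALLOW_RDRAND`. rdrand() also gains a new error code, `-EUCLEAN`, beside `-EAGAIN` and `-EOPNOTSUPP`; its callers are outside the hunks, so check that none of them treats only specific codes as failure. Patch 4/6 introduces `sizeof(sucess)`, which 5/6 corrects, so the series has to be applied as a whole.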
diff --git a/sys-apps/systemd/files/CVE-2019-6454.patch b/sys-apps/systemd/files/CVE-2019-6454.patch
deleted file mode 100644
index 97b7d635e7d6..000000000000
--- a/sys-apps/systemd/files/CVE-2019-6454.patch
+++ /dev/null
@@ -1,198 +0,0 @@
---- a/src/libsystemd/sd-bus/bus-internal.c
-+++ b/src/libsystemd/sd-bus/bus-internal.c
-@@ -45,7 +45,7 @@
- if (slash)
- return false;
-
-- return true;
-+ return (q - p) <= BUS_PATH_SIZE_MAX;
- }
-
- char* object_path_startswith(const char *a, const char *b) {
---- a/src/libsystemd/sd-bus/bus-internal.h
-+++ b/src/libsystemd/sd-bus/bus-internal.h
-@@ -333,6 +333,10 @@
-
- #define BUS_MESSAGE_SIZE_MAX (128*1024*1024)
- #define BUS_AUTH_SIZE_MAX (64*1024)
-+/* Note that the D-Bus specification states that bus paths shall have no size limit. We enforce here one
-+ * anyway, since truly unbounded strings are a security problem. The limit we pick is relatively large however,
-+ * to not clash unnecessarily with real-life applications. */
-+#define BUS_PATH_SIZE_MAX (64*1024)
-
- #define BUS_CONTAINER_DEPTH 128
-
---- a/src/libsystemd/sd-bus/bus-objects.c
-+++ b/src/libsystemd/sd-bus/bus-objects.c
-@@ -1134,7 +1134,8 @@
- const char *path,
- sd_bus_error *error) {
-
-- char *prefix;
-+ _cleanup_free_ char *prefix = NULL;
-+ size_t pl;
- int r;
-
- assert(bus);
-@@ -1150,7 +1151,12 @@
- return 0;
-
- /* Second, add fallback vtables registered for any of the prefixes */
-- prefix = alloca(strlen(path) + 1);
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-+
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- r = object_manager_serialize_path(bus, reply, prefix, path, true, error);
- if (r < 0)
-@@ -1346,6 +1352,7 @@
- }
-
- int bus_process_object(sd_bus *bus, sd_bus_message *m) {
-+ _cleanup_free_ char *prefix = NULL;
- int r;
- size_t pl;
- bool found_object = false;
-@@ -1370,9 +1377,12 @@
- assert(m->member);
-
- pl = strlen(m->path);
-- do {
-- char prefix[pl+1];
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-
-+ do {
- bus->nodes_modified = false;
-
- r = object_find_and_run(bus, m, m->path, false, &found_object);
-@@ -1499,9 +1509,15 @@
-
- n = hashmap_get(bus->nodes, path);
- if (!n) {
-- char *prefix;
-+ _cleanup_free_ char *prefix = NULL;
-+ size_t pl;
-+
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-
-- prefix = alloca(strlen(path) + 1);
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- n = hashmap_get(bus->nodes, prefix);
- if (n)
-@@ -2091,8 +2107,9 @@
- char **names) {
-
- BUS_DONT_DESTROY(bus);
-+ _cleanup_free_ char *prefix = NULL;
- bool found_interface = false;
-- char *prefix;
-+ size_t pl;
- int r;
-
- assert_return(bus, -EINVAL);
-@@ -2111,6 +2128,12 @@
- if (names && names[0] == NULL)
- return 0;
-
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-+
- do {
- bus->nodes_modified = false;
-
-@@ -2120,7 +2143,6 @@
- if (bus->nodes_modified)
- continue;
-
-- prefix = alloca(strlen(path) + 1);
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- r = emit_properties_changed_on_interface(bus, prefix, path, interface, true, &found_interface, names);
- if (r != 0)
-@@ -2252,7 +2274,8 @@
-
- static int object_added_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
- _cleanup_set_free_ Set *s = NULL;
-- char *prefix;
-+ _cleanup_free_ char *prefix = NULL;
-+ size_t pl;
- int r;
-
- assert(bus);
-@@ -2297,7 +2320,12 @@
- if (bus->nodes_modified)
- return 0;
-
-- prefix = alloca(strlen(path) + 1);
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-+
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- r = object_added_append_all_prefix(bus, m, s, prefix, path, true);
- if (r < 0)
-@@ -2436,7 +2464,8 @@
-
- static int object_removed_append_all(sd_bus *bus, sd_bus_message *m, const char *path) {
- _cleanup_set_free_ Set *s = NULL;
-- char *prefix;
-+ _cleanup_free_ char *prefix = NULL;
-+ size_t pl;
- int r;
-
- assert(bus);
-@@ -2468,7 +2497,12 @@
- if (bus->nodes_modified)
- return 0;
-
-- prefix = alloca(strlen(path) + 1);
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-+
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- r = object_removed_append_all_prefix(bus, m, s, prefix, path, true);
- if (r < 0)
-@@ -2618,7 +2652,8 @@
- const char *path,
- const char *interface) {
-
-- char *prefix;
-+ _cleanup_free_ char *prefix = NULL;
-+ size_t pl;
- int r;
-
- assert(bus);
-@@ -2632,7 +2667,12 @@
- if (bus->nodes_modified)
- return 0;
-
-- prefix = alloca(strlen(path) + 1);
-+ pl = strlen(path);
-+ assert(pl <= BUS_PATH_SIZE_MAX);
-+ prefix = new(char, pl + 1);
-+ if (!prefix)
-+ return -ENOMEM;
-+
- OBJECT_PATH_FOREACH_PREFIX(prefix, path) {
- r = interfaces_added_append_one_prefix(bus, m, prefix, path, interface, true);
- if (r != 0)
-
-
-
diff --git a/sys-apps/systemd/systemd-241-r2.ebuild b/sys-apps/systemd/systemd-241-r4.ebuild
index f1d8b6296e60..9ea26e0dc874 100644
--- a/sys-apps/systemd/systemd-241-r2.ebuild
+++ b/sys-apps/systemd/systemd-241-r4.ebuild
@@ -171,6 +171,9 @@ src_prepare() {
"${FILESDIR}"/241-version-dep.patch
"${FILESDIR}"/242-gcc-9.patch
"${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/241-wrapper-msan-unpoinson.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
)
if ! use vanilla; then
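Review bot: The order of the three added PATCHES entries matters, but nothing in the list says so. `242-rdrand-ryzen.patch`, shown earlier in this diff, carries `msan_unpoison(&success, sizeof(success));` as a context line in its second hunk, so it presumably applies to the 241 tree only after `241-wrapper-msan-unpoinson.patch` has introduced that call. I would add a comment above the first new entry, e.g. `# must precede 242-rdrand-ryzen.patch, which expects the msan_unpoison() call as context`. The file name also misspells "unpoison" as "unpoinson"; if it is renamed, the Manifest entry has to change with it. src_prepare() continues outside this hunk.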
@@ -217,6 +220,7 @@ meson_multilib_native_use() {
multilib_src_configure() {
local myconf=(
--localstatedir="${EPREFIX}/var"
+ -Dsupport-url="https://gentoo.org/support/"
-Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)"
diff --git a/sys-apps/systemd/systemd-242-r3.ebuild b/sys-apps/systemd/systemd-242-r6.ebuild
index 4af6fc44b6e6..ee5c06d520ae 100644
--- a/sys-apps/systemd/systemd-242-r3.ebuild
+++ b/sys-apps/systemd/systemd-242-r6.ebuild
@@ -11,7 +11,7 @@ else
MY_P=${PN}-${MY_PV}
S=${WORKDIR}/${MY_P}
SRC_URI="https://github.com/systemd/systemd/archive/v${MY_PV}/${MY_P}.tar.gz"
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86"
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 sparc ~x86"
fi
PYTHON_COMPAT=( python{3_5,3_6,3_7} )
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
-IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi gnutls http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb"
REQUIRED_USE="importd? ( curl gcrypt lzma )"
RESTRICT="!test? ( test )"
@@ -38,15 +38,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2:0= )
cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= )
curl? ( net-misc/curl:0= )
- dns-over-tls? (
- gnutls? ( >=net-libs/gnutls-3.5.3:0= )
- !gnutls? ( >=dev-libs/openssl-1.1.0:0= )
- )
+ dns-over-tls? ( >=net-libs/gnutls-3.5.3:0= )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
http? (
- >=net-libs/libmicrohttpd-0.9.33:0=
- gnutls? ( >=net-libs/gnutls-3.1.4:0= )
+ >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
+ >=net-libs/gnutls-3.1.4:0=
)
idn? (
libidn2? ( net-dns/libidn2:= )
@@ -67,6 +64,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
selinux? ( sys-libs/libselinux:0= )
xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )"
+# Newer linux-headers needed by ia64, bug #480218
+DEPEND="${COMMON_DEPEND}
+ >=sys-kernel/linux-headers-${MINKV}
+ gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
+"
+
# baselayout-2.2 has /run
RDEPEND="${COMMON_DEPEND}
>=sys-apps/baselayout-2.2
@@ -91,12 +94,6 @@ PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
policykit? ( sys-auth/polkit )
!vanilla? ( sys-apps/gentoo-systemd-integration )"
-# Newer linux-headers needed by ia64, bug #480218
-DEPEND="
- >=sys-kernel/linux-headers-${MINKV}
- gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
-"
-
BDEPEND="
app-arch/xz-utils:0
dev-util/gperf
@@ -174,6 +171,9 @@ src_prepare() {
"${FILESDIR}"/242-socket-util-flush-accept.patch
"${FILESDIR}"/242-wireguard-listenport.patch
"${FILESDIR}"/242-file-max.patch
+ "${FILESDIR}"/242-rdrand-ryzen.patch
+ "${FILESDIR}"/242-networkd-ipv6-token.patch
+ "${FILESDIR}"/242-network-domains.patch
)
if ! use vanilla; then
@@ -220,6 +220,7 @@ meson_multilib_native_use() {
multilib_src_configure() {
local myconf=(
--localstatedir="${EPREFIX}/var"
+ -Dsupport-url="https://gentoo.org/support/"
-Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)"
@@ -239,11 +240,11 @@ multilib_src_configure() {
-Daudit=$(meson_multilib_native_use audit)
-Dlibcryptsetup=$(meson_multilib_native_use cryptsetup)
-Dlibcurl=$(meson_multilib_native_use curl)
+ -Ddns-over-tls=$(meson_multilib_native_use dns-over-tls)
-Delfutils=$(meson_multilib_native_use elfutils)
-Dgcrypt=$(meson_use gcrypt)
-Dgnu-efi=$(meson_multilib_native_use gnuefi)
- -Dgnutls=$(meson_multilib_native_use gnutls)
- -Defi-libdir="${EPREFIX}/usr/$(get_libdir)"
+ -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
-Dmicrohttpd=$(meson_multilib_native_use http)
-Dimportd=$(meson_multilib_native_use importd)
-Dbzip2=$(meson_multilib_native_use importd)
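Review bot: With `-Dgnutls=` dropped in this hunk and `-Dopenssl=` dropped with the block removed in the next one, the visible part of `myconf` no longer pins which TLS library the build uses. Unless an entry outside these hunks sets them, the choice is left to meson's detection of whatever is installed in the build root. The crypto backend behind DNS-over-TLS, and whether gnutls is linked at all when both `dns-over-tls` and `http` are off, would then depend on the build host rather than on USE flags, which makes the resulting binaries harder to reproduce and audit. I would keep the backend explicit: at least `-Dopenssl=false` next to the new `-Ddns-over-tls=` line, and `-Dgnutls=` derived from the two flags that now pull gnutls in through COMMON_DEPEND. The same applies to the identical hunks in systemd-9999.ebuild; multilib_src_configure() starts and ends outside this hunk.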
@@ -301,15 +302,6 @@ multilib_src_configure() {
)
fi
- if multilib_is_native_abi && use dns-over-tls; then
- myconf+=(
- -Ddns-over-tls=true
- -Dopenssl=$(usex !gnutls true false)
- )
- else
- myconf+=( -Ddns-over-tls=false -Dopenssl=false )
- fi
-
meson_src_configure "${myconf[@]}"
}
@@ -351,9 +343,14 @@ multilib_src_install_all() {
# Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
- keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd
+ keepdir /etc/kernel/install.d
+ keepdir /etc/systemd/{network,user}
keepdir /etc/udev/{hwdb.d,rules.d}
- keepdir /var/log/journal/remote
+ keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
+ keepdir /usr/lib/{binfmt.d,modules-load.d}
+ keepdir /usr/lib/systemd/user-generators
+ keepdir /var/lib/systemd
+ rm -rf "${ED}"/var/log || die
# Symlink /etc/sysctl.conf for easy migration.
dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
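Review bot: `rm -rf "${ED}"/var/log || die` has no comment explaining why the whole directory is dropped from the image, and together with the removed `keepdir /var/log/journal/remote` it means the package no longer owns anything under /var/log. If the upstream install step was what created /var/log/journal (not visible in this hunk), fresh installs start without it, and with `Storage=auto` journald keeps logs across reboots only when that directory exists. That matters to anyone relying on the journal for audit or incident response. I would add a comment above the line, e.g. `# /var/log is not shipped by this package; /var/log/journal must be created separately for a persistent journal`, and consider an elog in pkg_postinst saying the same. The identical hunk in systemd-9999.ebuild needs the same comment; multilib_src_install_all() continues outside this hunk.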
@@ -438,7 +435,6 @@ pkg_postinst() {
enewgroup kvm 78
enewgroup render
enewgroup systemd-journal
- newusergroup systemd-bus-proxy
newusergroup systemd-coredump
newusergroup systemd-journal-gateway
newusergroup systemd-journal-remote
diff --git a/sys-apps/systemd/systemd-9999.ebuild b/sys-apps/systemd/systemd-9999.ebuild
index 201667ade310..27de1bc2e194 100644
--- a/sys-apps/systemd/systemd-9999.ebuild
+++ b/sys-apps/systemd/systemd-9999.ebuild
@@ -23,7 +23,7 @@ HOMEPAGE="https://www.freedesktop.org/wiki/Software/systemd"
LICENSE="GPL-2 LGPL-2.1 MIT public-domain"
SLOT="0/2"
-IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi gnutls http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb"
+IUSE="acl apparmor audit build cryptsetup curl dns-over-tls elfutils +gcrypt gnuefi http idn importd +kmod libidn2 +lz4 lzma nat pam pcre policykit qrcode +resolvconf +seccomp selinux +split-usr +sysv-utils test vanilla xkb"
REQUIRED_USE="importd? ( curl gcrypt lzma )"
RESTRICT="!test? ( test )"
@@ -38,15 +38,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
audit? ( >=sys-process/audit-2:0= )
cryptsetup? ( >=sys-fs/cryptsetup-1.6:0= )
curl? ( net-misc/curl:0= )
- dns-over-tls? (
- gnutls? ( >=net-libs/gnutls-3.5.3:0= )
- !gnutls? ( >=dev-libs/openssl-1.1.0:0= )
- )
+ dns-over-tls? ( >=net-libs/gnutls-3.5.3:0= )
elfutils? ( >=dev-libs/elfutils-0.158:0= )
gcrypt? ( >=dev-libs/libgcrypt-1.4.5:0=[${MULTILIB_USEDEP}] )
http? (
- >=net-libs/libmicrohttpd-0.9.33:0=
- gnutls? ( >=net-libs/gnutls-3.1.4:0= )
+ >=net-libs/libmicrohttpd-0.9.33:0=[epoll(+)]
+ >=net-libs/gnutls-3.1.4:0=
)
idn? (
libidn2? ( net-dns/libidn2:= )
@@ -67,6 +64,12 @@ COMMON_DEPEND=">=sys-apps/util-linux-2.30:0=[${MULTILIB_USEDEP}]
selinux? ( sys-libs/libselinux:0= )
xkb? ( >=x11-libs/libxkbcommon-0.4.1:0= )"
+# Newer linux-headers needed by ia64, bug #480218
+DEPEND="${COMMON_DEPEND}
+ >=sys-kernel/linux-headers-${MINKV}
+ gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
+"
+
# baselayout-2.2 has /run
RDEPEND="${COMMON_DEPEND}
>=sys-apps/baselayout-2.2
@@ -91,12 +94,6 @@ PDEPEND=">=sys-apps/dbus-1.9.8[systemd]
policykit? ( sys-auth/polkit )
!vanilla? ( sys-apps/gentoo-systemd-integration )"
-# Newer linux-headers needed by ia64, bug #480218
-DEPEND="
- >=sys-kernel/linux-headers-${MINKV}
- gnuefi? ( >=sys-boot/gnu-efi-3.0.2 )
-"
-
BDEPEND="
app-arch/xz-utils:0
dev-util/gperf
@@ -216,6 +213,7 @@ meson_multilib_native_use() {
multilib_src_configure() {
local myconf=(
--localstatedir="${EPREFIX}/var"
+ -Dsupport-url="https://gentoo.org/support/"
-Dpamlibdir="$(getpam_mod_dir)"
# avoid bash-completion dep
-Dbashcompletiondir="$(get_bashcompdir)"
@@ -235,11 +233,11 @@ multilib_src_configure() {
-Daudit=$(meson_multilib_native_use audit)
-Dlibcryptsetup=$(meson_multilib_native_use cryptsetup)
-Dlibcurl=$(meson_multilib_native_use curl)
+ -Ddns-over-tls=$(meson_multilib_native_use dns-over-tls)
-Delfutils=$(meson_multilib_native_use elfutils)
-Dgcrypt=$(meson_use gcrypt)
-Dgnu-efi=$(meson_multilib_native_use gnuefi)
- -Dgnutls=$(meson_multilib_native_use gnutls)
- -Defi-libdir="${EPREFIX}/usr/$(get_libdir)"
+ -Defi-libdir="${ESYSROOT}/usr/$(get_libdir)"
-Dmicrohttpd=$(meson_multilib_native_use http)
-Dimportd=$(meson_multilib_native_use importd)
-Dbzip2=$(meson_multilib_native_use importd)
@@ -297,15 +295,6 @@ multilib_src_configure() {
)
fi
- if multilib_is_native_abi && use dns-over-tls; then
- myconf+=(
- -Ddns-over-tls=true
- -Dopenssl=$(usex !gnutls true false)
- )
- else
- myconf+=( -Ddns-over-tls=false -Dopenssl=false )
- fi
-
meson_src_configure "${myconf[@]}"
}
@@ -347,9 +336,14 @@ multilib_src_install_all() {
# Preserve empty dirs in /etc & /var, bug #437008
keepdir /etc/{binfmt.d,modules-load.d,tmpfiles.d}
- keepdir /etc/systemd/{ntp-units.d,user} /var/lib/systemd
+ keepdir /etc/kernel/install.d
+ keepdir /etc/systemd/{network,user}
keepdir /etc/udev/{hwdb.d,rules.d}
- keepdir /var/log/journal/remote
+ keepdir "${rootprefix}"/lib/systemd/{system-sleep,system-shutdown}
+ keepdir /usr/lib/{binfmt.d,modules-load.d}
+ keepdir /usr/lib/systemd/user-generators
+ keepdir /var/lib/systemd
+ rm -rf "${ED}"/var/log || die
# Symlink /etc/sysctl.conf for easy migration.
dosym ../sysctl.conf /etc/sysctl.d/99-sysctl.conf
@@ -434,7 +428,6 @@ pkg_postinst() {
enewgroup kvm 78
enewgroup render
enewgroup systemd-journal
- newusergroup systemd-bus-proxy
newusergroup systemd-coredump
newusergroup systemd-journal-gateway
newusergroup systemd-journal-remote