sys-apps/systemd: backport tmpfiles/udev permissions race fix

Closes: https://bugs.gentoo.org/911723
Signed-off-by: Sam James <sam@gentoo.org>

1 files changed, 88 insertions, 0 deletions

diff --git a/sys-apps/systemd/files/systemd-254-tmpfiles-udev.patch b/sys-apps/systemd/files/systemd-254-tmpfiles-udev.patch
new file mode 100644
index 000000000000..04dd166310c8
--- /dev/null
+++ b/sys-apps/systemd/files/systemd-254-tmpfiles-udev.patch
@@ -0,0 +1,88 @@
+https://bugs.gentoo.org/911723
+https://github.com/systemd/systemd/issues/28588
+https://github.com/systemd/systemd/issues/28653
+https://github.com/systemd/systemd/pull/28681
+
+(Skipped first commit as it was a revert of https://github.com/systemd/systemd/commit/a3d610998ad3b4c88224fe89a048a84dbceb652b.patc
+which wasn't in 254.)
+
+From 31845ef554877525dc4ff4f25ad11ad805ebf81c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sat, 5 Aug 2023 04:37:19 +0900
+Subject: [PATCH 2/4] unit: make udev rules take precesence over tmpfiles
+
+Without this change, there are no ordering between udevd and tmpfiles,
+and if tmpfiles is invoked later it may discard the permission set by
+udevd.
+
+Fixes an issue introduced by b42482af904ae0b94a6e4501ec595448f0ba1c06.
+
+Fixes #28588 and #28653.
+--- a/units/systemd-udevd.service.in
++++ b/units/systemd-udevd.service.in
+@@ -12,6 +12,7 @@ Description=Rule-based Manager for Device Events and Files
+ Documentation=man:systemd-udevd.service(8) man:udev(7)
+ DefaultDependencies=no
+ After=systemd-sysusers.service systemd-hwdb-update.service
++After=systemd-tmpfiles-setup-dev.service
+ Before=sysinit.target
+ ConditionPathIsReadWrite=/sys
+ 
+
+From b768379e8b494b025f41946205944a6f3a1a553f Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sat, 5 Aug 2023 04:52:16 +0900
+Subject: [PATCH 3/4] test: add short test for device node permission
+
+--- /dev/null
++++ b/test/units/testsuite-17.00.sh
+@@ -0,0 +1,18 @@
++#!/usr/bin/env bash
++# SPDX-License-Identifier: LGPL-2.1-or-later
++set -ex
++set -o pipefail
++
++# shellcheck source=test/units/util.sh
++. "$(dirname "$0")"/util.sh
++
++# Tests for issue #28588 and #28653.
++
++assert_in "systemd-tmpfiles-setup-dev.service" "$(systemctl show --property After --value systemd-udevd.service)"
++assert_in "systemd-udevd.service" "$(systemctl show --property Before --value systemd-tmpfiles-setup-dev.service)"
++
++if [[ -f /dev/vfio/vfio ]]; then
++   assert_in "crw-rw-rw-" "$(stat --format=%A /dev/vfio/vfio)"
++fi
++
++exit 0
+
+From 23acdb8d0b04d46ecdc88a45594135c321dbfd5b Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sat, 5 Aug 2023 05:03:16 +0900
+Subject: [PATCH 4/4] test: shorten timeout for 'udevadm monitor'
+
+The command should never finish, it is not necessary to wait so long.
+--- a/test/units/testsuite-17.10.sh
++++ b/test/units/testsuite-17.10.sh
+@@ -79,13 +79,13 @@ udevadm info -w /sys/class/net/$netdev
+ udevadm info --wait-for-initialization=5 /sys/class/net/$netdev
+ udevadm info -h
+ 
+-assert_rc 124 timeout 5 udevadm monitor
+-assert_rc 124 timeout 5 udevadm monitor -k
+-assert_rc 124 timeout 5 udevadm monitor -u
+-assert_rc 124 timeout 5 udevadm monitor -s net
+-assert_rc 124 timeout 5 udevadm monitor --subsystem-match net/$netdev
+-assert_rc 124 timeout 5 udevadm monitor -t systemd
+-assert_rc 124 timeout 5 udevadm monitor --tag-match hello
++assert_rc 124 timeout 1 udevadm monitor
++assert_rc 124 timeout 1 udevadm monitor -k
++assert_rc 124 timeout 1 udevadm monitor -u
++assert_rc 124 timeout 1 udevadm monitor -s net
++assert_rc 124 timeout 1 udevadm monitor --subsystem-match net/$netdev
++assert_rc 124 timeout 1 udevadm monitor -t systemd
++assert_rc 124 timeout 1 udevadm monitor --tag-match hello
+ udevadm monitor -h
+ 
+ udevadm settle
+