authorNicolas Iooss2021-04-19 21:02:27 +0200
committerNicolas Iooss2021-04-19 21:02:27 +0200
commit6b506e1cef38ccfe9ccb7a4dac67727b6d852085 (patch)
treeba20b937dc49dea72cf502f37cd009ec807e11b3
parent9eeb636bde8d972420daa792a3411a4bb940e5d8 (diff)
downloadaur-6b506e1cef38ccfe9ccb7a4dac67727b6d852085.tar.gz
systemd-selinux 248-5 update
-rw-r--r--.SRCINFO25
-rw-r--r--0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch78
-rw-r--r--PKGBUILD26
-rw-r--r--initcpio-install-systemd35
4 files changed, 119 insertions, 45 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 3660b9f957d1..8086803b6498 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,6 +1,6 @@
pkgbase = systemd-selinux
pkgver = 248
- pkgrel = 2
+ pkgrel = 5
url = https://www.github.com/systemd/systemd
arch = x86_64
groups = selinux
@@ -39,12 +39,14 @@ pkgbase = systemd-selinux
makedepends = systemd
makedepends = libfido2
makedepends = tpm2-tss
+ makedepends = rsync
makedepends = libselinux
options = strip
source = git+https://github.com/systemd/systemd-stable#tag=e13126bd95857eb9344e030edbb4c603aab63884?signed
source = git+https://github.com/systemd/systemd#tag=v248?signed
source = 0001-Use-Arch-Linux-device-access-groups.patch
source = 0002-Disable-SYSTEMD_URLIFY-by-default.patch
+ source = 0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch
source = initcpio-hook-udev
source = initcpio-install-systemd
source = initcpio-install-udev
@@ -68,8 +70,9 @@ pkgbase = systemd-selinux
sha512sums = SKIP
sha512sums = 882e486b6d88c8bafc50088845e41a49686e98981967f72ca1fb4ef07a01767400632f4b648fd31857d2a2a24a8fd65bcc2a8983284dd4fff2380732741d4c41
sha512sums = 313f3d6cc3d88f718509007e029213a82d84b196afdadc6ef560580acf70ab480aaecd7622f51726cc1af7d7841c6ec5390f72890b055a54fc74722341395651
+ sha512sums = 34541f1967536524329867f9f341f8d9250d9d771c60dc3e6a22ccb82fc01f103cfd3f9903329777591ccbecd2446622a5d6b3804fa0411482b85c70593ee8ad
sha512sums = f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73
- sha512sums = 1c8bdc6ecc3b755b0258faf4cbfac1b5bc25dbcd88c68cbb2ef1c41842ed349cdce84ce3f6f537845e49fab02cb5282504e1f97aa73c163fbc78997f9f00fc61
+ sha512sums = f599e1a35cba2c4e83e37c2299fac23ae128d8f68081283e71e1729384975dee1c4b677787f31a17890aeb98c8d2fc90405a202644290708ef9c027315022b17
sha512sums = a25b28af2e8c516c3a2eec4e64b8c7f70c21f974af4a955a4a9d45fd3e3ff0d2a98b4419fe425d47152d5acae77d64e69d8d014a7209524b75a81b0edb10bf3a
sha512sums = 61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648
sha512sums = c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5
@@ -129,12 +132,12 @@ pkgname = systemd-selinux
optdepends = systemd-sysvcompat: symlink package to provide sysvinit binaries
optdepends = polkit: allow administration as unprivileged user
optdepends = curl: machinectl pull-tar and pull-raw
- optdepends = libfido2: unlocking LUKS2 volumes
- optdepends = tpm2-tss: unlocking LUKS2 volumes
+ optdepends = libfido2: unlocking LUKS2 volumes with FIDO2 token
+ optdepends = tpm2-tss: unlocking LUKS2 volumes with TPM2
provides = nss-myhostname
provides = systemd-tools=248
provides = udev=248
- provides = systemd=248-2
+ provides = systemd=248-5
conflicts = nss-myhostname
conflicts = systemd-tools
conflicts = udev
@@ -148,6 +151,7 @@ pkgname = systemd-selinux
backup = etc/systemd/journal-upload.conf
backup = etc/systemd/logind.conf
backup = etc/systemd/networkd.conf
+ backup = etc/systemd/oomd.conf
backup = etc/systemd/pstore.conf
backup = etc/systemd/resolved.conf
backup = etc/systemd/sleep.conf
@@ -162,6 +166,7 @@ pkgname = systemd-libs-selinux
depends = glibc
depends = libcap
depends = libgcrypt
+ depends = libp11-kit
depends = lz4
depends = xz
depends = zstd
@@ -170,7 +175,7 @@ pkgname = systemd-libs-selinux
provides = libsystemd.so
provides = libudev.so
provides = libsystemd-selinux
- provides = systemd-libs=248-2
+ provides = systemd-libs=248-5
conflicts = libsystemd
conflicts = libsystemd-selinux
conflicts = systemd-libs
@@ -182,16 +187,16 @@ pkgname = systemd-resolvconf-selinux
depends = systemd-selinux
provides = openresolv
provides = resolvconf
- provides = systemd-resolvconf=248-2
+ provides = systemd-resolvconf=248-5
conflicts = openresolv
- conflicts = systemd-resolvconf=248-2
+ conflicts = systemd-resolvconf=248-5
pkgname = systemd-sysvcompat-selinux
pkgdesc = sysvinit compat for systemd with SELinux support
license = GPL2
depends = systemd-selinux
- provides = systemd-sysvcompat=248-2
- provides = selinux-systemd-sysvcompat=248-2
+ provides = systemd-sysvcompat=248-5
+ provides = selinux-systemd-sysvcompat=248-5
conflicts = sysvinit
conflicts = systemd-sysvcompat
conflicts = selinux-systemd-sysvcompat
diff --git a/0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch b/0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch
new file mode 100644
index 000000000000..57b9e4dfcae3
--- /dev/null
+++ b/0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch
@@ -0,0 +1,78 @@
+From 9021729667e019defea0d4c1bdf563d629d7d837 Mon Sep 17 00:00:00 2001
+From: Ernesto Castellotti <mail@ernestocastellotti.it>
+Date: Sat, 10 Apr 2021 18:59:14 +0200
+Subject: [PATCH] PARTIAL REVERT commit tree-wide: replace strverscmp() and
+ str_verscmp() with strverscmp_improved
+
+This is a workaround for the issue https://github.com/systemd/systemd/issues/19191
+---
+ src/boot/efi/boot.c | 49 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 48 insertions(+), 1 deletion(-)
+
+diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
+index 35248db009bf..75c7e2c61d19 100644
+--- a/src/boot/efi/boot.c
++++ b/src/boot/efi/boot.c
+@@ -914,6 +914,53 @@ static VOID config_entry_free(ConfigEntry *entry) {
+ FreePool(entry);
+ }
+
++static BOOLEAN is_digit(CHAR16 c) {
++ return (c >= '0') && (c <= '9');
++}
++static UINTN c_order(CHAR16 c) {
++ if (c == '\0')
++ return 0;
++ if (is_digit(c))
++ return 0;
++ else if ((c >= 'a') && (c <= 'z'))
++ return c;
++ else
++ return c + 0x10000;
++}
++static INTN str_verscmp(CHAR16 *s1, CHAR16 *s2) {
++ CHAR16 *os1 = s1;
++ CHAR16 *os2 = s2;
++ while (*s1 || *s2) {
++ INTN first;
++ while ((*s1 && !is_digit(*s1)) || (*s2 && !is_digit(*s2))) {
++ INTN order;
++ order = c_order(*s1) - c_order(*s2);
++ if (order != 0)
++ return order;
++ s1++;
++ s2++;
++ }
++ while (*s1 == '0')
++ s1++;
++ while (*s2 == '0')
++ s2++;
++ first = 0;
++ while (is_digit(*s1) && is_digit(*s2)) {
++ if (first == 0)
++ first = *s1 - *s2;
++ s1++;
++ s2++;
++ }
++ if (is_digit(*s1))
++ return 1;
++ if (is_digit(*s2))
++ return -1;
++ if (first != 0)
++ return first;
++ }
++ return StrCmp(os1, os2);
++}
++
+ static CHAR8 *line_get_key_value(
+ CHAR8 *content,
+ CHAR8 *sep,
+@@ -1478,7 +1525,7 @@ static INTN config_entry_compare(ConfigEntry *a, ConfigEntry *b) {
+ if (a->tries_left == 0 && b->tries_left != 0)
+ return -1;
+
+- r = strverscmp_improved(a->id, b->id);
++ r = str_verscmp(a->id, b->id);
+ if (r != 0)
+ return r;
+
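Review bot: In the restored `str_verscmp()`, `order = c_order(*s1) - c_order(*s2);` subtracts two `UINTN` values and stores the result in an `INTN`, so a negative ordering only comes out right through unsigned wraparound and the conversion back to a signed type. Declaring the helper as `static INTN c_order(CHAR16 c)` would make the signed difference explicit without changing the values it returns. The two pointer parameters are never written through and could be `const CHAR16 *`. A short comment above `c_order()` would also help, for example `/* NUL and digits rank 0, lowercase letters rank by code point, everything else is shifted above them */`.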
diff --git a/PKGBUILD b/PKGBUILD
index ab1f5c9b555e..b9cb5a77ef51 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -11,8 +11,9 @@
pkgbase=systemd-selinux
pkgname=('systemd-selinux' 'systemd-libs-selinux' 'systemd-resolvconf-selinux' 'systemd-sysvcompat-selinux')
_tag='e13126bd95857eb9344e030edbb4c603aab63884' # git rev-parse v${_tag_name}
-pkgver=248
-pkgrel=2
+_tag_name=248
+pkgver="${_tag_name/-/}"
+pkgrel=5
arch=('x86_64')
url='https://www.github.com/systemd/systemd'
groups=('selinux')
@@ -21,14 +22,15 @@ makedepends=('acl' 'cryptsetup' 'docbook-xsl' 'gperf' 'lz4' 'xz' 'pam-selinux' '
'libmicrohttpd' 'libxcrypt' 'libxslt' 'util-linux' 'linux-api-headers'
'python-lxml' 'quota-tools' 'shadow-selinux' 'gnu-efi-libs' 'git'
'meson' 'libseccomp' 'pcre2' 'audit' 'kexec-tools' 'libxkbcommon'
- 'bash-completion' 'p11-kit' 'systemd' 'libfido2' 'tpm2-tss' 'libselinux')
+ 'bash-completion' 'p11-kit' 'systemd' 'libfido2' 'tpm2-tss' 'rsync' 'libselinux')
options=('strip')
validpgpkeys=('63CDA1E5D3FC22B998D20DD6327F26951A015CC4' # Lennart Poettering <lennart@poettering.net>
'5C251B5FC54EB2F80F407AAAC54CA336CFEB557E') # Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
source=("git+https://github.com/systemd/systemd-stable#tag=${_tag}?signed"
- "git+https://github.com/systemd/systemd#tag=v${pkgver%.*}?signed"
+ "git+https://github.com/systemd/systemd#tag=v${_tag_name%.*}?signed"
'0001-Use-Arch-Linux-device-access-groups.patch'
'0002-Disable-SYSTEMD_URLIFY-by-default.patch'
+ '0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch'
'initcpio-hook-udev'
'initcpio-install-systemd'
'initcpio-install-udev'
@@ -49,9 +51,10 @@ source=("git+https://github.com/systemd/systemd-stable#tag=${_tag}?signed"
sha512sums=('SKIP'
'SKIP'
'882e486b6d88c8bafc50088845e41a49686e98981967f72ca1fb4ef07a01767400632f4b648fd31857d2a2a24a8fd65bcc2a8983284dd4fff2380732741d4c41'
- '313f3d6cc3d88f718509007e029213a82d84b196afdadc6ef560580acf70ab480aaecd7622f51726cc1af7d7841c6ec5390f72890b055a54fc74722341395651'
+ '313f3d6cc3d88f718509007e029213a82d84b196afdadc6ef560580acf70ab480aaecd7622f51726cc1af7d7841c6ec5390f72890b055a54fc74722341395651'
+ '34541f1967536524329867f9f341f8d9250d9d771c60dc3e6a22ccb82fc01f103cfd3f9903329777591ccbecd2446622a5d6b3804fa0411482b85c70593ee8ad'
'f0d933e8c6064ed830dec54049b0a01e27be87203208f6ae982f10fb4eddc7258cb2919d594cbfb9a33e74c3510cfd682f3416ba8e804387ab87d1a217eb4b73'
- '1c8bdc6ecc3b755b0258faf4cbfac1b5bc25dbcd88c68cbb2ef1c41842ed349cdce84ce3f6f537845e49fab02cb5282504e1f97aa73c163fbc78997f9f00fc61'
+ 'f599e1a35cba2c4e83e37c2299fac23ae128d8f68081283e71e1729384975dee1c4b677787f31a17890aeb98c8d2fc90405a202644290708ef9c027315022b17'
'a25b28af2e8c516c3a2eec4e64b8c7f70c21f974af4a955a4a9d45fd3e3ff0d2a98b4419fe425d47152d5acae77d64e69d8d014a7209524b75a81b0edb10bf3a'
'61032d29241b74a0f28446f8cf1be0e8ec46d0847a61dadb2a4f096e8686d5f57fe5c72bcf386003f6520bc4b5856c32d63bf3efe7eb0bc0deefc9f68159e648'
'c416e2121df83067376bcaacb58c05b01990f4614ad9de657d74b6da3efa441af251d13bf21e3f0f71ddcb4c9ea658b81da3d915667dc5c309c87ec32a1cb5a5'
@@ -95,6 +98,10 @@ prepare() {
# https://github.com/gwsw/less/issues/140
patch -Np1 -i ../0002-Disable-SYSTEMD_URLIFY-by-default.patch
+
+ # https://bugs.archlinux.org/task/70264
+ # https://github.com/systemd/systemd/issues/19191
+ patch -Np1 -i ../0003-PARTIAL-REVERT-commit-tree-wide-replace-strverscmp-and-str_verscmp-with-strverscmp_improved.patch
}
build() {
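Review bot: The two bug links added in `prepare()` do not say what the third patch changes or when it can be dropped. Since it is a downstream-only partial revert touching `src/boot/efi/boot.c`, a comment such as `# Restores the previous str_verscmp() ordering in systemd-boot's config_entry_compare(); drop once upstream resolves issue 19191` would tell the next packager what to check before a version bump. The patch file is pinned by its own `sha512sums` entry, so only the rationale is missing here.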
@@ -171,8 +178,8 @@ package_systemd-selinux() {
'systemd-sysvcompat: symlink package to provide sysvinit binaries'
'polkit: allow administration as unprivileged user'
'curl: machinectl pull-tar and pull-raw'
- 'libfido2: unlocking LUKS2 volumes'
- 'tpm2-tss: unlocking LUKS2 volumes')
+ 'libfido2: unlocking LUKS2 volumes with FIDO2 token'
+ 'tpm2-tss: unlocking LUKS2 volumes with TPM2')
backup=(etc/pam.d/systemd-user
etc/systemd/coredump.conf
etc/systemd/homed.conf
@@ -181,6 +188,7 @@ package_systemd-selinux() {
etc/systemd/journal-upload.conf
etc/systemd/logind.conf
etc/systemd/networkd.conf
+ etc/systemd/oomd.conf
etc/systemd/pstore.conf
etc/systemd/resolved.conf
etc/systemd/sleep.conf
@@ -247,7 +255,7 @@ package_systemd-selinux() {
package_systemd-libs-selinux() {
pkgdesc='systemd client libraries with SELinux support'
- depends=('glibc' 'libcap' 'libgcrypt' 'lz4' 'xz' 'zstd' 'libselinux')
+ depends=('glibc' 'libcap' 'libgcrypt' 'libp11-kit' 'lz4' 'xz' 'zstd' 'libselinux')
license=('LGPL2.1')
provides=('libsystemd' 'libsystemd.so' 'libudev.so'
'libsystemd-selinux'
diff --git a/initcpio-install-systemd b/initcpio-install-systemd
index c5b82b17d00b..05ccb904fa90 100644
--- a/initcpio-install-systemd
+++ b/initcpio-install-systemd
@@ -1,27 +1,21 @@
#!/bin/bash
-strip_quotes() {
- local len=${#1} quotes=$'[\'"]' str=${!1}
-
- if [[ ${str:0:1} = ${str: -1} && ${str:0:1} = $quotes ]]; then
- printf -v "$1" %s "${str:1:-1}"
- fi
-}
-
add_udev_rule() {
# Add an udev rules file to the initcpio image. Dependencies on binaries
# will be discovered and added.
# $1: path to rules file (or name of rules file)
- local rules= rule= key= value= binary=
+ local rules="$1" rule= key= value= binary=
- rules=$(PATH=/usr/lib/udev/rules.d:/lib/udev/rules.d type -P "$1")
+ if [[ ${rules:0:1} != '/' ]]; then
+ rules=$(PATH=/usr/lib/udev/rules.d:/lib/udev/rules.d type -P "$1")
+ fi
if [[ -z $rules ]]; then
# complain about not found rules
return 1
fi
- add_file "$rules"
+ add_file "$rules" /usr/lib/udev/rules.d/"${rules##*/}"
while IFS=, read -ra rule; do
# skip empty lines, comments
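Review bot: An absolute path in `$1` now skips the `type -P` lookup, so the `[[ -z $rules ]]` not-found branch can no longer fire for it and a missing file is passed straight to `add_file` and, presumably, to the read loop's input redirection further down. `add_file` is not shown here and may report the problem itself, but an explicit guard before it, `[[ -f $rules ]] || return 1`, keeps the failure at the point where the path is decided. The header comment could also state the new behaviour: `# $1: rules file name, or an absolute path (installed as /usr/lib/udev/rules.d/<basename>)`. The body of add_udev_rule continues outside this hunk.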
@@ -31,9 +25,10 @@ add_udev_rule() {
IFS=' =' read -r key value <<< "$pair"
case $key in
RUN@({program}|+)|IMPORT{program}|ENV{REMOVE_CMD})
- strip_quotes 'value'
+ # strip quotes
+ binary=${value//[\"\']/}
# just take the first word as the binary name
- binary=${value%% *}
+ binary=${binary%% *}
[[ ${binary:0:1} == '$' ]] && continue
if [[ ${binary:0:1} != '/' ]]; then
binary=$(PATH=/usr/lib/udev:/lib/udev type -P "$binary")
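Review bot: The `# strip quotes` comment understates what `binary=${value//[\"\']/}` does: it deletes every single and double quote anywhere in the value, whereas the removed `strip_quotes` only dropped a matching pair at both ends. For picking the first word this is harmless, but a reader comparing against the old helper will expect the narrower behaviour. I would word it as `# drop every quote character (not only an enclosing pair); only the first word is used below`. The `case` arm and the loop around it start and end outside this hunk.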
@@ -125,7 +120,6 @@ build() {
# udev rules and systemd units
map add_udev_rule "$rules" \
50-udev-default.rules \
- 60-fido-id.rules \
60-persistent-storage.rules \
64-btrfs.rules \
80-drivers.rules \
@@ -164,17 +158,6 @@ build() {
rescue.target \
emergency.target
- # add libraries dlopen()ed by systemd and its tools
- for LIB in fido2 tss2-{{esys,rc,mu},tcti-'*'}; do
- for FILE in $(find /usr/lib/ -maxdepth 1 -name "lib${LIB}.so*"); do
- if [[ -L "${FILE}" ]]; then
- add_symlink "${FILE}"
- else
- add_binary "${FILE}"
- fi
- done
- done
-
add_symlink "/usr/lib/systemd/system/default.target" "initrd.target"
add_symlink "/usr/lib/systemd/system/ctrl-alt-del.target" "reboot.target"
@@ -186,7 +169,7 @@ build() {
echo "root:x:0:0:root:/root:/bin/sh" >"$BUILDROOT/etc/passwd"
echo 'root:*:::::::' >"$BUILDROOT/etc/shadow"
- getent group root audio disk input kmem kvm lp optical render storage tty uucp video | awk -F: ' { print $1 ":x:" $3 ":" }' >"$BUILDROOT/etc/group"
+ getent group root audio disk input kmem kvm lp optical render sgx storage tty uucp video | awk -F: ' { print $1 ":x:" $3 ":" }' >"$BUILDROOT/etc/group"
add_dir "/etc/modules-load.d"
(