diff --git a/0001-Don-t-store-debug-messages-from-rtkit-daemon.patch b/0001-Don-t-store-debug-messages-from-rtkit-daemon.patch new file mode 100644 index 0000000000000000000000000000000000000000..e55758f268118cde0de4eac8b7b78b38739151f5 --- /dev/null +++ b/0001-Don-t-store-debug-messages-from-rtkit-daemon.patch @@ -0,0 +1,24 @@ +From 0ced1f81d7e14e042f0c300011659a3eae0df3c3 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Tue, 13 Aug 2024 21:09:57 +0200 +Subject: [PATCH] Don't store debug messages from rtkit-daemon + +--- + rtkit-daemon.service.in | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/rtkit-daemon.service.in b/rtkit-daemon.service.in +index d0dc786..7a80d33 100644 +--- a/rtkit-daemon.service.in ++++ b/rtkit-daemon.service.in +@@ -26,6 +26,7 @@ NotifyAccess=main + CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CHROOT CAP_SETGID CAP_SETUID + PrivateTmp=yes + PrivateNetwork=yes ++LogLevelMax=info + + [Install] + WantedBy=graphical.target +-- +2.45.2 + diff --git a/0001-Fix-borked-error-check.patch b/0001-Fix-borked-error-check.patch new file mode 100644 index 0000000000000000000000000000000000000000..46b759fcdf725cfa37f0d87828bbadfd1d82fe46 --- /dev/null +++ b/0001-Fix-borked-error-check.patch @@ -0,0 +1,22 @@ +From ef090ee5a913f2c68e0fbed2600bfe38dfe55029 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Sun, 24 Jan 2021 21:12:22 +0100 +Subject: [PATCH 1/2] Fix borked error check + +--- + rtkit-daemon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/rtkit-daemon.c b/rtkit-daemon.c +index 3ecc1f7840..a15e84f8f5 100644 +--- a/rtkit-daemon.c ++++ b/rtkit-daemon.c +@@ -1463,7 +1463,7 @@ static DBusHandlerResult dbus_handler(DBusConnection *c, DBusMessage *m, void *u + if (strcmp(interface, "org.freedesktop.RealtimeKit1") == 0) { + assert_se(r = dbus_message_new_method_return(m)); + +- if (!handle_dbus_prop_get(property, r) < 0) { ++ if (handle_dbus_prop_get(property, r) < 0) { + dbus_message_unref(r); + assert_se(r = dbus_message_new_error_printf( + m, diff --git a/0001-systemd-update-sd-daemon.-ch.patch b/0001-systemd-update-sd-daemon.-ch.patch new file mode 100644 index 0000000000000000000000000000000000000000..41195ed8c66fed91989b4686e4d681e02b0ac2fd --- /dev/null +++ b/0001-systemd-update-sd-daemon.-ch.patch @@ -0,0 +1,306 @@ +From 8c902327f91616af5e87fd2a6d4b7ea38bb3aa32 Mon Sep 17 00:00:00 2001 +From: Lennart Poettering +Date: Thu, 26 Sep 2013 21:53:49 +0200 +Subject: [PATCH] systemd: update sd-daemon.[ch] + +--- + sd-daemon.c | 100 +++++++++++++++++++++++----------------------------- + sd-daemon.h | 14 ++++---- + 2 files changed, 52 insertions(+), 62 deletions(-) + +diff --git a/sd-daemon.c b/sd-daemon.c +index 763e079b4e..485b301023 100644 +--- a/sd-daemon.c ++++ b/sd-daemon.c +@@ -25,18 +25,14 @@ + ***/ + + #ifndef _GNU_SOURCE +-#define _GNU_SOURCE ++# define _GNU_SOURCE + #endif + + #include + #include + #include + #include +-#ifdef __BIONIC__ +-#include +-#else +-#include +-#endif ++#include + #include + #include + #include +@@ -47,22 +43,22 @@ + #include + #include + +-#if defined(__linux__) +-#include ++#if defined(__linux__) && !defined(SD_DAEMON_DISABLE_MQ) ++# include + #endif + + #include "sd-daemon.h" + + #if (__GNUC__ >= 4) +-#ifdef SD_EXPORT_SYMBOLS ++# ifdef SD_EXPORT_SYMBOLS + /* Export symbols */ +-#define _sd_export_ __attribute__ ((visibility("default"))) +-#else ++# define _sd_export_ __attribute__ ((visibility("default"))) ++# else + /* Don't export the symbols */ +-#define _sd_export_ __attribute__ ((visibility("hidden"))) +-#endif ++# define _sd_export_ __attribute__ ((visibility("hidden"))) ++# endif + #else +-#define _sd_export_ ++# define _sd_export_ + #endif + + _sd_export_ int sd_listen_fds(int unset_environment) { +@@ -75,7 +71,8 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + char *p = NULL; + unsigned long l; + +- if (!(e = getenv("LISTEN_PID"))) { ++ e = getenv("LISTEN_PID"); ++ if (!e) { + r = 0; + goto finish; + } +@@ -83,12 +80,12 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + errno = 0; + l = strtoul(e, &p, 10); + +- if (errno != 0) { ++ if (errno > 0) { + r = -errno; + goto finish; + } + +- if (!p || *p || l <= 0) { ++ if (!p || p == e || *p || l <= 0) { + r = -EINVAL; + goto finish; + } +@@ -99,7 +96,8 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + goto finish; + } + +- if (!(e = getenv("LISTEN_FDS"))) { ++ e = getenv("LISTEN_FDS"); ++ if (!e) { + r = 0; + goto finish; + } +@@ -107,12 +105,12 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + errno = 0; + l = strtoul(e, &p, 10); + +- if (errno != 0) { ++ if (errno > 0) { + r = -errno; + goto finish; + } + +- if (!p || *p) { ++ if (!p || p == e || *p) { + r = -EINVAL; + goto finish; + } +@@ -120,7 +118,8 @@ _sd_export_ int sd_listen_fds(int unset_environment) { + for (fd = SD_LISTEN_FDS_START; fd < SD_LISTEN_FDS_START + (int) l; fd ++) { + int flags; + +- if ((flags = fcntl(fd, F_GETFD)) < 0) { ++ flags = fcntl(fd, F_GETFD); ++ if (flags < 0) { + r = -errno; + goto finish; + } +@@ -152,7 +151,6 @@ _sd_export_ int sd_is_fifo(int fd, const char *path) { + if (fd < 0) + return -EINVAL; + +- memset(&st_fd, 0, sizeof(st_fd)); + if (fstat(fd, &st_fd) < 0) + return -errno; + +@@ -162,7 +160,6 @@ _sd_export_ int sd_is_fifo(int fd, const char *path) { + if (path) { + struct stat st_path; + +- memset(&st_path, 0, sizeof(st_path)); + if (stat(path, &st_path) < 0) { + + if (errno == ENOENT || errno == ENOTDIR) +@@ -272,15 +269,13 @@ _sd_export_ int sd_is_socket(int fd, int family, int type, int listening) { + if (family < 0) + return -EINVAL; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + + if (family > 0) { +- union sockaddr_union sockaddr; +- socklen_t l; +- +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); ++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; +@@ -295,19 +290,17 @@ _sd_export_ int sd_is_socket(int fd, int family, int type, int listening) { + } + + _sd_export_ int sd_is_socket_inet(int fd, int family, int type, int listening, uint16_t port) { +- union sockaddr_union sockaddr; +- socklen_t l; ++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + int r; + + if (family != 0 && family != AF_INET && family != AF_INET6) + return -EINVAL; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); +- + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; + +@@ -340,16 +333,14 @@ _sd_export_ int sd_is_socket_inet(int fd, int family, int type, int listening, u + } + + _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *path, size_t length) { +- union sockaddr_union sockaddr; +- socklen_t l; ++ union sockaddr_union sockaddr = {}; ++ socklen_t l = sizeof(sockaddr); + int r; + +- if ((r = sd_is_socket_internal(fd, type, listening)) <= 0) ++ r = sd_is_socket_internal(fd, type, listening); ++ if (r <= 0) + return r; + +- memset(&sockaddr, 0, sizeof(sockaddr)); +- l = sizeof(sockaddr); +- + if (getsockname(fd, &sockaddr.sa, &l) < 0) + return -errno; + +@@ -360,10 +351,10 @@ _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *p + return 0; + + if (path) { +- if (length <= 0) ++ if (length == 0) + length = strlen(path); + +- if (length <= 0) ++ if (length == 0) + /* Unnamed socket */ + return l == offsetof(struct sockaddr_un, sun_path); + +@@ -383,7 +374,7 @@ _sd_export_ int sd_is_socket_unix(int fd, int type, int listening, const char *p + } + + _sd_export_ int sd_is_mq(int fd, const char *path) { +-#if !defined(__linux__) ++#if !defined(__linux__) || defined(SD_DAEMON_DISABLE_MQ) + return 0; + #else + struct mq_attr attr; +@@ -434,7 +425,8 @@ _sd_export_ int sd_notify(int unset_environment, const char *state) { + goto finish; + } + +- if (!(e = getenv("NOTIFY_SOCKET"))) ++ e = getenv("NOTIFY_SOCKET"); ++ if (!e) + return 0; + + /* Must be an abstract socket, or an absolute path */ +@@ -443,7 +435,8 @@ _sd_export_ int sd_notify(int unset_environment, const char *state) { + goto finish; + } + +- if ((fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0)) < 0) { ++ fd = socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0); ++ if (fd < 0) { + r = -errno; + goto finish; + } +@@ -513,18 +506,15 @@ _sd_export_ int sd_booted(void) { + #if defined(DISABLE_SYSTEMD) || !defined(__linux__) + return 0; + #else ++ struct stat st; + +- struct stat a, b; ++ /* We test whether the runtime unit file directory has been ++ * created. This takes place in mount-setup.c, so is ++ * guaranteed to happen very early during boot. */ + +- /* We simply test whether the systemd cgroup hierarchy is +- * mounted */ +- +- if (lstat("/sys/fs/cgroup", &a) < 0) +- return 0; +- +- if (lstat("/sys/fs/cgroup/systemd", &b) < 0) ++ if (lstat("/run/systemd/system/", &st) < 0) + return 0; + +- return a.st_dev != b.st_dev; ++ return !!S_ISDIR(st.st_mode); + #endif + } +diff --git a/sd-daemon.h b/sd-daemon.h +index fe51159ee6..daa3f4c857 100644 +--- a/sd-daemon.h ++++ b/sd-daemon.h +@@ -59,20 +59,20 @@ extern "C" { + You may find an up-to-date version of these source files online: + + http://cgit.freedesktop.org/systemd/systemd/plain/src/systemd/sd-daemon.h +- http://cgit.freedesktop.org/systemd/systemd/plain/src/sd-daemon.c ++ http://cgit.freedesktop.org/systemd/systemd/plain/src/libsystemd-daemon/sd-daemon.c + + This should compile on non-Linux systems, too, but with the + exception of the sd_is_xxx() calls all functions will become NOPs. + +- See sd-daemon(7) for more information. ++ See sd-daemon(3) for more information. + */ + + #ifndef _sd_printf_attr_ +-#if __GNUC__ >= 4 +-#define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) +-#else +-#define _sd_printf_attr_(a,b) +-#endif ++# if __GNUC__ >= 4 ++# define _sd_printf_attr_(a,b) __attribute__ ((format (printf, a, b))) ++# else ++# define _sd_printf_attr_(a,b) ++# endif + #endif + + /* diff --git a/format-security.patch b/format-security.patch new file mode 100644 index 0000000000000000000000000000000000000000..994bebf84d1eb4a45451241203ee12cdda1021f6 --- /dev/null +++ b/format-security.patch @@ -0,0 +1,13 @@ +diff -ruN rtkit-0.11.orig/Makefile.am rtkit-0.11/Makefile.am +--- rtkit-0.11.orig/Makefile.am 2017-05-12 12:56:52.245623657 -0400 ++++ rtkit-0.11/Makefile.am 2017-05-12 13:24:27.206304970 -0400 +@@ -18,6 +18,8 @@ + AM_CFLAGS = $(WARNINGFLAGS) $(PTHREAD_CFLAGS) + AM_LDFLAGS = $(GCLDFLAGS) + ++CFLAGS += -Wno-error=format-security ++ + ACLOCAL_AMFLAGS = -I m4 + + policykitdir = $(datadir)/polkit-1/actions/ +Binary files rtkit-0.11.orig/.Makefile.am.swp and rtkit-0.11/.Makefile.am.swp differ diff --git a/rtkit-controlgroup.patch b/rtkit-controlgroup.patch new file mode 100644 index 0000000000000000000000000000000000000000..7a36deeeae7b96fa9364bdeb7a063b998918ca9c --- /dev/null +++ b/rtkit-controlgroup.patch @@ -0,0 +1,14 @@ +diff --git rtkit-0.11/rtkit-daemon.service.in~ rtkit-0.11/rtkit-daemon.service.in +index 3dfefa6..d0dc786 100644 +--- rtkit-0.11/rtkit-daemon.service.in~ ++++ rtkit-0.11/rtkit-daemon.service.in +@@ -27,9 +27,5 @@ CapabilityBoundingSet=CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_PTRACE CAP_SYS_CH + PrivateTmp=yes + PrivateNetwork=yes + +-# Work around the fact that the Linux currently doesn't assign any RT +-# budget to CPU control groups that have none configured explicitly +-ControlGroup=cpu:/ +- + [Install] + WantedBy=graphical.target diff --git a/rtkit-mq_getattr.patch b/rtkit-mq_getattr.patch new file mode 100644 index 0000000000000000000000000000000000000000..2cb63c76e40cd502d6975b8814e89aa33933c57e --- /dev/null +++ b/rtkit-mq_getattr.patch @@ -0,0 +1,12 @@ +diff --git a/configure.ac b/configure.ac +index 5a77363..45721a5 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -112,6 +112,7 @@ CC="$PTHREAD_CC" + + AC_SEARCH_LIBS([sched_setscheduler], [rt]) + AC_SEARCH_LIBS([clock_gettime], [rt]) ++AC_SEARCH_LIBS([mq_getattr], [rt]) + AC_SEARCH_LIBS([cap_init], [cap]) + + PKG_CHECK_MODULES(DBUS, dbus-1) diff --git a/rtkit.spec b/rtkit.spec index a5d52a2cc70ef8a9d02e571aff7eb89bf7cc3a40..51f222dd2c9872a38e601b88dee8c1464930b74d 100644 --- a/rtkit.spec +++ b/rtkit.spec @@ -1,4 +1,4 @@ -%define anolis_release 4 +%define anolis_release 5 Summary: REALTIMEKIT Realtime Policy and Watchdog Daemon Name: rtkit @@ -9,13 +9,15 @@ Release: %{anolis_release}%{?dist} # The daemon itself is GPL3 licensed, and the client library is BSD licensed. License: GPLv3+ and BSD URL: http://git.0pointer.net/%{name}.git/ -Source0: https://0pointer.de/public/%{name}-%{version}.tar.xz +Source0: http://0pointer.de/public/rtkit-0.11.tar.xz +Source1: rtkit.sysusers BuildRequires: autoconf automake libtool make BuildRequires: dbus-devel >= 1.2 BuildRequires: libcap-devel BuildRequires: polkit-devel >= 0.92 BuildRequires: systemd-devel +BuildRequires: systemd-rpm-macros Requires: dbus Requires: polkit >= 0.92 @@ -30,6 +32,12 @@ Patch3: 0003-format-security.patch Patch4: 0004-Fix-borked-error-check.patch Patch5: 0005-systemd-update-sd-daemon.-ch.patch Patch6: 0006-Remove-bundled-copy-of-sd-daemon.-ch.patch +Patch7: format-security.patch +Patch8: 0001-Fix-borked-error-check.patch +Patch9: rtkit-controlgroup.patch +Patch10: 0001-systemd-update-sd-daemon.-ch.patch +Patch11: rtkit-mq_getattr.patch +Patch12: 0001-Don-t-store-debug-messages-from-rtkit-daemon.patch %description RealtimeKit is a D-Bus system service that changes the @@ -103,6 +111,13 @@ dbus-send --system --type=method_call --dest=org.freedesktop.DBus / org.freedesk %doc README rtkit.c rtkit.h %changelog +* Fri Sep 19 2025 wenyuzifang - 0.11-5 +- Ensure the build succeeds in hardened environments by preventing format-security warnings from failing compilation. +- Fix incorrect error handling to ensure proper detection of D-Bus property retrieval failures. +- Remove obsolete cgroup workaround to improve security and align with modern kernel and systemd practices. +- Improve code safety, portability, and reliability by applying upstream fixes and modern practices. +- Ensure proper linking with librt to avoid linker errors on systems requiring explicit rt library usage. +- Reduce log noise by suppressing debug messages to improve system logging clarity and efficiency. * Thu Jun 8 2023 Liwei Ge - 1:0.11-4 - fix useradd in pre script diff --git a/rtkit.sysusers b/rtkit.sysusers new file mode 100644 index 0000000000000000000000000000000000000000..83b292a32ebc6c1e02a91ff0571a4faf540ac21d --- /dev/null +++ b/rtkit.sysusers @@ -0,0 +1,2 @@ +#Type Name ID GECOS Home directory Shell +u rtkit 172 "RealtimeKit" / /sbin/nologin