nixpkgs/pkgs/os-specific/linux/systemd/0003-Start-device-units-for-uninitialised-encrypted-devic.patch
Eelco Dolstra e65ff3b72a systemd: Prevent privilege escalation via polkit
Cherry-picked from upstream.  Also applied a fix for the CPUShares
configuration option while I'm at it.

CVE-2013-4327
2013-09-30 13:30:15 +02:00

32 lines
1.6 KiB
Diff

From b288ca7d376e3a78368a2b59529ebe5ba812babf Mon Sep 17 00:00:00 2001
From: Eelco Dolstra <eelco.dolstra@logicblox.com>
Date: Tue, 8 Jan 2013 15:46:30 +0100
Subject: [PATCH 03/11] Start device units for uninitialised encrypted devices
This is necessary because the NixOS service that initialises the
filesystem depends on the appearance of the device unit. Also, this
makes more sense to me: the device is ready; it's the filesystem
that's not, but taking care of that is the responsibility of the mount
unit. (However, this ignores the fsck unit, so it's not perfect...)
---
rules/99-systemd.rules.in | 4 ----
1 file changed, 4 deletions(-)
diff --git a/rules/99-systemd.rules.in b/rules/99-systemd.rules.in
index d17bdd9..040b10e 100644
--- a/rules/99-systemd.rules.in
+++ b/rules/99-systemd.rules.in
@@ -14,10 +14,6 @@ KERNEL=="vport*", TAG+="systemd"
SUBSYSTEM=="block", KERNEL!="ram*|loop*", TAG+="systemd"
SUBSYSTEM=="block", KERNEL!="ram*|loop*", ENV{DM_UDEV_DISABLE_OTHER_RULES_FLAG}=="1", ENV{SYSTEMD_READY}="0"
-# Ignore encrypted devices with no identified superblock on it, since
-# we are probably still calling mke2fs or mkswap on it.
-SUBSYSTEM=="block", KERNEL!="ram*|loop*", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="0"
-
# Ignore raid devices that are not yet assembled and started
SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", TEST!="md/array_state", ENV{SYSTEMD_READY}="0"
SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", KERNEL=="md*", ATTR{md/array_state}=="|clear|inactive", ENV{SYSTEMD_READY}="0"
--
1.8.3.4