From 9f6e99b2822079f5a8034a459025f08739421f9b Mon Sep 17 00:00:00 2001
From: h30032433
Date: Thu, 7 Dec 2023 11:14:00 +0800
Subject: [PATCH] sync community patches Make '+' exec prefix ignore PrivateTmp=yes
---
 ...ke-exec-prefix-ignore-PrivateTmp-yes.patch | 126 ++++++++++++++++++
 systemd.spec | 6 +-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch
diff --git a/backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch b/backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch
new file mode 100644
index 0000000..d5f5488
--- /dev/null
+++ b/backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch
@@ -0,0 +1,126 @@
+From ecf63c91025b1692d48886b57dae3896ab12c54c Mon Sep 17 00:00:00 2001
+From: Nate Jones
+Date: Fri, 28 Feb 2020 20:31:23 -0500
+Subject: [PATCH 1732/1760] execute: Make '+' exec prefix ignore
+PrivateTmp=yes
+
+The man pages state that the '+' prefix in Exec* directives should
+ignore filesystem namespacing options such as PrivateTmp. Now it does.
+
+This is very similar to #8842, just with PrivateTmp instead of
+PrivateDevices.
+Reference: https://github.com/systemd/systemd/commit/ecf63c91025b1692d48886b57dae3896ab12c54c
+Conflict: NA
+---
+ src/core/execute.c | 26 +++++++++----------
+ src/test/test-execute.c | 1 +
+ test/meson.build | 1 +
+ test/test-execute/exec-basic.service | 1 -
+ ...exec-privatetmp-disabled-by-prefix.service | 8 ++++++
+ 5 files changed, 23 insertions(+), 14 deletions(-)
+ create mode 100644 test/test-execute/exec-privatetmp-disabled-by-prefix.service
+
+diff --git a/src/core/execute.c b/src/core/execute.c
+index 4c90007..7e28870 100644
+--- a/src/core/execute.c
++++ b/src/core/execute.c
+@@ -2468,17 +2468,6 @@ static int apply_mount_namespace(
+ 
+ assert(context);
+ 
+- /* The runtime struct only contains the parent of the private /tmp,
+- * which is non-accessible to world users. Inside of it there's a /tmp
+- * that is sticky, and that's the one we want to use here. */
+-
+- if (context->private_tmp && runtime) {
+- if (runtime->tmp_dir)
+- tmp = strjoina(runtime->tmp_dir, "/tmp");
+- if (runtime->var_tmp_dir)
+- var = strjoina(runtime->var_tmp_dir, "/tmp");
+- }
+-
+ if (params->flags & EXEC_APPLY_CHROOT) {
+ root_image = context->root_image;
+ 
+@@ -2491,7 +2480,18 @@ static int apply_mount_namespace(
+ return r;
+ 
+ needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
+- if (needs_sandboxing)
++ if (needs_sandboxing) {
++ /* The runtime struct only contains the parent of the private /tmp,
++ * which is non-accessible to world users. Inside of it there's a /tmp
++ * that is sticky, and that's the one we want to use here. */
++
++ if (context->private_tmp && runtime) {
++ if (runtime->tmp_dir)
++ tmp = strjoina(runtime->tmp_dir, "/tmp");
++ if (runtime->var_tmp_dir)
++ var = strjoina(runtime->var_tmp_dir, "/tmp");
++ }
++
+ ns_info = (NamespaceInfo) {
+ .ignore_protect_paths = false,
+ .private_dev = context->private_devices,
+@@ -2502,7 +2502,7 @@ static int apply_mount_namespace(
+ .mount_apivfs = context->mount_apivfs,
+ .private_mounts = context->private_mounts,
+ };
+- else if (!context->dynamic_user && root_dir)
++ } else if (!context->dynamic_user && root_dir)
+ /*
+ * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
+ * sandbox info, otherwise enforce it, don't ignore protected paths and
+diff --git a/src/test/test-execute.c b/src/test/test-execute.c
+index 435ab39..91729f5 100644
+--- a/src/test/test-execute.c
++++ b/src/test/test-execute.c
+@@ -292,6 +292,7 @@ static void test_exec_privatetmp(Manager *m) {
+ 
+ test(__func__, m, "exec-privatetmp-yes.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
+ test(__func__, m, "exec-privatetmp-no.service", 0, CLD_EXITED);
++ test(__func__, m, "exec-privatetmp-disabled-by-prefix.service", can_unshare ? 0 : EXIT_FAILURE, CLD_EXITED);
+ 
+ unlink("/tmp/test-exec_privatetmp");
+ }
+diff --git a/test/meson.build b/test/meson.build
+index 36d9df7..0c1db57 100644
+--- a/test/meson.build
++++ b/test/meson.build
+@@ -108,6 +108,7 @@ test_data_files = '''
+ test-execute/exec-privatenetwork-yes.service
+ test-execute/exec-privatetmp-no.service
+ test-execute/exec-privatetmp-yes.service
++ test-execute/exec-privatetmp-disabled-by-prefix.service
+ test-execute/exec-protecthome-tmpfs-vs-protectsystem-strict.service
+ test-execute/exec-protectkernelmodules-no-capabilities.service
+ test-execute/exec-protectkernelmodules-yes-capabilities.service
+diff --git a/test/test-execute/exec-basic.service b/test/test-execute/exec-basic.service
+index ae4618c..60c5be6 100644
+--- a/test/test-execute/exec-basic.service
++++ b/test/test-execute/exec-basic.service
+@@ -10,7 +10,6 @@ ExecStart=touch /tmp/a ; /bin/sh -c 'touch /tmp/b' ; touch /tmp/c
+ ExecStart=test -f /tmp/a
+ ExecStart=!test -f /tmp/b
+ ExecStart=!!test -f /tmp/c
+-ExecStart=+test -f /tmp/c
+ ExecStartPost=rm /tmp/a /tmp/b /tmp/c
+ 
+ PrivateTmp=true
+diff --git a/test/test-execute/exec-privatetmp-disabled-by-prefix.service b/test/test-execute/exec-privatetmp-disabled-by-prefix.service
+new file mode 100644
+index 0000000..009e6be
+--- /dev/null
++++ b/test/test-execute/exec-privatetmp-disabled-by-prefix.service
+@@ -0,0 +1,8 @@
++[Unit]
++Description=Test for PrivateTmp=yes with prefix
++
++[Service]
++ExecStart=/bin/sh -x -c 'test ! -f /tmp/test-exec_privatetmp'
++ExecStart=+/bin/sh -x -c 'test -f /tmp/test-exec_privatetmp'
++Type=oneshot
++PrivateTmp=yes
+-- 
+2.19.1
+
diff --git a/systemd.spec b/systemd.spec
index 2f62f52..00bc3fe 100644
--- a/systemd.spec
+++ b/systemd.spec
@@ -16,7 +16,7 @@ Name: systemd
Url: https://www.freedesktop.org/wiki/Software/systemd
Version: 243
-Release: 64
+Release: 65
License: MIT and LGPLv2+ and GPLv2+
Summary: System and Service Manager
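Review bot: In the new side of the `@@ -2491,7 +2480,18 @@` hunk, `tmp` and `var` are now only computed inside `if (needs_sandboxing) {`, so the `} else if (!context->dynamic_user && root_dir)` branch (DynamicUser=no with RootDirectory=, sandboxing not applied) and any caller that runs a command without EXEC_APPLY_SANDBOXING also stop receiving the private /tmp, not just '+'-prefixed commands; the commit message covers only the '+' case, so either confirm against the callers that this is the intended scope or add a comment on the `if` such as `/* PrivateTmp= is applied only together with the rest of the sandbox; '+' commands and unsandboxed invocations see the host /tmp */`. The early `NULL` for `tmp`/`var` that the new placement relies on comes from their declaration, which lies outside the hunk and should be checked (apply_mount_namespace begins and ends outside the hunk). Because this backport changes runtime behaviour in a 243-based package — `ExecStart=+…` lines in a PrivateTmp=yes unit now operate on the host's shared /tmp instead of the unit's private one, exactly what the dropped `ExecStart=+test -f /tmp/c` assertion in exec-basic.service used to rely on — the systemd.spec changelog hunk should state that effect rather than only the patch file name, so operators can audit units whose privileged commands create files under /tmp.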
@@ -246,6 +246,7 @@ Patch0198: backport-unit-add-AF_ALG-to-systemd-networkd.service.patch
Patch0199: backport-Fix-generator-name-in-hibernate-resume-generator-s-d.patch
Patch0200: backport-udevadm-show-more-error-message-during-exporting-dat.patch
Patch0201: backport-udevd-don-t-kill-worker-in-manager_kill_workers-when.patch
+Patch0202: backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch
#openEuler
Patch9002: 1509-fix-journal-file-descriptors-leak-problems.patch
@@ -1653,6 +1654,9 @@ fi
%exclude /usr/share/man/man3/*
%changelog
+* Thu Dec 7 2023 huyubiao - 243-65
+- add backport-execute-Make-exec-prefix-ignore-PrivateTmp-yes.patch
+
* Wed Dec 6 2023 huyubiao - 243-64
- add backport-pstore-fix-use-after-free.patch backport-udev-also-logs-file-permission.patch