From: Clemens Gruber <clemens.gruber@pqgruber.com>
To: ptxdist@pengutronix.de
Cc: Clemens Gruber <clemens.gruber@pqgruber.com>
Subject: [ptxdist] [PATCH] systemd: backport fix for nss-resolve fallback
Date: Tue, 6 Jun 2017 16:36:41 +0200 [thread overview]
Message-ID: <20170606143643.23028-17-clemens.gruber@pqgruber.com> (raw)
In-Reply-To: <20170606143643.23028-1-clemens.gruber@pqgruber.com>
Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
---
...00-nss-resolve-drop-the-internal-fallback.patch | 200 +++++++++++++++++++++
patches/systemd-233/series | 3 +-
2 files changed, 202 insertions(+), 1 deletion(-)
create mode 100644 patches/systemd-233/0100-nss-resolve-drop-the-internal-fallback.patch
diff --git a/patches/systemd-233/0100-nss-resolve-drop-the-internal-fallback.patch b/patches/systemd-233/0100-nss-resolve-drop-the-internal-fallback.patch
new file mode 100644
index 000000000..4e69eb65a
--- /dev/null
+++ b/patches/systemd-233/0100-nss-resolve-drop-the-internal-fallback.patch
@@ -0,0 +1,200 @@
+From: Zbigniew Jedrzejewski-Szmek <zbyszek@in.waw.pl>
+Date: Fri, 12 May 2017 08:31:46 -0400
+Subject: [PATCH] nss-resolve: drop the internal fallback to libnss_dns (#5945)
+
+If we could not communicate with systemd-resolved, we would call into
+libnss_dns. libnss_dns would return NOTFOUND for stuff like "localhost" and
+other names resolved by nss-myhostname, which we would fall under the !UNAVAIL=
+condition and cause resolution to fail. So the following recommended
+configuration in nsswitch.conf would not work:
+
+ hosts: resolve [!UNAVAIL=return] dns myhostname
+
+Remove the internal fallback code completely so that the fallback logic
+can be configured in nsswitch.conf.
+
+Tested with
+ hosts: resolve [!UNAVAIL=return] myhostname
+and
+ hosts: resolve [!UNAVAIL=return] dns myhostname
+
+Fixes #5742.
+
+[cg: Back-ported to 233]
+Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
+
+---
+diff --git a/Makefile.am b/Makefile.am
+index e6b573587d..ab24ebaa61 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -5630,8 +5630,7 @@ libnss_resolve_la_LDFLAGS = \
+
+ libnss_resolve_la_LIBADD = \
+ libsystemd-internal.la \
+- libbasic.la \
+- -ldl
++ libbasic.la
+
+ rootlib_LTLIBRARIES += \
+ libnss_resolve.la
+diff --git a/src/nss-resolve/nss-resolve.c b/src/nss-resolve/nss-resolve.c
+index d155625e11..ec059d9586 100644
+--- a/src/nss-resolve/nss-resolve.c
++++ b/src/nss-resolve/nss-resolve.c
+@@ -17,7 +17,6 @@
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ ***/
+
+-#include <dlfcn.h>
+ #include <errno.h>
+ #include <netdb.h>
+ #include <nss.h>
+@@ -39,20 +38,6 @@ NSS_GETHOSTBYADDR_PROTOTYPES(resolve);
+
+ #define DNS_CALL_TIMEOUT_USEC (45*USEC_PER_SEC)
+
+-typedef void (*voidfunc_t)(void);
+-
+-static voidfunc_t find_fallback(const char *module, const char *symbol) {
+- void *dl;
+-
+- /* Try to find a fallback NSS module symbol */
+-
+- dl = dlopen(module, RTLD_LAZY|RTLD_NODELETE);
+- if (!dl)
+- return NULL;
+-
+- return dlsym(dl, symbol);
+-}
+-
+ static bool bus_error_shall_fallback(sd_bus_error *e) {
+ return sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
+ sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER) ||
+@@ -151,7 +136,7 @@ enum nss_status _nss_resolve_gethostbyname4_r(
+
+ r = sd_bus_open_system(&bus);
+ if (r < 0)
+- goto fallback;
++ goto fail;
+
+ r = sd_bus_message_new_method_call(
+ bus,
+@@ -179,13 +164,14 @@ enum nss_status _nss_resolve_gethostbyname4_r(
+ return NSS_STATUS_NOTFOUND;
+ }
+
+- if (bus_error_shall_fallback(&error))
+- goto fallback;
++ /* Return NSS_STATUS_UNAVAIL when communication with systemd-resolved fails,
++ allowing falling back to other nss modules. Treat all other error conditions as
++ NOTFOUND. This includes DNSSEC errors and suchlike. (We don't use UNAVAIL in this
++ case so that the nsswitch.conf configuration can distuingish such executed but
++ negative replies from complete failure to talk to resolved). */
++ if (!bus_error_shall_fallback(&error))
++ ret = NSS_STATUS_NOTFOUND;
+
+- /* Treat all other error conditions as NOTFOUND, and fail. This includes DNSSEC errors and
+- suchlike. (We don't use UNAVAIL in this case so that the nsswitch.conf configuration can distuingish
+- such executed but negative replies from complete failure to talk to resolved. */
+- ret = NSS_STATUS_NOTFOUND;
+ goto fail;
+ }
+
+@@ -286,17 +272,6 @@ enum nss_status _nss_resolve_gethostbyname4_r(
+
+ return NSS_STATUS_SUCCESS;
+
+-fallback:
+- {
+- _nss_gethostbyname4_r_t fallback;
+-
+- fallback = (_nss_gethostbyname4_r_t)
+- find_fallback("libnss_dns.so.2", "_nss_dns_gethostbyname4_r");
+-
+- if (fallback)
+- return fallback(name, pat, buffer, buflen, errnop, h_errnop, ttlp);
+- }
+-
+ fail:
+ *errnop = -r;
+ *h_errnop = NO_RECOVERY;
+@@ -339,7 +314,7 @@ enum nss_status _nss_resolve_gethostbyname3_r(
+
+ r = sd_bus_open_system(&bus);
+ if (r < 0)
+- goto fallback;
++ goto fail;
+
+ r = sd_bus_message_new_method_call(
+ bus,
+@@ -367,10 +342,9 @@ enum nss_status _nss_resolve_gethostbyname3_r(
+ return NSS_STATUS_NOTFOUND;
+ }
+
+- if (bus_error_shall_fallback(&error))
+- goto fallback;
++ if (!bus_error_shall_fallback(&error))
++ ret = NSS_STATUS_NOTFOUND;
+
+- ret = NSS_STATUS_NOTFOUND;
+ goto fail;
+ }
+
+@@ -484,16 +458,6 @@ enum nss_status _nss_resolve_gethostbyname3_r(
+
+ return NSS_STATUS_SUCCESS;
+
+-fallback:
+- {
+- _nss_gethostbyname3_r_t fallback;
+-
+- fallback = (_nss_gethostbyname3_r_t)
+- find_fallback("libnss_dns.so.2", "_nss_dns_gethostbyname3_r");
+- if (fallback)
+- return fallback(name, af, result, buffer, buflen, errnop, h_errnop, ttlp, canonp);
+- }
+-
+ fail:
+ *errnop = -r;
+ *h_errnop = NO_RECOVERY;
+@@ -540,7 +504,7 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
+
+ r = sd_bus_open_system(&bus);
+ if (r < 0)
+- goto fallback;
++ goto fail;
+
+ r = sd_bus_message_new_method_call(
+ bus,
+@@ -576,10 +540,9 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
+ return NSS_STATUS_NOTFOUND;
+ }
+
+- if (bus_error_shall_fallback(&error))
+- goto fallback;
++ if (!bus_error_shall_fallback(&error))
++ ret = NSS_STATUS_NOTFOUND;
+
+- ret = NSS_STATUS_NOTFOUND;
+ goto fail;
+ }
+
+@@ -674,17 +637,6 @@ enum nss_status _nss_resolve_gethostbyaddr2_r(
+
+ return NSS_STATUS_SUCCESS;
+
+-fallback:
+- {
+- _nss_gethostbyaddr2_r_t fallback;
+-
+- fallback = (_nss_gethostbyaddr2_r_t)
+- find_fallback("libnss_dns.so.2", "_nss_dns_gethostbyaddr2_r");
+-
+- if (fallback)
+- return fallback(addr, len, af, result, buffer, buflen, errnop, h_errnop, ttlp);
+- }
+-
+ fail:
+ *errnop = -r;
+ *h_errnop = NO_RECOVERY;
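Review bot: In `_nss_resolve_gethostbyname4_r`, `_nss_resolve_gethostbyname3_r` and `_nss_resolve_gethostbyaddr2_r`, the `goto fail` after a failed `sd_bus_open_system()` and the path where `bus_error_shall_fallback()` is true both return whatever `ret` was initialised to. That initialiser lies outside every hunk (the function bodies start and end outside them), so the UNAVAIL result promised by the new comment cannot be confirmed from this patch. Please check in the 233 tree that `ret` starts as `NSS_STATUS_UNAVAIL`, or make it explicit with `ret = NSS_STATUS_UNAVAIL;` before those jumps. The explanatory comment is only added in gethostbyname4_r; the other two functions would benefit from a short `/* leave ret at UNAVAIL so nsswitch.conf can fall through to the next module */`. With the built-in `dlopen()` of `libnss_dns.so.2` gone, a target whose `hosts:` line lists no module after `resolve` will presumably fail lookups whenever systemd-resolved is unreachable; the diffstat touches no nsswitch.conf, so the shipped `hosts:` line should be checked against the form in the commit message.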
diff --git a/patches/systemd-233/series b/patches/systemd-233/series
index 48057dddb..2f3aa9542 100644
--- a/patches/systemd-233/series
+++ b/patches/systemd-233/series
@@ -14,4 +14,5 @@
0011-missing-add-SMACK_MAGIC-EFIVARFS_MAGIC-BINFMTFS_MAGI.patch
0012-missing-define-PR_SET_MM.patch
#tag:upstream --start-number 100
-# 555c08880967c52b9852ca2f5dce5e35 - git-ptx-patches magic
+0100-nss-resolve-drop-the-internal-fallback.patch
+# aeeb8c856cfb6320185a980e3f2b37ec - git-ptx-patches magic
--
2.13.0