git-history.diyao.me Git - systemd/.git/log

shared/rm-rf: loop over nested directories instead of instead of recursing

To remove directory structures, we need to remove the innermost items first,
and then recursively remove higher-level directories. We would recursively
descend into directories and invoke rm_rf_children and rm_rm_children_inner.
This is problematic when too many directories are nested.

Instead, let's create a "TODO" queue. In the the queue, for each level we
hold the DIR* object we were working on, and the name of the directory. This
allows us to leave a partially-processed directory, and restart the removal
loop one level down. When done with the inner directory, we use the name to
unlinkat() it from the parent, and proceed with the removal of other items.

Because the nesting is increased by one level, it is best to view this patch
with -b/--ignore-space-change.

This fixes CVE-2021-3997, https://bugzilla.redhat.com/show_bug.cgi?id=2024639.
The issue was reported and patches reviewed by Qualys Team.
Mauro Matteo Cascella and Riccardo Schirone from Red Hat handled the disclosure.

(cherry picked from commit 5b1cf7a9be37e20133c0208005274ce4a5b5c6a1)
(cherry picked from commit 911516e1614e435755814ada5fc6064fa107a105)
(cherry picked from commit 6a28f8b55904c818b25e4db2e1511faac79fd471)
(cherry picked from commit c752f27b7647c99b4a17477c99d84fd8c950ddf0)

shared/rm_rf: refactor rm_rf() to shorten code a bit

(cherry picked from commit 84ced330020c0bae57bd4628f1f44eec91304e69)
(cherry picked from commit 664529efa9431edc043126013ea54e6c399ae2d3)
(cherry picked from commit 811b137d6137cc3e8932599e6ef9254ba43ff5eb)
(cherry picked from commit 39a53d4f1445a8981efd0adcc1734dfad46647c5)

shared/rm_rf: refactor rm_rf_children_inner() to shorten code a bit

(cherry picked from commit 3bac86abfa1b1720180840ffb9d06b3d54841c11)
(cherry picked from commit 47741ff9eae6311a03e4d3d837128191826a4a3a)
(cherry picked from commit 89395b63f04f1acc0db533c32637ea20379f97c0)
(cherry picked from commit 3976f244990aa1210ebe018647f32ab060e1c3d3)

tmpfiles: 'st' may have been used uninitialized

(cherry picked from commit 160dadc0350c77d612aa9d5569f57d9bc84c3dca)
(cherry picked from commit 7563de501246dccf5a9ea229933481aa1e7bd5c9)
(cherry picked from commit f54b97b1d05052bfee824ecc03ae9f07f6c37be8)

rm-rf: optionally fsync() after removing directory tree

(cherry picked from commit bdfe7ada0d4d66e6d6e65f2822acbb1ec230f9c2)
(cherry picked from commit 2426beacca09d84091759be45b25c88116302184)
(cherry picked from commit 0e180f8e9c25c707b0465ad1b9447a4360f785f1)

rm-rf: refactor rm_rf_children(), split out body of directory iteration loop

This splits out rm_rf_children_inner() as body of the loop. We can use
that to implement rm_rf_child() for deleting one specific entry in a
directory.

(cherry picked from commit 1f0fb7d544711248cba34615e43c5a76bc902d74)
(cherry picked from commit ca4a0e7d41f0b2a1fe2f99dbc3763187c16cf7ab)
(cherry picked from commit 85ccac3393e78d4bf2776ffb8c3a1d8a2a909a2a)

rm-rf: fstatat() might fail if containing dir has limited access mode, patch that too

(cherry picked from commit 1b55621dabf741dd963f59ac706ea62cd6e3e95c)

btrfs-util: add helper that abstracts "might be btrfs subvol?" check

Let#s not hardcode inode nr 256 everywhere, but abstract this check
slightly.

(cherry picked from commit 674b04ff1b6deab17f5d36c036c0275ba94e1ebc)

sd-dhcp6-client: ignore IAs whose IAID do not match client's IAID

But do not refuse whole message.

(cherry picked from commit 469fd57f181e2a8d93f01662418ca998e1239ea5)

meson.build: change operator combining bools from + to and

upstream meson stopped allowing combining boolean with the plus
operator, and now requires using the logical and operator

reference:
https://github.com/mesonbuild/meson/commit/43302d3296baff6aeaf8e03f5d701b0402e37a6c

Fixes: #20632
(cherry picked from commit c29537f39e4f413a6cbfe9669fa121bdd6d8b36f)

Drop bundled copy of linux/if_arp.h

As far as I can see, we use this to get a list of ARPHRD_* defines (used in
particular for Type= in .link files). If we drop our copy, and build against
old kernel headers, the user will have a shorter list of types available.  This
seems OK, and I don't think it's worth carrying our own version of this file
just to have newest possible entries.

7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd
have to update it every time the kernel adds new entries. But if we look at
the failure carefully:

src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’?
   65 | MCTP, ARPHRD_MCTP
      |                ^~
      |                ARPHRD_FCPP

we see that the list we were generating was from the system headers, so it was
only as good as the system headers anyway, without the newer entries in our
bundled copy, if there were any. So let's make things simpler by always using
system headers.

And if somebody wants to fix things so that we always have the newest list,
then we should just generate and store the converted list, not the full header.

(cherry picked from commit e7f46ee3ae1cc66a94b293957721d68dc09d7449)

basic/linux: Sync if_arp.h with Linux 5.14

ARPHRD_MCTP was added in 5.14. Sync if_arp.h to pick up the definition

Fixes #20694

(cherry picked from commit 7c5b9952c4f6e2b72f90edbe439982528b7cf223)

journal,network,timesync: fix segfault on 32bit timeval/timespec systems

Fixes #20741.

(cherry picked from commit f782eee68aea996c68b8cfeba5f288dae7fc876f)

timesync: check cmsg length

(cherry picked from commit 37df6d9b8d3a8b34bec5346766ab8093c0f0fc26)

socket-util: introduce CMSG_SPACE_TIMEVAL/TIMESPEC macro to support additional 64bit timeval or timespec

Fixes #20482 and #20564.

(cherry picked from commit 9365e296fe281da45797af89a97627e872fc019d)

icmp6: drop unnecessary assertion

Follow-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1.

(cherry picked from commit 6da22a2fa592cc908d26c732b537d8b4fc004280)

timesync: fix wrong type for receiving timestamp in nanoseconds

(cherry picked from commit 6f96bdc58746b1698bf8b3430a6c638f8949daec)

network: fix wrong flag: manage_foreign_routes -> manage_foreign_rules

Fixes a bug in d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff.

(cherry picked from commit 771a36439e955906290afc16a6fb3b10401892cf)

man: update description for ManageForeignRoutes=

(cherry picked from commit 3fe23a96d66e82ff8b08e6573093e391d62f5bd1)

network: introduce ManageForeignRoutingPolicyRules= boolean setting in networkd.conf

The commit 0b81225e5791f660506f7db0ab88078cf296b771 makes that networkd
remove all foreign rules except those with "proto kernel".

But, in some situation, people may want to manage routing policy rules
with other tools, e.g. 'ip' command. To support such the situation,
this introduce ManageForeignRoutingPolicyRules= boolean setting.

Closes #19106.

(cherry picked from commit d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff)

sd-netlink: always append new bridge FDB entries

This partially reverts 192a9d95ea3e058afd824d38a9cea16ad0a84a57 (#19432).

Fixes #20305.

(cherry picked from commit 74c1ab841fbad9d4f237c819577fcd1d46a072b6)
(cherry picked from commit 38388b95d71b7701922f90854ce568f74e11ed12)
(cherry picked from commit 2e27dd58a85c3e8bd9d0e7ff200a2e07f422743df)

mkosi: openSUSE update --bootable=no dependencies

Since we can build --bootable=no images without dracut->systemd, we need
to add systemd runtime dependencies explicitely.

(cherry picked from commit f2bb8857cd093eb9bd5e1dad6fb996a0a4463556)
(cherry picked from commit 731a4d9cd6bf471d22b6ac637e49dcd477a92ac6)
(cherry picked from commit 103dfac36b938ce12d33b6379758197e86a262d45)

man: describe veritysetup command syntax

It makes it easier to diagnose what the generated units actually do.

(cherry picked from commit d53285d551d883bb9f097eca0942e8c585e33470)
(cherry picked from commit 3cd5be0e2952548aea9b1cda7985e5bc1b65f4e2)
(cherry picked from commit 4c02e269003adbf364dd21d9806c178147bc16367)

veritysetup: print help for --help/-h/help

In general our commands print help on --help, but here this would trigger
the error that two arguments are needed. Let's make this more user-friendly.

(cherry picked from commit 5d5e43cc33637a12f743f17294cfbd3ede08a1b3)
(cherry picked from commit 8d9471cbca46115e6411b78abc5bc67390940cf1)
(cherry picked from commit e5715ab1c75a1b80c1a9a30f7d353b5fd09a93f2a)

Use correct `<poll.h>` include

* `<sys/poll.h>` is not specified in POSIX

(cherry picked from commit 2b6c0bb2a341c95223ce672249e43c743b03d78c)
(cherry picked from commit c15fc774d59c486adb81c7eb07fe58b2b3db86da)
(cherry picked from commit 5c9236971acc52455df51226996fbe71ecedc2f6f)

Use correct `<fcntl.h>` include

* `<sys/fcntl.h>` is not specified in POSIX

(cherry picked from commit f8d54f7810aeea5ff27a5db03e1aab7ea54c8268)
(cherry picked from commit d57080b6229b45802fed997bd53add0df4c7ec00)
(cherry picked from commit 43498df87dbf3cfca2198bdb0cbd832be1ff4738d)

test: correctly detect ASan on s390x

s390x uses BRAS(L) instead of CALL(Q), e.g.:

```
1009528: c0 e5 ff ff f8 a0 brasl %r14,1008668 <__asan_report_load1@plt>
10095f0: c0 e5 ff ff ea ec brasl %r14,1006bc8 <__asan_stack_malloc_4@plt>
10097f8: c0 e5 ff ff f8 f8 brasl %r14,10089e8 <__asan_report_load8@plt>
```

x86_64 for reference:

```
  4011f3: e8 48 fe ff ff        callq  401040 <__asan_report_load1@plt>
  401227: e8 24 fe ff ff        callq  401050 <__asan_report_load8@plt>
  401251: e8 da fd ff ff        callq  401030 <__asan_init@plt>
```

(cherry picked from commit 8bf79f05532162d19fe6ee211297cff81b4f9874)
(cherry picked from commit 5a6a08284d7ca89218d9e9ccfe44fce8898ef6bf)
(cherry picked from commit 365ed29af67a511c1a1bc427a54bbfe69a3ebc96b)

systemctl: allow set-property to be called with a glob pattern

We call "systemctl set-property … Markers=+needs-restart" and this should
also work for globs, e.g. "user@*.service" or "syncthing@*.service".

https://bugzilla.redhat.com/show_bug.cgi?id=1986258
(cherry picked from commit 23a0ffa59f9cb26c4b016c9fd1a3a70da2607f61)
(cherry picked from commit 2d7cda87690baacb98941b7653cae67a749571ef)
(cherry picked from commit f7d310092c1aa26344ba959e6902b167b961e8fe4)

seccomp: move sched_getaffinity() from @system-service to @default

See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739

In general, we shouldn't blanket move syscalls like this into @default,
given that glibc actually does have fallbacks, afaics. However, as
long as the syscalls are "read-only" and thus benign, I figure it's a
safe thing to do. But we should probably stick to a "if in doubt, don't"
rule, and put these syscalls in @system-service as default, but not into
@default.

I think in the real world @system-service is the sensible group people
should use, and not @default actually.

(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533)
(cherry picked from commit ee8564940b527cef6e643e6e41b6f0b5df375a37)
(cherry picked from commit bcdec4e0fc1744461d535091298d5da5b369ace0c)

seccomp: drop getrandom() from @system-service

It's included in @default now, since
14f4b1b568907350d023d1429c1aa4aaa8925f22, and since @system-service
pulls that in we can drop it from @system-service.

Follow-up for #20191

(cherry picked from commit 67347f37407489a68e12da8f75b78ae1d1168de9)
(cherry picked from commit 3eb4dc295ae9b853450e4823c8be7dbf8ccdbd43)
(cherry picked from commit cbae9c99952f2a422b7fc1112406f25e8cd9fdb5e)

networkd: Include linux/netdevice.h header

This header provides definitions for NET_NAME_UNKNOWN ånd NET_NAME_ENUM
Fixes build issue found with non-glibc systems

../git/src/network/networkd-link.c:1203:52: error: 'NET_NAME_UNKNOWN' undeclared (first use in this function)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2a0d07d6a0d5be63c6c10cb0789412f584858ec1)
(cherry picked from commit 369b2066e93e9a11fdfd3eb6fc7402ecd55fc7bd)
(cherry picked from commit 18535f62c126f38c7128c54780bcfd52eaa3461bc)

man: Fix incorrect EFI vendor UUID (last missing nibble)

(cherry picked from commit d2e84b601805ae89cf8cb1b383b30c7c97cac73d)
(cherry picked from commit 595d9965bb07c1f96e159d5be31504972c9d0754)
(cherry picked from commit aa7f0febcd1b2d444aabf11fd8b1ee885e36675ec)

malloc() uses getrandom now

glibc master uses getrandom in malloc since https://sourceware.org/git/?p=glibc.git;a=commit;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1 , getrandom should be in the default set so to avoid all non trivial programs to fallback to a PRNG.

(cherry picked from commit 14f4b1b568907350d023d1429c1aa4aaa8925f22)
(cherry picked from commit 1253d18af7449814bc882506b0fe3770311b3bc0)
(cherry picked from commit 381149c6e265a4e44cfe2bbba6a3cae2782874bd9)

machined-varlink: fix double free

Fixes: #18599
(cherry picked from commit feac9a1d1bf3f59adaa85f58b655ec01a111a29a)
(cherry picked from commit 1600b38cd2029533547f8c3d4abfa12911ca0630)
(cherry picked from commit 7f143dada7c0c9e230d4037043e213268c9b85f0)

basic/unit-name: do not use strdupa() on a path

The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacked controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

https://bugzilla.redhat.com/show_bug.cgi?id=1970887

The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turns uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.

(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
(cherry picked from commit 4a1c5f34bd3e1daed4490e9d97918e504d19733b)

shell-completion/zsh/_systemd-run: Fix completion of command names and arguments

(cherry picked from commit 3f49d1faf59acaa85aa5ad502c39b1a601d58d26)
(cherry picked from commit b511a441f3277750e68a14d8d7e6649c4f182b86)
(cherry picked from commit cb5564aea24d6d92716bdd0c06d1a2d7b91a1c71)

shared/format-table: allocate buffer of sufficient size

(cherry picked from commit 6dc57047ff0f1f9e98938ffb172dae06e6868b94)
(cherry picked from commit e6407ca25852dadec355df2e6fdc92d1f189bceb)
(cherry picked from commit d442b879abac5bcaf7756e53e304fd0ade36d49d)

systemctl: show error when help for unknown unit is requested

Fixes #20189. We would only log at debug level and return failure, which looks
like a noop for the user.

('help' accepts multiple arguments and will show multiple concatenated man
pages in that case. Actually, it will also show multiple concatenated man pages
if the Documentation= setting lists multiple pages. I don't think it's very
terribly useful, but, meh, I don't think we can do much better. If a user
requests a help for a two services, one known and one unknown, there'll now be
a line in the output. It's not very user friendly, but not exactly wrong too.)

(cherry picked from commit 75312ada5324d8adae3f3a0ed97f0acfc8b8bde5)
(cherry picked from commit 486412ad3bba4f1306597302cf66cc4858126243)
(cherry picked from commit ee0cf3ef6f522ee084ed987593f55c6c32097619)

hostnamed: correct variable with errno in fallback_chassis

fixes assertion failure on arm:

systemd-hostnamed[642]: Assertion '(_error) != 0' failed at src/hostname/hostnamed.c:207, function fallback_chassis(). Aborting.

(cherry picked from commit 105a4245ff13d588e1e848e8ee3cffd6185bd0ae)
(cherry picked from commit 4a44597bdd725f504ebd520b0deef7797dc46daa)

NEWS: add old entry about Type=ether

Apparently it's an important feature for some folks:
https://utcc.utoronto.ca/\~cks/space/blog/linux/NetworkdMACMatchesWidely.
I think we considered this more of a bugfix, but it's somewhere on the border.
Let's add this it's easier to discover.

(cherry picked from commit 88b2a95064675c5f86648053cf124265f5289095)
(cherry picked from commit 3cb75aecc0a5facf2e057ea56d2334ebd3ee2761)

tmpfiles: fix borked assert

It seems that fd_set_perms() is always called after checking that
fd >= 0 (also when called as action() in glob_item_recursively()),
so it seems that the assertion really came from fd==0.

Fixes #20140.

Also three other similar cases are updated.

(cherry picked from commit b4b0f87c6275dde32769c2e75231caa1d4c21f9b)
(cherry picked from commit 1dcecfc50b6c4db3b76b81765403f84c06ecf225)

udev: Fix by-uuid symlink for ubifs volumes

ubifs volumes have a UUID and the built-in blkid is able to determine
it.  The disk/by-uuid symlink isn't created because ubifs volumes are
not on block devices but on SUBSYSTEM="ubi" devices.  See #20071.

Allow ubi subsystem devices to be processed by the persistent storage
rules too.  The kernel device name matching already allows ubi* to pass.
The existing rules are sufficient to create the link.

The links look like other by-uuid symlinks, for example:
/dev/disk/by-uuid/9a136158-585b-4ba4-9b70-cbaf2cf78a1c -> ../../ubi0_1

(cherry picked from commit 21ac7884e9c1684d091d893254bcbe4b83740e9f)
(cherry picked from commit 15bd27b06c67e94541e3376d3d482f4f849f5aff)

Revert "rules: ubi mtd - add link to named partitions"

This reverts commit 7f1e9c806b6915e8020cf3706dc87e1cd37bc2fa, PR #6750

Apparently the rule change never worked, see #20071.

Fixes #20071

(cherry picked from commit 4b6bc397b454f79006481c1e8507d85c5bfd2e9a)
(cherry picked from commit 7e558b501783757f63b9c93edce43239a5178611)

core: add comment explaining event source deallocation

Followup for bc989831e6. The original reproducer still works w/o the unref,
and doesn't work with this change.

(cherry picked from commit 13bb1ffb912cacea4041910e38674e0984ac5772)
(cherry picked from commit d82da0f04f6ebe7044f4c33b9067c17c909a8d5d)

core: add default descriptions for slices

[  OK  ] Created slice system-getty.slice (Slice /system/getty).
[  OK  ] Created slice system-modprobe.slice (Slice /system/modprobe).
[  OK  ] Created slice system-sshd\x2dkeygen.slice (Slice /system/sshd-keygen).
[  OK  ] Created slice user.slice (User and Session Slice).

Before, the first three slices were shown without any description which didn't
look nice.

(cherry picked from commit 4dd21726f852010aef17e9b952b4bb1646fdf496)
(cherry picked from commit 0b0d80d96009e10ce36d683b7991829a2cfca67c)

core/service: rework management of exec_fd event source

The code in service_spawn() was written as if exec_fd_event_source
was always unset. (We would either fail the assertion that is moved in the
patch, or leak the event source object if it was set.)

To make this work, let's always assert that exec_fd_event_source is unset,
and actually unset it service_sigchld_event(). I think this is the most
elegant approach. The problem is that we don't have the same information
about execution flags as in service_spawn(), so we need to conditionalize
on pid==main_pid to know if we should disable exec_fd_event_source.
I think this matches all cases where we may set exec_fd_event_source:
service_enter_start() and service_run_next_main().

service_enter_stop_post() calls service_set_state(), which will also destroy
the source. But that happens too late, because from service_enter_stop_post()
we call service_spawn() first, and then service_set_state() second.

(An alternative approach would be to deallocate the existing
exec_fd_event_source in service_spawn(). But this would mean that we would
temporarily have an event source attached to a process that we already know is
dead, which seems less than ideal.)

Original report from Dimitri John Ledkov <dimitri.ledkov@canonical.com>:
> Ubuntu private bug reference for this issue at the moment is
> https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1921145

> Michael's and Ian's team run into an issue when using systemd in the
> initrd, without dbus daemon running, and launching a unit in a
> particular way that appears to lock up systemd (pid 1) it self.

> michael vogt: "The attached script works for me to reproduce this on
> classic. I tested 20.04 (245) and 21.04 (247) in a qemu VM. Sometimes
> I need to run it multiple times but usually it crashes after at most 2
> runs. Use "journalctl | tail" to see the messages, it's the same that
> Ian reported. There is also a /var/crash/_usr_lib_systemd_systemd
> crash file created."

> I understand that the particular way to run a unit is very odd,
> however, it is currently possible to invoke, and it would be expected
> for pid1 to not lock up and crash.

> The Assertion that systemd hits is along the lines of:

> [ 10.182627] systemd[1]: Assertion 's' failed at
> src/core/service.c:3204, function service_dispatch_exec_io().
> Aborting.
> [ 10.195458] systemd[1]: Caught <ABRT>, dumped core as pid 449.
> [ 10.204446] systemd[1]: Freezing execution.

(cherry picked from commit bc989831e634123c2ff43bcbbeae19097ccc9ff9)
(cherry picked from commit 493c5c7bab9713afcd647dada885bed68b9d3cf3)

core: disable event sources before unreffing them

This mirrors the change done for systemd-resolved in
97935302283729c9206b84f5e00b1aff0f78ad19. Quoting that patch:

> We generally operate on the assumption that a source is "gone" as soon as we
> unref it. This is generally true because we have the only reference. But if
> something else holds the reference, our unref doesn't really stop the source
> and it could fire again.

In particular, we take temporary references from sd-event code, and when called
from an sd-event callback, we could temporarily see this elevated reference
count. This patch doesn't seem to change anything, but I think it's nicer to do
the same change as in other places and not rely on _unref() immediately
disabling the source.

(cherry picked from commit 5dcadb4c8320f6a7b8a9353404874d43668e4648)
(cherry picked from commit 67782e10f0dd0f2feeb036aa4380fa5c6c55aaea)

resolved: do not try to copy empty NSEC types bitmaps

dns_resource_record_copy() assumes that NSEC types bitmap is non-empty
which results in a null pointer dereference inside bitmap_copy() in some
cases. Fix this by calling bitmap_copy() conditionally.

(cherry picked from commit 1f00a50c695fe3b55dee38fbd02a902a6c703c87)
(cherry picked from commit fc7be6db131a5062dde76ee7857c2f91e1c402cb)

dbus-socket: fix check of Listen* arguments

We checked the wrong field, which was always NULL here, so we would always
reject the assignment. We would also print the wrong string in the error
message:

$ sudo systemd-run --socket-property ListenFIFO=/tmp/fifo3 cat
Failed to start transient socket unit: Invalid socket path: FIFO

(cherry picked from commit aeecab3804aae973577f36880af4b7799e4eb7d5)
(cherry picked from commit 78fb13b38572f6649f1e9822ef6acb8ca4952c12)

resolvectl: Only strip ifname suffixes when being resolvconf

Only treat interface names containing dots specially when resolvectl is
pretending to be resolvconf to fix
https://github.com/systemd/systemd/issues/20014 .

Move the special suffix-stripping behaviour of ifname_mangle out to the
new ifname_resolvconf_mangle to be called from resolvconf only.

(cherry picked from commit 7875170f01991a1d28cfe284cc7075630cd69055)
(cherry picked from commit 6ec5680beaa8df4b4b87e9aa614d29561c0e98fe)

docs: update autofs Kconfig name

(cherry picked from commit 0c651d32d49e66ea0152eea5e65dd19fe01e7a06)
(cherry picked from commit b6811758288fd53266028885d46f5a5f7d8c49a7)

sd-journal: add missing bracket in journal verify log message

(cherry picked from commit 6abd991c718dbc1480ab7e71103a8b3e886bd3a3)
(cherry picked from commit 3dabd7f816fa0465c08745ce76f459c4c2a7c3d5)

sd-dhcp-client: tentatively ignore FORCERENEW command

This makes DHCP client ignore FORCERENEW requests, as unauthenticated
FORCERENEW requests causes a security issue (TALOS-2020-1142, CVE-2020-13529).

Let's re-enable this after RFC3118 (Authentication for DHCP Messages)
and/or RFC6704 (Forcerenew Nonce Authentication) are implemented.

Fixes #16774.

(cherry picked from commit 38e980a6a5a3442c2f48b1f827284388096d8ca5)
(cherry picked from commit 3ec1234d1e3195849088b2a3c70fbdefebeadc35)

completion: fix 'unbound variables' errors

Fixes https://github.com/systemd/systemd/issues/19987

(cherry picked from commit 36ec026830c6978be8bd39f3c6d1d7822495e07f)
(cherry picked from commit fe13c0bd40bc5ccdda61b8b474194920543a617b)

completion/systemd-delta,-resolve: autocomplete with parameters

(cherry picked from commit 6a0667d2b6f05682c2ced1b53132274049b9ea5c)
(cherry picked from commit 0aed618942b0bcc5946d15c91f3518fc5024789a)

time-util: don't use plural units indiscriminately

format_timestamp_relative currently returns the plural form of
years and months no matter the quantity, and in many cases (for
durations > 1 week) this is the same with days.

This patch changes this so that the function takes the quantity into account,
returning "1 month 1 week ago" instead of "1 months 1 weeks ago".

(cherry picked from commit 45eb4d2261ed0d943fd503a6d79ee3b7b7558c09)
(cherry picked from commit e74329ce9fa7ccb025960f9b220dff9e556a80e5)

shell-completion: revert c1072f6473bafa063cbf700c86524083d2857031
fixing https://github.com/systemd/systemd/issues/19689

(cherry picked from commit 682e043c42fe3ac0fee4ce727458aaeb0e638589)
(cherry picked from commit 2683e7a16024506b203092208ca1d28b953a111a)

core/service: fix assertion when Type=dbus but BusName= is not specified

Fixes #19920.

(cherry picked from commit 0f97b7c338bb7440572c454558efb8fee395896a)
(cherry picked from commit 455713ce7061afa6db68e72c93c061335dd941df)

core: Avoid spurious realization of unit cgroups

Cgroups may be unnecessarily realized when they are not needed. This
happens, e.g. for mount units parsed from /proc/$PID/mountinfo, check

        touch /run/ns_mount
        unshare -n sh -c "mount --bind /proc/self/ns/net /run/ns_mount"
        # no cgroup exists
        file /sys/fs/cgroup/system.slice/run-ns_mount.mount
        systemctl daemon-reload
        # the vain cgroup exists
        file /sys/fs/cgroup/system.slice/run-ns_mount.mount

. (Such cgroups can account to a large number with many similar mounts.)

The code already accounts for "lazy" realization (see various checks for
Unit.cgroup_realized) but the unit_deserialize() in the reload/reexec
path performs unconditional realization.

Invalidate (and queue) the units for realization only if we know that
they were already realized in the past. This is a safe thing to do even
in the case the reload brings some new cgroup setting (controllers, BPF)
because units that aren't realized will use the updated setting when the
time for their realization comes. (It's not even needed to add a code
comment because the current formulation suggests the changed behavior.)

(cherry picked from commit cc815b7fea0ade5331e8dd22ef6b5183edb77608)
(cherry picked from commit 94f501805db8b272fd2d8d2c4eab0c5291db50e0)

kbd-model-map: add Latvian keyboard layout mapping

(cherry picked from commit 9dfb429a44b0c7e4c50f35f888ac8ba3c677a994)
(cherry picked from commit 9f7274055762c8ab31248489e7236c1a51154f62)

Clarify help information for --global

(cherry picked from commit 3c3335c7146a43137c46acfa18417cca101cb088)
(cherry picked from commit 12600fdc423c0d06906204795230314d5dbfde82)

journal: don't try to reuse already calculated hash between files with keyed hash feature

When suppressing duplicate fields between files we so far tried to reuse
the already known hash value of the data fields between files. This was
fine as long as we used the same hash function everywhere. However,
since addition of the keyed hash feature for journal files this doesn't
work anymore, since the hashes will be different for different files.

Fixes: #19172
(cherry picked from commit 2e1a8a5dab8b5519c079c9bed54fc682aa4095b0)
(cherry picked from commit d804bcadcb448879f31c32363970d9b70b742b9a)

journal: add some careful overflow checking

(cherry picked from commit d8671b1c6f036ce270b9631973314e7de24e74b1)
(cherry picked from commit 84e1819ec104a168f7904134b6212669133c955f)

seccomp: add some recently added syscalls to filter groups

(cherry picked from commit 34254e599a28529bdb89f91571adeaf7c76d9f43)
(cherry picked from commit daaf9273294f133ab9c970b3172608686de6f86a)

core/socket: do not assign another fd to SocketPort which already has a fd on deserialization

Otherwise, if a socket address is duplicated, then the previous fd is
closed.

Fixes #19843.

(cherry picked from commit 3da0caf5bbf3c8cab716c4d7adf0eb25907dc951)
(cherry picked from commit 11acee8a00f1e04952f86088078041849d8f9819)

udevadm: fix --tag-match help + description

(cherry picked from commit d27e6aee5050da17bc9531fb62ac11aba4b15ceb)
(cherry picked from commit 98af14bf53e0aeebf9d88b8f1c202a31ae7bb753)

units: stop automount unit when shutting down

This is currently our only .automount unit. We wouldn't want to trigger it
accidentally during shutdown, so let's stop it too.

(cherry picked from commit dc16846c26287fd2081eb3c4a73487c9b186e2b7)
(cherry picked from commit b1ce5653fac2766c4b4a070fec2126f211d49efa)

pid1: only add a Wants= type dependency on /tmp when PrivateTmp=yes

We support that tmp.mount being masked, and this should not be considered an
error.

(cherry picked from commit b2c7d1bbc2243a425d9b825859bbd0647eecd050)
(cherry picked from commit 6a3a8c70686ab6da80dd87d0bd816a8c18980b71)

tmpfiles: do not check if unresolved globs are autofs paths

With the previous commit, we would not complain about the not-found path, but
the check is still not useful. We use a libc function to resolve the glob, and
it has no notion of treating autofs specially. So we can't avoid touching
autofs when resolving globs. But usually the glob is found in the last
component of the path, so if we strip the glob part, we can still do a useful
check in many cases. (E.g. if /var/tmp is on autofs, something like
"/var/tmp/<glob>" is much more likely than "/var/<glob-that-matches-tmp>/<something>".)

With the system config in F34, we check the following prefixes:

/var/tmp/abrt/* → /var/tmp/abrt/
/run/log/journal/08a5690a2eed47cf92ac0a5d2e3cf6b0/*.journal* → /run/log/journal/08a5690a2eed47cf92ac0a5d2e3cf6b0/
/var/lib/systemd/coredump/.#core*.21e5c6c28c5747e6a4c7c28af9560a3d* → /var/lib/systemd/coredump/
/tmp/podman-run-* → /tmp/
/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-*/tmp → /tmp/
/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-* → /tmp/
/tmp/containers-user-* → /tmp/
/var/tmp/beakerlib-* → /var/tmp/
/var/tmp/dnf*/locks/* → /var/tmp/
/var/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-*/tmp → /var/tmp/
/var/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-* → /var/tmp/
/var/tmp/abrt/* → /var/tmp/abrt/
/var/tmp/beakerlib-* → /var/tmp/
/var/tmp/dnf*/locks/* → /var/tmp/
/tmp/podman-run-* → /tmp/
/tmp/containers-user-* → /tmp/
/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-* → /tmp/
/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-*/tmp → /tmp/
/var/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-* → /var/tmp/
/var/tmp/systemd-private-21e5c6c28c5747e6a4c7c28af9560a3d-*/tmp → /var/tmp/
/var/lib/systemd/coredump/.#core*.21e5c6c28c5747e6a4c7c28af9560a3d* → /var/lib/systemd/coredump/
/run/log/journal/08a5690a2eed47cf92ac0a5d2e3cf6b0/*.journal* → /run/log/journal/08a5690a2eed47cf92ac0a5d2e3cf6b0/

(cherry picked from commit bd6d28f21ad212e141b5e74bd0b7ad517f64a711)
(cherry picked from commit 399a00be3536cb5fbf3f96058c2a88a2a634d466)

basic/glob-util: add helper to strip the glob part from a glob

(cherry picked from commit 1e472a6ce4747a1f10954fb239df73580c8e7411)
(cherry picked from commit 82fcf663cf2cec519185330964c9fdee956047d8)

tmpfiles: stop complaining about autofs on not-found paths

systemd-tmpfiles[328]: Failed to determine whether '/run/cryptsetup' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/etc/resolv.conf' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/lock/subsys' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/setrans' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/console' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/faillock' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/sepermit' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/motd.d' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/motd.d' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/motd' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/run/nologin' is below autofs, ignoring: No such file or directory
systemd-tmpfiles[328]: Failed to determine whether '/var/lib/systemd/pstore' is below autofs, ignoring: No such file or directory
... and so on and so on.

(cherry picked from commit 16eff8271b402f2705d4329fa4cf5a0435e65996)
(cherry picked from commit a2861e9b9c60bb697854a1aa317c0c365204aab1)

pid1: don't choke on overly long device paths

This mimics what we do for device units: if there's a device we cannot
synthesize a good swap unit name for, then proceed without failure.

(cherry picked from commit e82c6e8b6230b237c838f053d52baa3297668eaa)
(cherry picked from commit 5fbb002c65c5dbfb9e789caf3bea1dc6e63ee7ae)

pid1: downgrade if we can't make sense of the old device on MOVE uevent

If the name of the old device didn#t work for us, we don't have to clean
anything up, since we know for sure that there won't be a device unit
for it. hence downgrade log message about it.

(cherry picked from commit 4d94c74fae21f7ef02a5f14b8296a4522d6b51df)
(cherry picked from commit 2ff9f3068341433b031ed8f42900bf1460b53ff6)

pid1: reduce log noise generated by devices with overly long sysfs paths

This basically does what 2c905207db37c691d4abef868165ad5ea2dd0f4f did
for mount units

Fixes: #16161
(cherry picked from commit ad172d19d5ef8b5a3631a8484cc3d1a28dba26c2)
(cherry picked from commit 7f035c549fdc0660431d48f1f7dcb7fc41bad22c)

efi: drop glibc header and use pre-defined macros

This reverts 72dc626b3d6905b105ae61ca2c60f51a6f74070e and replace glibc
specific macros with compiler's pre-defined macros.

(cherry picked from commit ffc36c276c47a9b3f21e83947090f11039628676)
(cherry picked from commit cab22cae2addcbfaa42621440bd7cb4b1a56c84f)

sd-device: do not use ::subsystem member directly

The value is set dynamically when sd_device_get_subsystem() is called
first time.

Fixes the following issue:
```
$ build/udevadm test /sys/class/block/dm-1
...
Assertion '_subsystem' failed at src/libsystemd/sd-device/sd-device.c:767, function device_set_subsystem(). Aborting.
Program received signal SIGABRT, Aborted.
```

(cherry picked from commit 2255e8adee37c490bf8cf2daab791b6f746bb0a0)
(cherry picked from commit 93cf1abc60b774eb5c19e327a2079f67e80011df)

various: don't say that the timestamp 'changed' on initial load

I always found this a bit annoying.
With the patch:

$ SYSTEMD_LOG_LEVEL=debug build/udevadm test /sys/class/block/dm-1
...
Loaded timestamp for '/etc/systemd/network'.
Loaded timestamp for '/usr/lib/systemd/network'.
Parsed configuration file /usr/lib/systemd/network/99-default.link
Parsed configuration file /etc/systemd/network/10-eth0.link
Created link configuration context.
Loaded timestamp for '/etc/udev/rules.d'.
Loaded timestamp for '/usr/lib/udev/rules.d'.
...

(cherry picked from commit 0d5a24beaedb161d4f7fe07361d2a5abdbd6e736)
(cherry picked from commit 688b311f5c6c0b20a3811f6a135bf87e11f36502)

varlink: remove duplicated "varlink:" prefix

We had:

systemd[1]: varlink-36: New incoming message: {"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"userName":"gdm","service":"io.systemd.DynamicUser"},"more":true}
systemd[1]: varlink-36: varlink: changing state idle-server → processing-method-more
systemd[1]: varlink-36: Sending message: {"error":"io.systemd.UserDatabase.NoRecordFound","parameters":{}}
systemd[1]: varlink-36: varlink: changing state processing-method-more → processed-method
systemd[1]: varlink-36: varlink: changing state processed-method → idle-server
systemd[1]: varlink-36: Got POLLHUP from socket.
systemd[1]: varlink-36: varlink: changing state idle-server → pending-disconnect
systemd[1]: varlink-36: varlink: changing state pending-disconnect → processing-disconnect
systemd[1]: varlink-36: varlink: changing state processing-disconnect → disconnected

So let's drop the "varlink:" prefix and use capitalized sentences like in other messages.

(cherry picked from commit 953394e3bb1f1ead3c1d80237b97b71835b0755a)
(cherry picked from commit 780768328a755057f955f36bac56e1da01e090f0)

varlink: say "varlink:" instead of "n/a:" when no description is available

For new connections, we log something like this:

systemd[1]: n/a: New incoming connection.
systemd[1]: n/a: Connections of user 997: 0 (of 1024 max)
systemd[1]: varlink-22: varlink: setting state idle-server
systemd[1]: varlink-22: New incoming message: ...

This "n/a" is not very pretty, and without context it would be hard to even
figure out this is a varlink connection.

(cherry picked from commit f35e9b101d80c05d5a5eaece6e62e8eeb5743691)
(cherry picked from commit b5691dd6f83d99e0588532940c1c24e5647662f7)

udev: ignore the case that the device is already removed

See #19788.

(cherry picked from commit 6be1feb1d7e30c0e7591121b74d4c3c7079de6b3)
(cherry picked from commit b4ad8b418f65e8fbe8719344415758e6e62602f6)

efi: include endian.h to handle endian correctly

The macro __BYTE_ORDER__ is defined in endian.h.

(cherry picked from commit 72dc626b3d6905b105ae61ca2c60f51a6f74070e)
(cherry picked from commit 326e3ae2af0254c0d489ee053610fbbdc60a1f8b)

efi: do not use _STRING_ARCH_unaligned macro

It is already removed from glibc. See,
https://sourceware.org/git/?p=glibc.git;a=commit;h=16396c41deab45f715ffd813280d9d685b3b281e
https://sourceware.org/git/?p=glibc.git;a=commit;h=09a596cc2cf4e0f9f8e9f3bba4b1a97efcb13bcb

(cherry picked from commit 959ab90bbc08855ad5824efecbc03d37b3f9c982)
(cherry picked from commit d31347080272128e9b5c5f922a3f098ba62b059e)

mount: be more descriptive when logging about overly long mount point paths

This is prompted by #17684: let's very explicitly say that the name is
too long for us, and that we'll ignore it.

(cherry picked from commit 3ebc9b9b30b04a3aeec55a11022b337ec5fdb5cf)
(cherry picked from commit 264f179b692843fbb5de2e111b85e6e8bb837e68)

core: when looping over mount/swap names, continue if we find one which doesn't translate to a valid unit name

(cherry picked from commit 598a6a8491abd311d36b11caf262123fbbffb2c0)
(cherry picked from commit f564342089ab56e44bf7240d19b860f2ed003e58)

unit-name: generate a clear error code when converting an overly long fs path to a unit name

(cherry picked from commit 9d5acfab20c5f1177d877d0bec18063c0a6c5929)
(cherry picked from commit 1579dce2c2a162bb09afb9a8a46fd4f7e8fbf1d5)

pam: do not require a non-expired password for user@.service

Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.

The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:

systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.

(cherry picked from commit 71889176e4372b443018584c3520c1ff3efe2711)
(cherry picked from commit 0af5a8921f6019dc35057482711f0fbe347b0c06)

logind-dbus: correctly calculate when to create /etc/nologin file in all cases

Fixes: #19258
(cherry picked from commit cbb6c000c7f08f97fca28db990cd6aeb7aad7f4a)
(cherry picked from commit e55a705af5bfe53c754727138455599798a573bf)

basic/unit-file: fix use-after-free

This fixes a bug introduced by e8630e695232bdfcd16b55f3faafb4329c961104.

Fixes CID#1453292.

(cherry picked from commit 7f1238bd04000f3333e8e2fcb82c9c6e18ee3ffc)
(cherry picked from commit 218117da2a8b4f1eccfc61353fdbe01219696378)

core/service: do not set zero error to log_unit_debug_errno()

Fixes #19725.

(cherry picked from commit 95599cacd3944073f7d944a8b3973e1308d1d57f)
(cherry picked from commit 1af2dba1d3d2d6ffba6816d8ff59eb034074cc18)

load-fragment: validate paths properly

The comment suggests we validate paths here, but we actually didn't, we
only validated filenames. Let' fix that.

(Note this still lets any kind of paths through, including those with
".." and stuff, this is not a normalization check after all)

(cherry picked from commit 108144adea838b281fe1f60dfa75542fe4c82d4b)
(cherry picked from commit 740b24c3e0f81556576a16390d7a2d7e0dc2a7e2)

README: point at IRC channel on the new network

(cherry picked from commit fb906b00c68e34b8692e207a658bcfa3df62456c)
(cherry picked from commit 2aefb7beff0601c8785625784ace2f0d93214321)

network: allow to set Group=0 in [Link] section

Previously, when a link has already in a numbered group, we cannot
remove the link from the group.

This also fixes the range mentioned in the man page.

(cherry picked from commit f0c09831bddb9f335af1b1ebfa6eb8424c2058f3)
(cherry picked from commit f59caa064e158fc0041938c3b0890c8704f84a65)

systemctl: avoid crash when pattern expands to empty unit list

Fixes #19652.

(cherry picked from commit ffcd68385226d4b499dbff0123271e1d3fb8f516)
(cherry picked from commit 9a24f5edcc1c16f2afaa943dfd39f413322a5a0a)

kernel-install: don't erase previous errors if a hook returns 77

The manpage says that exiting 77 is the same as exiting 0,
then skipping all other hooks, but the behaviour heretofor
was to exit 0, skip all, and behave as if all hooks exited 0

(cherry picked from commit 44230fa2b050d63fce49b4bfbbb93c42940754cc)
(cherry picked from commit 954f6ae49a6dc8a7994ff7ca3c86551a8748c2d1)

rules.d: Properly quote $env{MODALIAS}

Add quotes around use of $env{MODALIAS} in rules.d/80-drivers.rules. The
modalias can contain whitespace, for example when it is dynamically generated
using device or vendor IDs.

(cherry picked from commit 07c0e5eeaf3183963f4d680555d2289a33735d6e)
(cherry picked from commit 1151d6f55dd5cc4925a52e0faeca98963114df9b)

journal: fix uninitialized variable use

If the journal file being processed is archivied, seqnum_id will not be
initialized before being passed on, and coverity complains.
Initialize it to zero.

CID #1453235

(cherry picked from commit 06a368e8198a9cbfad86ba17bba6a76a33f15492)
(cherry picked from commit b97c113704056c386574c047928e410c6c1e89ae)

network: fix an infinite loop

Fixes #19467.

(cherry picked from commit e8f99f4e249916e12c09ee5cc9a108cba6a2b5c0)
(cherry picked from commit b234ee7859de556c272c36fc691cee4cb08f7230)

selinux: invoke selinux_set_callback(3) more type-safe

(cherry picked from commit 57e70396dfdc6835c4a9141d29043e4af407205d)
(cherry picked from commit c259b1b6da788964dd9a92f6ff0cfe02f62c0af8)

selinux: reload label db on policy load with libselinux 3.2

Currently the label database is not reloaded with libselinux 3.2 on a
policy reload.

Since libselinux 3.2 avc_open(3) uses the SELinux status page instead of
a netlink socket to check for policy reloads.
The status page is also queried in mac_selinux_maybe_reload().
Thus calls to selinux_check_access(3) might consume an update, queried
by selinux_status_updated(3), leaving mac_selinux_maybe_reload() unable
to detect a policy reload.

Do not use selinux_status_updated(3), use selinux_status_policyload(3)
unconditionally.

Relevant libselinux commit: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503

Debian Bullseye is going to ship libselinux 3.1, so stay compatible for
backports.

(cherry picked from commit c46c76881144271b9a18842e086d1318febdb372)
(cherry picked from commit 82e9abf69ada90373efd7dc2db9934510562b853)

kbd-model-map: add mapping 'es-dvorak'

And update test-keymap-util accordingly.

While at it, make sure to use tabs everywhere.

(cherry picked from commit 0495728429096a405b1d2cf1fa283a90c30ebaa9)
(cherry picked from commit 644a8ca3e026d22e71cb1f37034e6713bb8ee982)