systemd/.git
4 years ago bootctl: Fix update not adding EFI entry if Boot IDs are non-consecutive
Anssi Hannula [Thu, 23 Sep 2021 09:08:05 +0000 (12:08 +0300)]
bootctl: Fix update not adding EFI entry if Boot IDs are non-consecutive

"bootctl update" tries to add sd-boot to the EFI boot loader list if it
is not already there. To do so, it uses find_slot() which finds the
proper BootXXXX slot ID to use and also returns 1 if an existing sd-boot
entry was found at this ID or 0 if it is a new unused ID. In "update"
case install_variables() only writes the entry in case 0 (no existing
entry).

However, find_slot() erroneously returns 1 if it finds a gap in the Boot
IDs (i.e. when not resorting to max(ids) + 1). This causes
"bootctl update" to not add a missing systemd-boot boot entry if the
existing BootXXXX entry IDs are not consecutive.

Fix that by returning 0 in find_slot() when an empty gap ID is selected
to make it match the behavior when selecting an empty non-gap ID.

(cherry picked from commit 26d54e1263dcb58daa6578595cc6ab1037315593)
(cherry picked from commit 0028a3eb976dfa7209433dfa3a24b785f05fd352)

4 years ago watchdog: pass right error code to log function so that %m works
Lennart Poettering [Wed, 15 Sep 2021 13:43:42 +0000 (15:43 +0200)]
watchdog: pass right error code to log function so that %m works

(cherry picked from commit a4588af942af976c55f72869340c24d5017db278)
(cherry picked from commit 11d5f109b04cd61c8bf437065b5e178c485a49b4)

4 years ago sd-journal: Ignore data threshold if set to zero in sd_journal_enumerate_fields()
Daan De Meyer [Wed, 15 Sep 2021 12:05:46 +0000 (13:05 +0100)]
sd-journal: Ignore data threshold if set to zero in sd_journal_enumerate_fields()

According to the documentation, setting the data threshold to zero disables the
data threshold altogether. Let's make sure we actually implement this behaviour
in sd_journal_enumerate_fields() by only applying the data threshold if it exceeds
zero.

(cherry picked from commit adbd80f51088058d55e703abe0ac11476cfe0ba4)
(cherry picked from commit 99ae9b83b42abbe54c059ae964b737b64ae17df9)

4 years ago journalctl: never fail at flushing when the flushed flag is set
Franck Bui [Wed, 4 Aug 2021 09:20:07 +0000 (11:20 +0200)]
journalctl: never fail at flushing when the flushed flag is set

Even if journald was not running, flushing the volatile journal used to work if
the journal was already flushed (i.e. the flushed flag
/run/systemd/journald/flushed was created).

However since commit 4f413af2a0a, this behavior changed and now '--flush' fails
because it tries to contact journald without checking the presence of the
flushed flag anymore.

This patch restores the previous behavior since there's no reason to fail when
journalctl can figure out that the flush is not necessary.

(cherry picked from commit f6fca35e642a112e80cc9bddb9a2b4805ad40df2)
(cherry picked from commit dc331f4c9268d17a66f4393cfd0dba14c7022d41)

4 years ago sd-journal: Don't compare hashes from different journal files
Daan De Meyer [Tue, 14 Sep 2021 14:08:46 +0000 (15:08 +0100)]
sd-journal: Don't compare hashes from different journal files

In sd_journal_enumerate_fields(), we check if we've already handled
a field by checking if we can find it in any of the already processed
journal files. We do this by calling
journal_file_find_field_object_with_hash(), which compares the size,
payload and hash of the given field against all fields in a journal file,
trying to find a match. However, since we now use per file hash functions,
hashes for the same fields will differ between different journal files,
meaning we'll never find an actual match.

To fix the issue, let's use journal_file_find_field_object() when one
or more of the files we're comparing is using per file keyed hashes.
journal_file_find_field_object() only takes the field payload and size
as arguments and calculates the hash itself using the hash function from
the journal file we're searching in.

(cherry picked from commit 27bf0ab76e13611dce10210f2a22fb5fba05adbb)
(cherry picked from commit 2f5b486edfdb6dc3d5465fe7569c19560208813c)

4 years ago Fix error building repart with no libcryptsetup (#20739)
Marcus Harrison [Wed, 15 Sep 2021 01:55:07 +0000 (03:55 +0200)]
Fix error building repart with no libcryptsetup (#20739)

(cherry picked from commit 2709d02906dd3ab5ecc2b3e19e2846b1714a7e5a)
(cherry picked from commit d3dfc9afa2297e2e15019adf974da8fb0ab7270c)

4 years ago test-network: kernel treats the lowest IP address as unicast since 5.14
Yu Watanabe [Mon, 13 Sep 2021 17:50:37 +0000 (02:50 +0900)]
test-network: kernel treats the lowest IP address as unicast since 5.14

See kernel's 94c821c74bf5fe0c25e09df5334a16f98608db90.

(cherry picked from commit 8be102f8b8019a9bd7e445532cad632cbc6986d3)
(cherry picked from commit 64c59740ca21f47718c69b9c68ca28e6fab68741)

4 years ago unit: systemd-oomd.service requires cgroup memory controller
Yu Watanabe [Sat, 11 Sep 2021 11:56:15 +0000 (20:56 +0900)]
unit: systemd-oomd.service requires cgroup memory controller

(cherry picked from commit ca589b1b4139c85e2ae55b62be0a2a6d3eb4db90)
(cherry picked from commit 82ce34f42b4f5648416cc2ef8f78e722e1771114)

4 years ago core: Parse log environment settings again after applying manager environment
Daan De Meyer [Tue, 7 Sep 2021 15:13:56 +0000 (16:13 +0100)]
core: Parse log environment settings again after applying manager environment

Currently, SYSTEMD_LOG_LEVEL set in the ManagerEnvironment property in system.conf
or user.conf doesn't affect the manager's logging level. Parsing the logging environment
variables again after pushing the manager environment into the process environment
block makes sure any new environment changes also get taken into account for logging.

(cherry picked from commit a4303b4096d9a75acd09c5b897ed3d20c9bca6de)
(cherry picked from commit b246b5370e95756e9597d8ec967ae030b442e73f)

4 years ago nss-systemd: ensure returned strings point into provided buffer
Michael Catanzaro [Wed, 8 Sep 2021 21:51:16 +0000 (16:51 -0500)]
nss-systemd: ensure returned strings point into provided buffer

Jamie Bainbridge found an issue where glib's g_get_user_database_entry()
may crash after doing:

```
error = getpwnam_r (logname, &pwd, buffer, bufsize, &pw);
// ...
pw->pw_name[0] = g_ascii_toupper (pw->pw_name[0]);
```

in order to uppercase the first letter of the user's real name. This is
a glib bug, because there is a different codepath that gets the pwd from
vanilla getpwnam instead of getpwnam_r as shown here. When the pwd
struct is returned by getpwnam, its fields point to static data owned by
glibc/NSS, and so it must not be modified by the caller. After much
debugging, Jamie Bainbridge has fixed this in https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244
by making a copy of the data before modifying it, and that resolves all
problems for glib. Yay!

However, glib is crashing even when getpwnam_r is used instead of
getpwnam! According to getpwnam_r(3), the strings in the pwd struct are
supposed to be pointers into the buffer passed by the caller, so glib
should be able to safely edit it directly in this case, so long as it
doesn't try to increase the size of any of the strings.

Problem is various functions throughout nss-systemd.c return synthesized
records declared at the top of the file. These records are returned
directly and so contain pointers to static strings owned by
libsystemd-nss. systemd must instead copy all the strings into the
provided buffer.

This crash is reproducible if nss-systemd is listed first on the passwd
line in /etc/nsswitch.conf, and the application looks up one of the
synthesized user accounts "root" or "nobody", and finally the
application attempts to edit one of the strings in the returned struct.
All our synthesized records for the other struct types have the same
problem, so this commit fixes them all at once.

Fixes #20679

(cherry picked from commit 47fd7fa6c650d7a0ac41bc89747e3b866ffb9534)
(cherry picked from commit 055ba736e12255cf79acc81aac382344129d03c5)

4 years ago nss-systemd: pack pw_passwd result into supplied buffer
Michael Catanzaro [Wed, 8 Sep 2021 18:42:16 +0000 (13:42 -0500)]
nss-systemd: pack pw_passwd result into supplied buffer

getpwnam_r() guarantees that the strings in the struct passwd that it
returns are pointers into the buffer allocated by the application and
passed to getpwnam_r(). This means applications may choose to modify the
strings in place, as long as the length of the strings is not increased.
So it's wrong for us to return a static string here, we really do have
to copy it into the application-provided buffer like we do for all the
other strings.

This is only a theoretical problem since it would be very weird for an
application to modify the pw_passwd field, but I spotted this when
investigating a similar crash caused by glib editing a different field.
See also:

https://gitlab.gnome.org/GNOME/glib/-/merge_requests/2244
(cherry picked from commit 92b264676ccd79c89da270aabc1ec466fa18cd0d)
(cherry picked from commit 84313bc5a262e87f49d176db169e1562d7060b33)
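
The getpwnam_r() buffer contract that the two nss-systemd commit messages above rely on, as an added example that is not code from systemd or glib: a synthesized record returned as is versus one packed into the caller's buffer, with a check that every string pointer lies inside that buffer. The record contents and all function names (`lookup_unpacked`, `lookup_packed`, `passwd_in_buffer`) are hypothetical.

```c
#include <errno.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample record: every string lives in static, read-only data. */
static const struct passwd synthesized_root = {
        .pw_name = (char *) "root",
        .pw_passwd = (char *) "x",
        .pw_uid = 0,
        .pw_gid = 0,
        .pw_gecos = (char *) "Super User",
        .pw_dir = (char *) "/root",
        .pw_shell = (char *) "/bin/sh",
};

/* "Before": the static record is handed back as is; the caller's buffer is ignored. */
static int lookup_unpacked(struct passwd *out, char *buffer, size_t buflen) {
        (void) buffer;
        (void) buflen;
        *out = synthesized_root;
        return 0;
}

/* Copy one NUL-terminated string to the cursor position; NULL if it does not fit. */
static char *append_string(char **cursor, size_t *left, const char *s) {
        size_t n = strlen(s) + 1;
        char *dst;

        if (n > *left)
                return NULL;
        dst = memcpy(*cursor, s, n);
        *cursor += n;
        *left -= n;
        return dst;
}

/* "After": every string is copied into the caller's buffer; ERANGE if it is too small. */
static int lookup_packed(struct passwd *out, char *buffer, size_t buflen) {
        const struct passwd *src = &synthesized_root;
        struct passwd pw = *src;
        char *cursor = buffer;
        size_t left = buflen;

        if (!(pw.pw_name = append_string(&cursor, &left, src->pw_name)) ||
            !(pw.pw_passwd = append_string(&cursor, &left, src->pw_passwd)) ||
            !(pw.pw_gecos = append_string(&cursor, &left, src->pw_gecos)) ||
            !(pw.pw_dir = append_string(&cursor, &left, src->pw_dir)) ||
            !(pw.pw_shell = append_string(&cursor, &left, src->pw_shell)))
                return ERANGE;

        *out = pw;
        return 0;
}

/* True if s starts inside buffer and its terminating NUL is inside it too. */
static bool string_in_buffer(const char *s, const char *buffer, size_t buflen) {
        uintptr_t p = (uintptr_t) s, b = (uintptr_t) buffer;

        if (!s || p < b || p - b >= buflen)
                return false;
        return memchr(s, '\0', buflen - (p - b)) != NULL;
}

/* Contract check: all string fields of the record point into the supplied buffer. */
static bool passwd_in_buffer(const struct passwd *pw, const char *buffer, size_t buflen) {
        return string_in_buffer(pw->pw_name, buffer, buflen) &&
               string_in_buffer(pw->pw_passwd, buffer, buflen) &&
               string_in_buffer(pw->pw_gecos, buffer, buflen) &&
               string_in_buffer(pw->pw_dir, buffer, buflen) &&
               string_in_buffer(pw->pw_shell, buffer, buflen);
}

int main(void) {
        char buffer[128];
        struct passwd pw;

        lookup_unpacked(&pw, buffer, sizeof buffer);
        printf("unpacked record inside buffer: %s\n",
               passwd_in_buffer(&pw, buffer, sizeof buffer) ? "yes" : "no");

        if (lookup_packed(&pw, buffer, sizeof buffer) != 0)
                return 1;
        printf("packed record inside buffer: %s\n",
               passwd_in_buffer(&pw, buffer, sizeof buffer) ? "yes" : "no");

        /* Same-length in-place edit: safe only because the string is in our buffer. */
        pw.pw_name[0] = 'R';
        printf("edited name: %s\n", pw.pw_name);
        return 0;
}
```

A check like `passwd_in_buffer()` can be run in a unit test against each reentrant NSS entry point of a module to catch records that still reference module-owned static strings.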

4 years ago user-util: add generic definition for special password hash values in /etc/passwd...
Lennart Poettering [Wed, 5 May 2021 13:32:43 +0000 (15:32 +0200)]
user-util: add generic definition for special password hash values in /etc/passwd + /etc/shadow

Let's add three defines for the 3 special cases of passwords.

Some of our tools used different values for the "locked"/"invalid" case,
let's settle on using "!*" which means the password is both locked *and*
invalid.

Other tools like to use "!!" for this case, which however is less than
ideal I think, since this could also be considered an entry with
an empty password, that can be enabled again by unlocking it twice.

(cherry picked from commit 53c25ac968ab8b868506c3a1820d8c76beb0cd88)

4 years ago sd-event: take ref on event loop object before dispatching event sources
Michal Sekletar [Wed, 8 Sep 2021 13:42:11 +0000 (15:42 +0200)]
sd-event: take ref on event loop object before dispatching event sources

Idea is that all public APIs should take reference on objects that get
exposed to user-provided callbacks. We take the reference as a
protection from callbacks dropping it. We used to do this also here in
sd_event_loop(). However, in cleanup portion of f814c871e6 this was
accidentally dropped.

(cherry picked from commit 9f6ef467818f902fe5369c8e37a39a3901bdcf4f)
(cherry picked from commit a93ddddd00860bda05df72cfd5b80be9b3a93023)

4 years ago meson.build: change operator combining bools from + to and
Dan Streetman [Fri, 3 Sep 2021 16:43:33 +0000 (12:43 -0400)]
meson.build: change operator combining bools from + to and

upstream meson stopped allowing combining boolean with the plus
operator, and now requires using the logical and operator

reference:
https://github.com/mesonbuild/meson/commit/43302d3296baff6aeaf8e03f5d701b0402e37a6c

Fixes: #20632
(cherry picked from commit c29537f39e4f413a6cbfe9669fa121bdd6d8b36f)
(cherry picked from commit 7f16b730c80b017ad381eba918c066a911b5943f)

4 years ago nspawn: fix type to pass to connect()
Lennart Poettering [Wed, 1 Sep 2021 12:41:37 +0000 (14:41 +0200)]
nspawn: fix type to pass to connect()

It expects a generic "struct sockaddr", not a "struct sockaddr_un".
Pass the right member of the union.

Not sure why gcc/llvm never complained about this...

(cherry picked from commit 32b9736a230d47b73babcc5cfa27d672bb721bd0)
(cherry picked from commit caa0827ca920617dc54e62be1ff8422ad9ce2d3a)

4 years ago udev: fix potential memleak
Yu Watanabe [Fri, 27 Aug 2021 08:27:26 +0000 (17:27 +0900)]
udev: fix potential memleak

(cherry picked from commit 4154524d47d24bcee3ebfed939912a847ebeb1b3)
(cherry picked from commit f4a8e2c2115fc901e588a1672f129e7e3371f5d7)

4 years ago network: print Ethernet Link-Layer DHCP client ID with leading 0's
Alvin Šipraga [Tue, 31 Aug 2021 12:17:33 +0000 (14:17 +0200)]
network: print Ethernet Link-Layer DHCP client ID with leading 0's

This is a small cosmetic change.

Before:

   Offered DHCP leases: 192.168.0.183 (to 0:9:a7:36:bc:89)

After:

   Offered DHCP leases: 192.168.0.183 (to 00:09:a7:36:bc:89)

(cherry picked from commit 8e664ab6ecc9c420d2151f14b36824aecc76d8ac)
(cherry picked from commit 133354a3b9fc7b88fb143f241cfc4565b943ae87)

4 years ago run/mount/systemctl: don't fork off PolicyKit/ask-pw agent when in --user mode
Lennart Poettering [Mon, 30 Aug 2021 11:21:55 +0000 (13:21 +0200)]
run/mount/systemctl: don't fork off PolicyKit/ask-pw agent when in --user mode

When we are in --user mode there's no point in doing PolicyKit/ask-pw
because both of these systems are only used by system-level services.
Let's disable the two agents for that automatically hence.

Prompted by: #20576

(cherry picked from commit 966f3a246c8c804d8a9c9d393f03c5c3fe0dd393)
(cherry picked from commit fb999b918462361fefa435f86884f81edff503c5)

4 years ago man: Don't leak memory in path-documents example
Thomas Mühlbacher [Mon, 30 Aug 2021 14:16:30 +0000 (16:16 +0200)]
man: Don't leak memory in path-documents example

The `sd_path_lookup(3)` man page states that the returned string shall be
`free(3)`'d but then doesn't do so in the example code.

Also add basic error handling as well.

(cherry picked from commit fee1863c83d04aa06d50a90ff42f5d4f4f2b9178)
(cherry picked from commit 010770bbbe45e1c381f4db4f81b35872569a3944)

4 years ago hwdb: remove double empty line in --help text
Lennart Poettering [Mon, 30 Aug 2021 11:20:59 +0000 (13:20 +0200)]
hwdb: remove double empty line in --help text

(cherry picked from commit aecc04f1800c87e0479e74e0225e288a403ba77e)
(cherry picked from commit da61fe147e40ba26ed8cf405dbf0a0e71e060d0b)

4 years ago path-util: make find_executable() work without /proc mounted
Yu Watanabe [Sun, 22 Aug 2021 21:16:48 +0000 (06:16 +0900)]
path-util: make find_executable() work without /proc mounted

Follow-up for 888f65ace6296ed61285d31db846babf1c11885e.

Hopefully fixes #20514.

(cherry picked from commit 93413acd3ef3a637a0f31a1d133b103e1dc81fd6)
(cherry picked from commit 727d0b55f46468d6171f4a326bd3139bab3c93ab)

4 years ago core: Check unit start rate limiting earlier
Daan De Meyer [Tue, 24 Aug 2021 15:46:47 +0000 (16:46 +0100)]
core: Check unit start rate limiting earlier

Fixes #17433. Currently, if any of the validations we do before we
check start rate limiting fail, we can still enter a busy loop as
no rate limiting gets applied. A common occurrence of this scenario
is path units triggering a service that fails a condition check.

To fix the issue, we simply move up start rate limiting checks to
be the first thing we do when starting a unit. To achieve this,
we add a new method to the unit vtable and implement it for the
relevant unit types so that we can do the start rate limit checks
earlier on.

(cherry picked from commit 9727f2427ff6b2e1f4ab927cc57ad8e888f04e95)
(cherry picked from commit ed8fbbf1745c6a2dc0b8cd560ac8a3353f72e979)

4 years ago core: Remove circular include
Daan De Meyer [Tue, 24 Aug 2021 15:19:03 +0000 (16:19 +0100)]
core: Remove circular include

service.h includes socket.h and socket.h includes service.h. Move
service.h include from socket.h to socket.c to remove the circular
dependency.

(cherry picked from commit a243128d1fcfc378df9fce1b4997148a17ef23a5)
(cherry picked from commit a203879ae5914fa1a676dbd480a7ad41ca0d8e40)

4 years ago NEWS: net.ipv4.tcp_ecn = 1 was reverted at v240
Sho Iizuka [Wed, 25 Aug 2021 04:00:03 +0000 (13:00 +0900)]
NEWS: net.ipv4.tcp_ecn = 1 was reverted at v240

Turning on ECN was reverted by 1e190df.

(cherry picked from commit e447ffe4daca1d0beb57242f079125669e4e1c3c)
(cherry picked from commit d69732ea03f2f4e71d0f0952cd0aaf71ceda4240)

4 years ago explicitly close FIDO2 devices
pedro martelletto [Wed, 8 Sep 2021 08:42:56 +0000 (10:42 +0200)]
explicitly close FIDO2 devices

FIDO2 device access is serialised by libfido2 using flock().
Therefore, make sure to close a FIDO2 device once we are done
with it, or we risk opening it again at a later point and
deadlocking. Fixes #20664.

(cherry picked from commit b6aa89b0a399992c8ea762e6ec4f30cff90618f2)
(cherry picked from commit d6e4920b10c3da1665cb44f4686893b865003d12)

4 years ago Drop bundled copy of linux/if_arp.h
Zbigniew Jędrzejewski-Szmek [Wed, 15 Sep 2021 14:33:05 +0000 (16:33 +0200)]
Drop bundled copy of linux/if_arp.h

As far as I can see, we use this to get a list of ARPHRD_* defines (used in
particular for Type= in .link files). If we drop our copy, and build against
old kernel headers, the user will have a shorter list of types available.  This
seems OK, and I don't think it's worth carrying our own version of this file
just to have newest possible entries.

7c5b9952c4f6e2b72f90edbe439982528b7cf223 recently updated this file, but we'd
have to update it every time the kernel adds new entries. But if we look at
the failure carefully:

src/basic/arphrd-from-name.gperf:65:16: error: ‘ARPHRD_MCTP’ undeclared (first use in this function); did you mean ‘ARPHRD_FCPP’?
   65 | MCTP, ARPHRD_MCTP
      |                ^~
      |                ARPHRD_FCPP

we see that the list we were generating was from the system headers, so it was
only as good as the system headers anyway, without the newer entries in our
bundled copy, if there were any. So let's make things simpler by always using
system headers.

And if somebody wants to fix things so that we always have the newest list,
then we should just generate and store the converted list, not the full header.

(cherry picked from commit e7f46ee3ae1cc66a94b293957721d68dc09d7449)

4 years ago basic/linux: Sync if_arp.h with Linux 5.14
Chris Packham [Thu, 9 Sep 2021 21:51:36 +0000 (09:51 +1200)]
basic/linux: Sync if_arp.h with Linux 5.14

ARPHRD_MCTP was added in 5.14. Sync if_arp.h to pick up the definition

Fixes #20694

(cherry picked from commit 7c5b9952c4f6e2b72f90edbe439982528b7cf223)

4 years ago tpm-util: fix TPM parameter handling
Anatol Pomozov [Fri, 10 Sep 2021 18:52:55 +0000 (11:52 -0700)]
tpm-util: fix TPM parameter handling

cryptenroll allows specifying a custom TPM driver, separated from the
parameters with a colon, e.g. `systemd-cryptenroll --tpm2-device=swtpm:`
tells it to load the swtpm tss driver and use it as a device.

Unfortunately it does not work, swtpm driver init() fails with

```
debug:tcti:src/tss2-tcti/tcti-swtpm.c:570:Tss2_Tcti_Swtpm_Init() Dup'd conf string to: 0x562f91cbc000
debug:tcti:src/util/key-value-parse.c:85:parse_key_value_string() parsing key/value: swtpm:
WARNING:tcti:src/util/key-value-parse.c:50:parse_key_value() key / value string is invalid
Failed to initialize TCTI context: tcti:A parameter has a bad value
```

It turns out that cryptenroll is supposed to use the driver name internally
and strip it before passing the rest of the parameters to the init() function.
Without doing so, swtpm receives an incorrect key-value property and gets
confused.

Fix it by passing the correct parameter (without driver name) to the
init() function.

Fixes #20708

(cherry picked from commit 8889564a8da574e4b956e2b6ced34354dee54cd7)

4 years ago journal,network,timesync: fix segfault on 32bit timeval/timespec systems
Yu Watanabe [Wed, 15 Sep 2021 14:29:11 +0000 (23:29 +0900)]
journal,network,timesync: fix segfault on 32bit timeval/timespec systems

Fixes #20741.

(cherry picked from commit f782eee68aea996c68b8cfeba5f288dae7fc876f)

4 years ago timesync: check cmsg length
Yu Watanabe [Sun, 29 Aug 2021 11:55:44 +0000 (20:55 +0900)]
timesync: check cmsg length

(cherry picked from commit 37df6d9b8d3a8b34bec5346766ab8093c0f0fc26)

4 years ago socket-util: introduce CMSG_SPACE_TIMEVAL/TIMESPEC macro to support additional 64bit...
Yu Watanabe [Sun, 29 Aug 2021 11:50:49 +0000 (20:50 +0900)]
socket-util: introduce CMSG_SPACE_TIMEVAL/TIMESPEC macro to support additional 64bit timeval or timespec

Fixes #20482 and #20564.

(cherry picked from commit 9365e296fe281da45797af89a97627e872fc019d)

4 years ago icmp6: drop unnecessary assertion
Yu Watanabe [Thu, 19 Aug 2021 23:44:27 +0000 (08:44 +0900)]
icmp6: drop unnecessary assertion

Follow-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1.

(cherry picked from commit 6da22a2fa592cc908d26c732b537d8b4fc004280)

4 years ago timesync: fix wrong type for receiving timestamp in nanoseconds
Yu Watanabe [Thu, 19 Aug 2021 23:40:11 +0000 (08:40 +0900)]
timesync: fix wrong type for receiving timestamp in nanoseconds

(cherry picked from commit 6f96bdc58746b1698bf8b3430a6c638f8949daec)

4 years ago network: fix wrong flag: manage_foreign_routes -> manage_foreign_rules
Yu Watanabe [Tue, 7 Sep 2021 12:46:50 +0000 (21:46 +0900)]
network: fix wrong flag: manage_foreign_routes -> manage_foreign_rules

Fixes a bug in d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff.

(cherry picked from commit 771a36439e955906290afc16a6fb3b10401892cf)

4 years ago man: update description for ManageForeignRoutes=
Yu Watanabe [Tue, 13 Apr 2021 03:23:31 +0000 (12:23 +0900)]
man: update description for ManageForeignRoutes=

(cherry picked from commit 3fe23a96d66e82ff8b08e6573093e391d62f5bd1)

4 years ago network: introduce ManageForeignRoutingPolicyRules= boolean setting in networkd.conf
Yu Watanabe [Sun, 11 Apr 2021 12:33:51 +0000 (21:33 +0900)]
network: introduce ManageForeignRoutingPolicyRules= boolean setting in networkd.conf

The commit 0b81225e5791f660506f7db0ab88078cf296b771 makes networkd
remove all foreign rules except those with "proto kernel".

But, in some situations, people may want to manage routing policy rules
with other tools, e.g. the 'ip' command. To support such a situation,
this introduces the ManageForeignRoutingPolicyRules= boolean setting.

Closes #19106.

(cherry picked from commit d94dfe7053d49fa62c4bfc07b7f3fc2227c10aff)

4 years ago test-install-root: add test for unknown WantedBy= target
David Tardon [Wed, 31 Mar 2021 08:38:00 +0000 (10:38 +0200)]
test-install-root: add test for unknown WantedBy= target

(cherry picked from commit 8adbad370f522831dd9246fe272caf37ce748d4a)

4 years ago shared/install: ignore enablement of template units w/o instance when presetting
Zbigniew Jędrzejewski-Szmek [Wed, 9 Jun 2021 16:41:17 +0000 (18:41 +0200)]
shared/install: ignore enablement of template units w/o instance when presetting

When we have a unit which cannot be enabled:
 # foo@.service:
 ...
 [Install]
 WantedBy=foo.target  # there is no instance, so we don't know what to enable

we should throw an error when invoked directly with 'enable', but
not when doing 'preset' or 'preset-all'.

Fixes #19856.

(cherry picked from commit ad5fdd391248432e0c105003a8a13f821bde0b8e)

Fixes https://github.com/systemd/systemd-stable/issues/108

4 years ago shared/install: pass UnitFileFlags down into the call chain
Zbigniew Jędrzejewski-Szmek [Thu, 10 Jun 2021 08:00:16 +0000 (10:00 +0200)]
shared/install: pass UnitFileFlags down into the call chain

This just propagates the parameter down into leaf functions,
without any functional change.

(cherry picked from commit 9b69770a495a170bd6efd5b0c7a89a3ad093a021)

4 years ago shared/install: improve message about template mismatch
Zbigniew Jędrzejewski-Szmek [Wed, 9 Jun 2021 15:24:52 +0000 (17:24 +0200)]
shared/install: improve message about template mismatch

$ systemctl enable --root=/ serial-getty@.service
Failed to enable unit, unit getty.target is a non-template unit.

Failed to enable serial-getty@.service, destination unit getty.target is a non-template unit.

(cherry picked from commit e1f2f7f194bf8687e19e74ac703923e4c107b46e)

4 years ago shared/install: remove custom error handling in unit_file_preset_all()
Zbigniew Jędrzejewski-Szmek [Wed, 9 Jun 2021 14:34:20 +0000 (16:34 +0200)]
shared/install: remove custom error handling in unit_file_preset_all()

This had some purpose back in the day, but right now I cannot see what
difference this makes. It's hard to keep the list of all possible errors up to
date. So let's remove this, hopefully nothing breaks.

(cherry picked from commit 4a203a5177b7d9aa499221c315bc0e327a23b5cf)

4 years ago shared/install: ignore failures for auxiliary files
Zbigniew Jędrzejewski-Szmek [Wed, 9 Jun 2021 14:33:23 +0000 (16:33 +0200)]
shared/install: ignore failures for auxiliary files

If Also= fails, warn, but otherwise ignore the failure.

Fixes #19407.

(cherry picked from commit 3aa96361ed32b4084cdd59caaebca9cbdc66db0f)

4 years ago Make unit_name_to_instance() return UnitNameFlags
Zbigniew Jędrzejewski-Szmek [Tue, 4 May 2021 16:40:02 +0000 (18:40 +0200)]
Make unit_name_to_instance() return UnitNameFlags

The function returns non-negative UnitNameFlags on success, and negative
errno on error. In the past we kept the return type as int because of those
negative return values. But nowadays _UNIT_NAME_INVALID == -EINVAL. And if
we tried to actually return something that doesn't fit in the return type,
the compiler would throw an error. By changing to the "real" return type,
we allow the debugger to use symbolic representation for the variables.

(cherry picked from commit 73ce91a05a63f44367b48a7ef3ca1ce4e85205b3)

4 years ago test-install-root: create referenced targets
David Tardon [Wed, 31 Mar 2021 08:08:31 +0000 (10:08 +0200)]
test-install-root: create referenced targets

(cherry picked from commit cd228002ccedb927b4531a4b7dd9ea7015fdb657)

4 years ago install: warn if WantedBy targets don't exist
Jan Synacek [Wed, 3 Jun 2020 08:33:21 +0000 (10:33 +0200)]
install: warn if WantedBy targets don't exist

Currently, if [Install] section contains WantedBy=target that doesn't exist,
systemd creates the symlinks anyway. That is just user-unfriendly.
Let's be nice and warn about installing non-existent targets.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1835351.

Replaces: #15834
(cherry picked from commit 8ae27441c2dcf585f58242991302b09778d4d710)

4 years ago network: use address_equal()/route_equal() to compare addresses or routes configured...
Yu Watanabe [Wed, 4 Aug 2021 04:14:03 +0000 (13:14 +0900)]
network: use address_equal()/route_equal() to compare addresses or routes configured by NDisc

Fixes #20244.

(cherry picked from commit 10e417b3eac03c1bcd0b5f3d5c24291ac644e164)

4 years ago core: wrap cgroup path with empty_to_root() in log messages v248.7
Yu Watanabe [Wed, 4 Aug 2021 18:14:41 +0000 (03:14 +0900)]
core: wrap cgroup path with empty_to_root() in log messages

This fixes e.g. the following log message:
---
systemd[1]: -.slice: Failed to migrate controller cgroups from , ignoring: Read-only file system
---

(cherry picked from commit 6178e2f88956e1900f445908ed053865cc22e879)
(cherry picked from commit 24a40953d3d6ad8b1429d19da2f66399ae3f7e0b)

4 years ago core/cgroup: fix error handling of cg_remove_xattr()
Yu Watanabe [Wed, 4 Aug 2021 18:13:48 +0000 (03:13 +0900)]
core/cgroup: fix error handling of cg_remove_xattr()

(cherry picked from commit 0cddb53c85588fbfb8043f622895c7bd15819198)
(cherry picked from commit 7e79bfce0674c58068d2a125ed666986544e790f)

4 years ago sd-netlink: always append new bridge FDB entries
Yu Watanabe [Wed, 4 Aug 2021 09:16:44 +0000 (18:16 +0900)]
sd-netlink: always append new bridge FDB entries

This partially reverts 192a9d95ea3e058afd824d38a9cea16ad0a84a57 (#19432).

Fixes #20305.

(cherry picked from commit 74c1ab841fbad9d4f237c819577fcd1d46a072b6)
(cherry picked from commit f65dedbb8f3bd8a0ec69a02f63f62f339a791423)

4 years ago mkosi: openSUSE update --bootable=no dependencies
Michal Koutný [Fri, 12 Feb 2021 17:11:18 +0000 (18:11 +0100)]
mkosi: openSUSE update --bootable=no dependencies

Since we can build --bootable=no images without dracut->systemd, we need
to add systemd runtime dependencies explicitly.

(cherry picked from commit f2bb8857cd093eb9bd5e1dad6fb996a0a4463556)
(cherry picked from commit e4e572117b41f6e8152a30acc6f60a0385090137)

4 years ago man: describe veritysetup command syntax
Zbigniew Jędrzejewski-Szmek [Sat, 31 Jul 2021 07:16:52 +0000 (09:16 +0200)]
man: describe veritysetup command syntax

It makes it easier to diagnose what the generated units actually do.

(cherry picked from commit d53285d551d883bb9f097eca0942e8c585e33470)
(cherry picked from commit e820d11a409ba93cf1634031fd363dde5e2b6a94)

4 years ago veritysetup: print help for --help/-h/help
Zbigniew Jędrzejewski-Szmek [Sat, 31 Jul 2021 07:00:11 +0000 (09:00 +0200)]
veritysetup: print help for --help/-h/help

In general our commands print help on --help, but here this would trigger
the error that two arguments are needed. Let's make this more user-friendly.

(cherry picked from commit 5d5e43cc33637a12f743f17294cfbd3ede08a1b3)
(cherry picked from commit 5e5923f272682476c053e5afd705e0f6b4595cbf)

4 years ago Use correct `<poll.h>` include
David Seifert [Mon, 2 Aug 2021 14:09:10 +0000 (16:09 +0200)]
Use correct `<poll.h>` include

* `<sys/poll.h>` is not specified in POSIX

(cherry picked from commit 2b6c0bb2a341c95223ce672249e43c743b03d78c)
(cherry picked from commit fba9fd963bb3b5fafdb123788b3fabe6ed0830c9)

4 years ago Use correct `<fcntl.h>` include
David Seifert [Mon, 2 Aug 2021 10:41:38 +0000 (12:41 +0200)]
Use correct `<fcntl.h>` include

* `<sys/fcntl.h>` is not specified in POSIX

(cherry picked from commit f8d54f7810aeea5ff27a5db03e1aab7ea54c8268)
(cherry picked from commit cc94387e674c7db7b15efe56763fe6c87363f73d)

4 years ago test: correctly detect ASan on s390x
Frantisek Sumsal [Thu, 29 Jul 2021 16:44:51 +0000 (18:44 +0200)]
test: correctly detect ASan on s390x

s390x uses BRAS(L) instead of CALL(Q), e.g.:

```
 1009528: c0 e5 ff ff f8 a0  brasl %r14,1008668 <__asan_report_load1@plt>
 10095f0: c0 e5 ff ff ea ec  brasl %r14,1006bc8 <__asan_stack_malloc_4@plt>
 10097f8: c0 e5 ff ff f8 f8  brasl %r14,10089e8 <__asan_report_load8@plt>
```

x86_64 for reference:

```
  4011f3: e8 48 fe ff ff        callq  401040 <__asan_report_load1@plt>
  401227: e8 24 fe ff ff        callq  401050 <__asan_report_load8@plt>
  401251: e8 da fd ff ff        callq  401030 <__asan_init@plt>
```

(cherry picked from commit 8bf79f05532162d19fe6ee211297cff81b4f9874)
(cherry picked from commit 02a744940e26a6ecf8778800a4317e9a8a474482)

4 years ago systemctl: allow set-property to be called with a glob pattern
Zbigniew Jędrzejewski-Szmek [Wed, 28 Jul 2021 10:57:10 +0000 (12:57 +0200)]
systemctl: allow set-property to be called with a glob pattern

We call "systemctl set-property … Markers=+needs-restart" and this should
also work for globs, e.g. "user@*.service" or "syncthing@*.service".

https://bugzilla.redhat.com/show_bug.cgi?id=1986258
(cherry picked from commit 23a0ffa59f9cb26c4b016c9fd1a3a70da2607f61)
(cherry picked from commit d334cc62101b8b8ea37d8458f90abc5a6136b315)

4 years ago man/systemctl: rework descriptions of bind and mount-image
Zbigniew Jędrzejewski-Szmek [Tue, 27 Jul 2021 07:42:09 +0000 (09:42 +0200)]
man/systemctl: rework descriptions of bind and mount-image

The text used "unit's view" to mean mount namespace. But we talk about
mount namespaces in the later part of the paragraph anyway, so trying to
use an "approachable term" only makes the whole thing harder to understand.
Let's use the precise term.

Some paragraph-breaking and re-indentation is done too.

(cherry picked from commit e04eae5e1c43c050e0707d3fcfdc16691b761d61)
(cherry picked from commit dcdfc4d9a77720d0432d0e587e41e96dc8b8542c)

4 years ago man: use title of docs/ pages when referring to them
Zbigniew Jędrzejewski-Szmek [Tue, 27 Jul 2021 07:39:19 +0000 (09:39 +0200)]
man: use title of docs/ pages when referring to them

There is some inconsistency, partially caused by the awkward naming
of the docs/ pages. But let's be consistent and use the "official" title.
If we ever change plural↔singular, we should use the same form everywhere.

(cherry picked from commit d6029680df7c4991e37662467668816a83c0b806)
(cherry picked from commit 77681242c8c6d7693814b8245e9096e43faa21be)

4 years ago man: fix assorted issues reported by the manpage-l10n project
Zbigniew Jędrzejewski-Szmek [Tue, 27 Jul 2021 07:37:29 +0000 (09:37 +0200)]
man: fix assorted issues reported by the manpage-l10n project

Fixes #20297.

(cherry picked from commit be0d27ee0c2a2cce39490b8cfc0e7d995fbd7644)
(cherry picked from commit 9eb9b07c404be8d59a800c70593809a69f0d0e55)

[Only the parts that were conflict-free: I think it's nice to fix errors, but
not important enough to devote actual work to it.]

4 years ago seccomp: move sched_getaffinity() from @system-service to @default
Lennart Poettering [Tue, 27 Jul 2021 15:11:09 +0000 (17:11 +0200)]
seccomp: move sched_getaffinity() from @system-service to @default

See: https://github.com/systemd/systemd/pull/20191#issuecomment-881982739

In general, we shouldn't blanket move syscalls like this into @default,
given that glibc actually does have fallbacks, afaics. However, as
long as the syscalls are "read-only" and thus benign, I figure it's a
safe thing to do. But we should probably stick to a "if in doubt, don't"
rule, and put these syscalls in @system-service as default, but not into
@default.

I think in the real world @system-service is the sensible group people
should use, and not @default actually.

(cherry picked from commit 7df660e45682af5c40a236abe1bdc5ddcf3b3533)
(cherry picked from commit 898949f71513da918c4aa94a0681fbc6b868e00f)

4 years ago seccomp: drop getrandom() from @system-service
Lennart Poettering [Tue, 27 Jul 2021 15:10:21 +0000 (17:10 +0200)]
seccomp: drop getrandom() from @system-service

It's included in @default now, since
14f4b1b568907350d023d1429c1aa4aaa8925f22, and since @system-service
pulls that in we can drop it from @system-service.

Follow-up for #20191

(cherry picked from commit 67347f37407489a68e12da8f75b78ae1d1168de9)
(cherry picked from commit 24243d8d271c56c2ebe5cb361d8b2ebab7f6ead0)

4 years ago networkd: Include linux/netdevice.h header
Khem Raj [Mon, 26 Jul 2021 17:58:46 +0000 (10:58 -0700)]
networkd: Include linux/netdevice.h header

This header provides definitions for NET_NAME_UNKNOWN and NET_NAME_ENUM
Fixes build issue found with non-glibc systems

../git/src/network/networkd-link.c:1203:52: error: 'NET_NAME_UNKNOWN' undeclared (first use in this function)

Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2a0d07d6a0d5be63c6c10cb0789412f584858ec1)
(cherry picked from commit 46ced8149d5d97bf485bd668115915bcb6d47deb)

4 years ago man: Fix incorrect EFI vendor UUID (last missing nibble)
ratijas [Fri, 23 Jul 2021 10:32:52 +0000 (13:32 +0300)]
man: Fix incorrect EFI vendor UUID (last missing nibble)

(cherry picked from commit d2e84b601805ae89cf8cb1b383b30c7c97cac73d)
(cherry picked from commit 08c99e5600f92c5143b931a507980a2655380cb3)

4 years ago malloc() uses getrandom now
Cristian Rodríguez [Fri, 9 Jul 2021 21:19:05 +0000 (17:19 -0400)]
malloc() uses getrandom now

glibc master uses getrandom in malloc since https://sourceware.org/git/?p=glibc.git;a=commit;h=fc859c304898a5ec72e0ba5269ed136ed0ea10e1, getrandom should be in the default set so to avoid all non trivial programs to fallback to a PRNG.

(cherry picked from commit 14f4b1b568907350d023d1429c1aa4aaa8925f22)
(cherry picked from commit 765c366274db3ff841da237769f2b20a4ec3a045)

4 years ago machined-varlink: fix double free
David Tardon [Mon, 2 Aug 2021 11:31:04 +0000 (13:31 +0200)]
machined-varlink: fix double free

Fixes: #18599
(cherry picked from commit feac9a1d1bf3f59adaa85f58b655ec01a111a29a)
(cherry picked from commit 1600b38cd2029533547f8c3d4abfa12911ca0630)

4 years ago sd-event: always reshuffle time prioq on changing online/offline state v248.6
Yu Watanabe [Mon, 14 Jun 2021 17:13:59 +0000 (02:13 +0900)]
sd-event: always reshuffle time prioq on changing online/offline state

Before 81107b8419c39f726fd2805517a5b9faab204e59, the compare functions
for the latest or earliest prioq did not handle ratelimited flag.
So, it was ok to not reshuffle the time prioq when changing the flag.

But now, those two compare functions also compare whether the source is
ratelimited or not. So, it is necessary to reshuffle the time prioq
after changing the ratelimited flag.

Hopefully fixes #19903.

(cherry picked from commit 2115b9b6629eeba7bc9f42f757f38205febb1cb7)

Hopefully fixes #20285 and
https://bugzilla.redhat.com/show_bug.cgi?id=1984651.

4 years ago sd-event: make event_source_time_prioq_reshuffle() accept all event source type
Yu Watanabe [Mon, 14 Jun 2021 17:03:02 +0000 (02:03 +0900)]
sd-event: make event_source_time_prioq_reshuffle() accept all event source type

But it does nothing for an event source which is neither a timer nor
ratelimited.

(cherry picked from commit 5c08c7ab23dbf02aaf4e4bbae8e08a195da230a4)

4 years ago sd-event: use usec_add()
Yu Watanabe [Mon, 14 Jun 2021 16:01:48 +0000 (01:01 +0900)]
sd-event: use usec_add()

(cherry picked from commit a595fb5ca9c69c589e758e9ebe3b70ac90450ba3)

4 years ago sd-event: drop unnecessary "else"
Yu Watanabe [Mon, 14 Jun 2021 15:44:04 +0000 (00:44 +0900)]
sd-event: drop unnecessary "else"

(cherry picked from commit 7e2bf71ca3638e36ee33215ceee386ba8013da6d)

4 years ago man: document nss-{resolve,myhostname} resolving in the other direction, too
Florian Klink [Sat, 17 Jul 2021 17:49:42 +0000 (19:49 +0200)]
man: document nss-{resolve,myhostname} resolving in the other direction, too

(cherry picked from commit 946f7ce32cef44d9bfcf2dc594bb193341434f57)
(cherry picked from commit f869a39bceb35406d3193058d6ab5308c2e28f17)

4 years ago man: stop recommending putting myhostname after dns
Florian Klink [Thu, 1 Jul 2021 20:11:27 +0000 (22:11 +0200)]
man: stop recommending putting myhostname after dns

nss-resolve also looks in /etc/hosts, and has the same local hostname
resolving logic as nss-myhostname. We shouldn't recommend another order
than nss-resolve uses internally.

When nss-resolve is used, there's no possibility to override
nss-myhostname hosts via DNS *anyway*.

On top of that, it's not a good idea to allow DNS to override local
hostnames at all - at least not something we should advertise in the
docs.

Followup of f918c67d38ba6ccd4eb0dc657f3f3155e5010cae /
https://github.com/systemd/systemd/pull/16754.

(cherry picked from commit ce266330fc3bd6767451ac3400336cd9acebe9c1)
(cherry picked from commit 21423efc5852194ba3bf2bbc8067258e35c1558d)

4 years ago pid1: propagate the original command line when reexecuting
Zbigniew Jędrzejewski-Szmek [Thu, 22 Jul 2021 06:21:46 +0000 (08:21 +0200)]
pid1: propagate the original command line when reexecuting

When we reexec the manager in a container, we lose configuration settings on
the kernel command line:

  $ systemd-nspawn -M rawhide -b systemd.status-unit-format=name systemd.show-status=yes
  ...
  # tr '\0' ' ' </proc/1/cmdline
  /usr/lib/systemd/systemd systemd.status_unit_format=combined systemd.show-status=yes
  # sudo systemctl daemon-reexec
  # tr '\0' ' ' </proc/1/cmdline
  /usr/lib/systemd/systemd --system --deserialize 20

  This means that after daemon-reexec, the settings that we gain from the
  commandline are reset to defaults.

So let's reexecute with the original arguments copied over, modulo some
filtering.

(cherry picked from commit 846f1da465beda990c1c01346311393f485df467)
(cherry picked from commit f3af6ba86c1128ccf6d6f896f70c22f9645a51c5)

4 years ago sd-bus: fix missing initializer in SD_BUS_VTABLE_END (#20253)
Matthijs van Duin [Wed, 21 Jul 2021 09:10:36 +0000 (11:10 +0200)]
sd-bus: fix missing initializer in SD_BUS_VTABLE_END (#20253)

When two fields were added to the vtable.x.start struct, no initializers
for these were added to SD_BUS_VTABLE_END which also (ab)used that
struct (albeit sneakily by using non-designated initialization).

While C tolerates this, C++ prohibits these missing initializers, and
both g++ and clang++ will complain when using -Wextra.

This patch gives SD_BUS_VTABLE_END its own case in the union and
clarifies its initialization.

I tested the behaviour of g++ 10.2 and clang 11 in various cases. Both will warn
(-Wmissing-field-initializers, implied by -Wextra) if you provide initializers for some
but not all fields of a struct. Declaring x.end as empty struct or using an empty initializer
{} to initialize the union or one of its members is valid C++ but not C, although both gcc
and clang accept it without warning (even at -Wall -Wextra -std=c90/c++11) unless you
use -pedantic (which requires -std=c99/c++2a to support designated initializers).

Interestingly, .x = { .start = { 0, 0, NULL } } is the only initializer I found for the union
(among candidates for SD_BUS_VTABLE_END) where gcc doesn't zero-fill it entirely
when allocated on stack, it looked like it did in all other cases (I only examined this on
32-bit arm). clang always seems to initialize all bytes of the union.

[zjs: test case:
$ cat vtable-test.cc
#include "sd-bus.h"

const sd_bus_vtable vtable[] = {
   SD_BUS_VTABLE_END
};

$ g++ -I src/systemd/ -Wall -Wmissing-field-initializers -c vtable-test.cc
vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::<unnamed union>::<unnamed struct>::features’ [-Wmissing-field-initializers]
    5 | };
      | ^
vtable-test.cc:5:1: warning: missing initializer for member ‘sd_bus_vtable::<unnamed union>::<unnamed struct>::vtable_format_reference’ [-Wmissing-field-initializers]

$ clang++ -I src/systemd/ -Wmissing-field-initializers -c vtable-test.cc
vtable-test.cc:4:4: warning: missing field 'features' initializer [-Wmissing-field-initializers]
   SD_BUS_VTABLE_END
   ^
src/systemd/sd-bus-vtable.h:188:28: note: expanded from macro 'SD_BUS_VTABLE_END'
                .x = { { 0 } },                                         \
                           ^
1 warning generated.

Both warnings are gone with the patch.]

(cherry picked from commit 654eaa403070d3c897454a5190603fda4071c3ff)
(cherry picked from commit cdaf655f73bb3be10d47ab6f00d71a8d0b1a81e3)

4 years ago hwdb: 60-keyboard::remove hardcoded definition for KEYBOARD_KEY_56 for MSI Prestige...
Aakash Singh [Mon, 19 Jul 2021 18:57:48 +0000 (00:27 +0530)]
hwdb: 60-keyboard::remove hardcoded definition for KEYBOARD_KEY_56 for MSI Prestige And Modern

(cherry picked from commit 30c9faff0d74ceb0cbafb8ecdd8573bc479984dc)
(cherry picked from commit 95c3ad53f3febdaa1f175b85fb8b08ffc2bc96be)

This fixes a regression which was introduced into v248-stable with
976b4254a336a5bda52e7a38df48564d08f4cbff.

4 years ago alloc-util: introduce MALLOC_SIZEOF_SAFE() helper
Lennart Poettering [Tue, 18 May 2021 20:27:24 +0000 (22:27 +0200)]
alloc-util: introduce MALLOC_SIZEOF_SAFE() helper

It's a wrapper around malloc_usable_size() that is supposed to be
compatible with _FORTIFY_SOURCES=1, by taking the
__builtin_object_size() data into account, the same way as the
_FORTIFY_SOURCES=1 logic does.

Fixes: #19203
(cherry picked from commit 6df28e1f847d68ad37ffe3f4ff47745b55233861)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1975564

4 years ago fileio: bump limit for read_full_file() and friends to 64M
Lennart Poettering [Thu, 10 Jun 2021 08:19:11 +0000 (10:19 +0200)]
fileio: bump limit for read_full_file() and friends to 64M

Apparently people use such large key files. Specifically, people used 4M
key files, and we lowered the limit from 4M to 4M-1 back in 248.

This raises the limit to 64M for read_full_file() to avoid these
specific issues and give some non-trivial room beyond the 4M files seen
IRL.

Note that a 64M allocation in glibc is always immediately done via
mmap(), and is thus a lot slower than shorter allocations. This means
read_virtual_file() becomes ridiculously slow if we'd use the large
limit, since we use it all the time for reading /proc and /sys metadata,
and read_virtual_file() typically allocates the full size with malloc()
in advance.  In fact it becomes so slow, that test-process-util kept
timing out on me all the time, once I blindly raised the limit.

This patch hence introduces two distinct limits for read_full_file() and
read_virtual_file(): the former is much larger than the latter and the
latter remains where it is. This is safe since the former uses an
exponentially growing realloc() loop while the latter uses the
aforementioned ahead-of-time full limit allocation.

Fixes: #19193

(cherry picked from commit f6dd48fae807f93e4295c27bff79f4707cc96662)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1963428
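
The two allocation strategies contrasted in the commit message above, as an added illustration that is not systemd's code: a reader that grows its buffer by doubling, next to one that allocates the full limit up front. It compares peak allocation only, not speed. The function names, macro names and the sample file are assumptions constructed for this example; only the 64M and 4M-1 values come from the message.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits named in the commit message; the macro names are hypothetical. */
#define READ_FULL_MAX    (64UL * 1024 * 1024)     /* 64M */
#define READ_VIRTUAL_MAX (4UL * 1024 * 1024 - 1)  /* 4M-1 */

/* Growing reader: the buffer doubles as data arrives, so memory use follows
 * the file size and not the limit. *peak gets the largest allocation made. */
int read_growing(FILE *f, size_t limit, char **ret, size_t *size, size_t *peak) {
    size_t cap = 4096, len = 0;
    char *buf = malloc(cap);

    if (!buf)
        return -ENOMEM;
    for (;;) {
        size_t want = cap - 1 - len, k = fread(buf + len, 1, want, f);

        len += k;
        if (len > limit) {  /* one byte past the limit is enough to refuse */
            free(buf);
            return -E2BIG;
        }
        if (k < want) {
            if (ferror(f)) {
                free(buf);
                return -EIO;
            }
            break;  /* EOF */
        }
        /* Never allocate more than limit + 1 data bytes plus the NUL. */
        cap = cap * 2 > limit + 2 ? limit + 2 : cap * 2;
        char *nbuf = realloc(buf, cap);
        if (!nbuf) {
            free(buf);
            return -ENOMEM;
        }
        buf = nbuf;
    }
    buf[len] = '\0';
    *ret = buf;
    *size = len;
    *peak = cap;
    return 0;
}

/* Ahead-of-time reader: allocates the whole limit before reading, so every
 * call costs limit + 2 bytes however small the file is. */
int read_preallocated(FILE *f, size_t limit, char **ret, size_t *size, size_t *peak) {
    size_t cap = limit + 2, len;
    char *buf = malloc(cap);

    if (!buf)
        return -ENOMEM;
    len = fread(buf, 1, cap - 1, f);
    if (ferror(f) || len > limit) {
        int r = ferror(f) ? -EIO : -E2BIG;
        free(buf);
        return r;
    }
    buf[len] = '\0';
    *ret = buf;
    *size = len;
    *peak = cap;
    return 0;
}

/* Constructed sample input: a temporary file holding n bytes of 'k'. */
FILE *sample_file(size_t n) {
    FILE *f = tmpfile();

    for (size_t i = 0; f && i < n; i++)
        fputc('k', f);
    if (f)
        rewind(f);
    return f;
}
```

With a 100000-byte file the growing reader peaks at 128 KiB under the 64M limit, while the preallocating reader takes the full 4M even under the smaller limit.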

4 years ago basic/unit-name: do not use strdupa() on a path v248.5
Zbigniew Jędrzejewski-Szmek [Wed, 23 Jun 2021 09:46:41 +0000 (11:46 +0200)]
basic/unit-name: do not use strdupa() on a path

The path may have unbounded length, for example through a fuse mount.

CVE-2021-33910: attacker-controlled alloca() leads to crash in systemd and
ultimately a kernel panic. Systemd parses the content of /proc/self/mountinfo
and each mountpoint is passed to mount_setup_unit(), which calls
unit_name_path_escape() underneath. A local attacker who is able to mount a
filesystem with a very long path can crash systemd and the whole system.

https://bugzilla.redhat.com/show_bug.cgi?id=1970887

The resulting string length is bounded by UNIT_NAME_MAX, which is 256. But we
can't easily check the length after simplification before doing the
simplification, which in turn uses a copy of the string we can write to.
So we can't reject paths that are too long before doing the duplication.
Hence the most obvious solution is to switch back to strdup(), as before
7410616cd9dbbec97cf98d75324da5cda2b2f7a2.

(cherry picked from commit 441e0115646d54f080e5c3bb0ba477c892861ab9)
(cherry picked from commit 764b74113e36ac5219a4b82a05f311b5a92136ce)
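
The fix described in the commit message above, as an added illustration that is not systemd's code: the path is copied to the heap with strdup(), simplified, and only then checked against UNIT_NAME_MAX, so stack usage no longer depends on the length of the mount path. The function names, the simplified escaping rules and the sample paths are assumptions constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup() */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define UNIT_NAME_MAX 256  /* bound stated in the commit message */

/* Simplified stand-in for path simplification: collapse runs of '/' and
 * drop a trailing '/', in place. This is why a writable copy is needed. */
static void simplify_path(char *p) {
    char *w = p;
    int prev_slash = 0;

    for (const char *r = p; *r; r++) {
        if (*r == '/' && prev_slash)
            continue;
        prev_slash = (*r == '/');
        *w++ = *r;
    }
    if (w - p > 1 && w[-1] == '/')
        w--;
    *w = '\0';
}

static int is_plain(unsigned char c) {
    return isalnum(c) || c == ':' || c == '_' || c == '.';
}

/* Hypothetical escape routine: '/' becomes '-', anything else outside the
 * plain set becomes \xXX. Returns 0 and a malloc()ed string in *ret, or a
 * negative errno value. */
int path_escape_heap(const char *path, char **ret) {
    static const char hex[] = "0123456789abcdef";
    const char *s;
    char *copy, *out, *w;
    size_t n = 0;

    /* Before the fix this copy was strdupa(path), i.e. alloca(strlen(path) + 1):
     * stack usage scaled with the caller-supplied length. strdup() returns
     * NULL when memory runs out instead. */
    copy = strdup(path);
    if (!copy)
        return -ENOMEM;
    simplify_path(copy);
    s = copy[0] == '/' ? copy + 1 : copy;

    /* The length check is only meaningful after simplification. */
    for (const char *c = s; *c; c++)
        n += (*c == '/' || is_plain((unsigned char) *c)) ? 1 : 4;
    if (n == 0)
        n = 1;  /* the root directory escapes to "-" */
    if (n >= UNIT_NAME_MAX) {
        free(copy);
        return -ENAMETOOLONG;
    }
    out = w = malloc(n + 1);
    if (!out) {
        free(copy);
        return -ENOMEM;
    }
    if (*s == '\0')
        *w++ = '-';
    for (const char *c = s; *c; c++) {
        unsigned char u = (unsigned char) *c;

        if (u == '/')
            *w++ = '-';
        else if (is_plain(u))
            *w++ = (char) u;
        else {
            *w++ = '\\'; *w++ = 'x';
            *w++ = hex[u >> 4]; *w++ = hex[u & 15];
        }
    }
    *w = '\0';
    free(copy);
    *ret = out;
    return 0;
}

/* Constructed sample input: `fill_len` copies of `fill` followed by `tail`. */
char *make_path(size_t fill_len, char fill, const char *tail) {
    char *p = malloc(fill_len + strlen(tail) + 1);

    if (!p)
        return NULL;
    memset(p, fill, fill_len);
    strcpy(p + fill_len, tail);
    return p;
}
```

An 8 MiB run of slashes followed by `mnt/data` simplifies to a short valid name, which is why the raw length cannot be used to reject the input before the copy is made.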

4 years ago Minor typo (#20254)
rene [Tue, 20 Jul 2021 05:45:04 +0000 (15:45 +1000)]
Minor typo (#20254)

Correct resoulution with resolution.

(cherry picked from commit b838bc11268ea461e8c58ce69e2f781be1821aa1)
(cherry picked from commit 5ea3ec8e18a2883c2ea89af9de48fc0fb0e3f283)

4 years ago shell-completion/zsh/_systemd-run: Fix completion of command names and arguments
duament [Sat, 17 Jul 2021 17:17:41 +0000 (01:17 +0800)]
shell-completion/zsh/_systemd-run: Fix completion of command names and arguments

(cherry picked from commit 3f49d1faf59acaa85aa5ad502c39b1a601d58d26)
(cherry picked from commit b511a441f3277750e68a14d8d7e6649c4f182b86)

4 years ago man/systemd.network: Fix duplicate Xfrm description
Raul Tambre [Wed, 14 Jul 2021 11:58:31 +0000 (14:58 +0300)]
man/systemd.network: Fix duplicate Xfrm description

It's already listed along with others (Tunnel, VLAN, etc.) and its description matches those. The duplication was introduced by commit c3006a485c9c35c0ab947479ff1dd7149fda9750.

(cherry picked from commit 534b5abce12847abc896fba24cafb99c101a2987)
(cherry picked from commit d4ce78bfa3d90cc4601d1cbb0b51af32fe8f4b2a)

4 years ago shared/format-table: allocate buffer of sufficient size
Zbigniew Jędrzejewski-Szmek [Mon, 5 Jul 2021 19:29:11 +0000 (21:29 +0200)]
shared/format-table: allocate buffer of sufficient size

(cherry picked from commit 6dc57047ff0f1f9e98938ffb172dae06e6868b94)
(cherry picked from commit e6407ca25852dadec355df2e6fdc92d1f189bceb)

4 years ago homed: allow systemd-homed access to FIDO2 devices
Gibeom Gwon [Mon, 12 Jul 2021 17:57:43 +0000 (02:57 +0900)]
homed: allow systemd-homed access to FIDO2 devices

Add DeviceAllow= option for FIDO2 devices in systemd-homed.service.

(cherry picked from commit 85e424c0c852fcb92d108494a6efa9dd0ce943b2)
(cherry picked from commit 727a03e4826efe1392b8a1899b220e7df7976990)

4 years ago systemctl: show error when help for unknown unit is requested
Zbigniew Jędrzejewski-Szmek [Mon, 12 Jul 2021 10:32:39 +0000 (12:32 +0200)]
systemctl: show error when help for unknown unit is requested

Fixes #20189. We would only log at debug level and return failure, which looks
like a noop for the user.

('help' accepts multiple arguments and will show multiple concatenated man
pages in that case. Actually, it will also show multiple concatenated man pages
if the Documentation= setting lists multiple pages. I don't think it's very
terribly useful, but, meh, I don't think we can do much better. If a user
requests help for two services, one known and one unknown, there'll now be
a line in the output. It's not very user friendly, but not exactly wrong too.)

(cherry picked from commit 75312ada5324d8adae3f3a0ed97f0acfc8b8bde5)
(cherry picked from commit 486412ad3bba4f1306597302cf66cc4858126243)

4 years ago Updated manpage for sd_bus_set_property
Ben Stockett [Fri, 9 Jul 2021 20:29:36 +0000 (20:29 +0000)]
Updated manpage for sd_bus_set_property

Updated manpage for sd_bus_set_property and sd_bus_set_propertyv. In the old manpage, these functions included the parameter sd_bus_message **reply when the actual function had no such argument.

(cherry picked from commit 4226dfafbac2167e1441a7a65d00c29c5016d4fb)
(cherry picked from commit 70a318d012d5900ad16685038a1e9a30e9a2a41d)

4 years ago Fixed typo (#20187)
nassir90 [Fri, 9 Jul 2021 20:16:02 +0000 (21:16 +0100)]
Fixed typo (#20187)

* Fixed typo

Before, the file claimed that some systemd units are created "from other
configuration". It should have read "from other configuration files".

Co-authored-by: Nozz <nozolo90@gmail.com>
(cherry picked from commit a814eae728a5e238e39d4a9d952ce8e309fa38fd)
(cherry picked from commit 5263490368b3f2c94935300bb5faa09cc04cb4cd)

4 years ago test: strip binaries by default
Frantisek Sumsal [Fri, 9 Jul 2021 12:59:11 +0000 (14:59 +0200)]
test: strip binaries by default

Since 23f8e01 we always kept binaries unstripped, since $STRIP_BINARIES
is unset by default.

(cherry picked from commit e68e473ba2d6383155c49337c3c5f2c0d3fb0b5f)
(cherry picked from commit b149c2c64a1093fd509a94d7a25f01b726798098)

4 years ago test: bump the test timeout to give ldconfig.service enough time to finish
Frantisek Sumsal [Fri, 9 Jul 2021 12:44:38 +0000 (14:44 +0200)]
test: bump the test timeout to give ldconfig.service enough time to finish

Sometimes the ldconfig.service might take a bit longer to finish,
causing spurious test timeouts:

```
[ 1025.858923] systemd[24]: ldconfig.service: Executing: /sbin/ldconfig -X
...
[ 1043.883620] systemd[1]: ldconfig.service: Main process exited, code=exited, status=0/SUCCESS (success)
...
Trying to halt container. Send SIGTERM again to trigger immediate
termination.
Container TEST-52-HONORFIRSTSHUTDOWN terminated by signal KILL.
E: Test timed out after 20s
```

(cherry picked from commit 7fb4ee7aa5b6ffdf2e1e8e50a18630aa30f16505)
(cherry picked from commit 610406767b8ddf23a27c919fe52922d35457e0d3)

4 years ago docs: improve wording when mentioning the acronym "ESP"
nl6720 [Fri, 9 Jul 2021 09:56:54 +0000 (12:56 +0300)]
docs: improve wording when mentioning the acronym "ESP"

"ESP" is "EFI system partition", so "ESP partition" is redundant.

(cherry picked from commit 250db1bf02b9fd73f2e0604acddbc20937c67d19)
(cherry picked from commit 6822cfa5f066fcbf79ded85419d59a97decc67b9)

4 years ago hwdb: update to state from v249 v248.4
Zbigniew Jędrzejewski-Szmek [Mon, 12 Jul 2021 11:38:53 +0000 (13:38 +0200)]
hwdb: update to state from v249

This updates various "upstream" hwdb entries. The two new files that
were added in v249, and the associated udev rules, are not included in
this.

4 years ago hwdb: allow parser to expect usage of slash sign in value of property
Takashi Sakamoto [Wed, 7 Apr 2021 02:49:22 +0000 (11:49 +0900)]
hwdb: allow parser to expect usage of slash sign in value of property

Although in IEEE 1394 unit function list I have a plan to use slash sign
in name of property, current implementation of parser doesn't allow it.
When parsing current entries in database excluded from parser testing, we
can find usage of slash sign in name of property.

This commit adds slash sign in allow list of the parser for my
convenience.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
(cherry picked from commit 5e939304f513ba57ce6595f36b7da641c62c60db)

4 years ago hostnamed: correct variable with errno in fallback_chassis
Jan Palus [Wed, 7 Jul 2021 22:23:21 +0000 (00:23 +0200)]
hostnamed: correct variable with errno in fallback_chassis

fixes assertion failure on arm:

systemd-hostnamed[642]: Assertion '(_error) != 0' failed at src/hostname/hostnamed.c:207, function fallback_chassis(). Aborting.

(cherry picked from commit 105a4245ff13d588e1e848e8ee3cffd6185bd0ae)

4 years ago meson: install the right README file in modprobe.d
Zbigniew Jędrzejewski-Szmek [Wed, 7 Jul 2021 10:39:33 +0000 (12:39 +0200)]
meson: install the right README file in modprobe.d

We put the "global" README file there. Introduced
in d83e90c73cf25a839f5e60f355baa0d38364ff41.

(cherry picked from commit 378e9d2b6d701a1385c4bf72dfc0697c2c37bd57)

4 years ago Clarify the behaviour of suspend-then-sleep mode in the manual pages.
Hamish Moffatt [Mon, 5 Jul 2021 09:06:15 +0000 (19:06 +1000)]
Clarify the behaviour of suspend-then-sleep mode in the manual pages.

Fixes #20125.

(cherry picked from commit 33f899bd479534b0a920ce427cdf06739028f5ab)

4 years ago NEWS: add old entry about Type=ether
Zbigniew Jędrzejewski-Szmek [Wed, 7 Jul 2021 07:26:12 +0000 (09:26 +0200)]
NEWS: add old entry about Type=ether

Apparently it's an important feature for some folks:
https://utcc.utoronto.ca/~cks/space/blog/linux/NetworkdMACMatchesWidely.
I think we considered this more of a bugfix, but it's somewhere on the border.
Let's add this so it's easier to discover.

(cherry picked from commit 88b2a95064675c5f86648053cf124265f5289095)

4 years ago oomd: don't collect candidate stats on every interval
Anita Zhang [Tue, 6 Jul 2021 09:46:13 +0000 (02:46 -0700)]
oomd: don't collect candidate stats on every interval

cb13961ada52c1b27f6d6c2c6e37a2901f01ed30 updated the oomd logic to
collect candidate data when a kill was about to happen. However there
was still a call left over in the main loop to collect candidate data on
every interval. Remove this since it's unneeded.

Fixes #20122

(cherry picked from commit d61ee727f037ab4e07af720ab34055e9cafe9cec)

4 years ago tmpfiles: fix borked assert
Zbigniew Jędrzejewski-Szmek [Tue, 6 Jul 2021 14:41:28 +0000 (16:41 +0200)]
tmpfiles: fix borked assert

It seems that fd_set_perms() is always called after checking that
fd >= 0 (also when called as action() in glob_item_recursively()),
so it seems that the assertion really came from fd==0.

Fixes #20140.

Also three other similar cases are updated.

(cherry picked from commit b4b0f87c6275dde32769c2e75231caa1d4c21f9b)

4 years ago man: correct return value of sd_bus_open_with_description
Luca Boccassi [Tue, 6 Jul 2021 11:55:30 +0000 (12:55 +0100)]
man: correct return value of sd_bus_open_with_description

Since https://github.com/systemd/systemd/commit/f4b2933ee7890e5d414ab266d8586f19027a2bd9
if a description is not set, sd_bus_open_with_description returns -ENXIO, but the
documentation stated that it returned successfully with a NULL string.

(cherry picked from commit 48e5ef14af5ade97b0f7491c63443778c7602c43)

4 years ago units: correct description of final.target
qhill [Fri, 2 Jul 2021 13:13:13 +0000 (14:13 +0100)]
units: correct description of final.target

This was updated incorrectly in https://github.com/systemd/systemd/pull/20058/commits/4fd3fc66396026f81fd5b27746f2faf8a9a7b9ee. As https://github.com/systemd/systemd/blob/main/man/systemd.special.xml describes, this unit is about shutdown rather than boot.

(cherry picked from commit f127fed75d3bae3a1eb0be6feea334bb8d1c3a43)

4 years ago coredumpctl: show --help text if "coredumpctl help" is called
Lennart Poettering [Fri, 2 Jul 2021 13:30:43 +0000 (15:30 +0200)]
coredumpctl: show --help text if "coredumpctl help" is called

Most of our programs that take "verbs" make the "help" verb either
equivalent to passing the --help switch (or at least print a message
redirecting the user to that switch). Do so in coredumpctl too, in order
to minimize surprises.

(cherry picked from commit 6d8be376e1682a79f0aecceb2136884c5b4327e2)

4 years ago udev: Fix by-uuid symlink for ubifs volumes
Trent Piepho [Thu, 1 Jul 2021 19:19:57 +0000 (12:19 -0700)]
udev: Fix by-uuid symlink for ubifs volumes

ubifs volumes have a UUID and the built-in blkid is able to determine
it.  The disk/by-uuid symlink isn't created because ubifs volumes are
not on block devices but on SUBSYSTEM="ubi" devices.  See #20071.

Allow ubi subsystem devices to be processed by the persistent storage
rules too.  The kernel device name matching already allows ubi* to pass.
The existing rules are sufficient to create the link.

The links look like other by-uuid symlinks, for example:
/dev/disk/by-uuid/9a136158-585b-4ba4-9b70-cbaf2cf78a1c -> ../../ubi0_1

(cherry picked from commit 21ac7884e9c1684d091d893254bcbe4b83740e9f)