systemctl: refuse --capsule=foo with --system

Fixes the following assertion:
===
systemctl --capsule=hoge --system reboot
Assertion 'runtime_scope == RUNTIME_SCOPE_USER' failed at src/shared/bus-util.c:479, function bus_connect_transport(). Aborting.
Aborted (core dumped)
===

Follow-up for 56cb74c3cd1358d7d0b3f613feaf2eeab601a6bd.

base-filesystem: do not attempt to create a /lib64 -> /usr/lib/<tuple> symlink

In multi-arch distributions (debian and derivatives) multiarch tuples under
/usr/lib are used, such as /usr/lib/x86_64-linux-gnu/ but the /lib64 symlink
should never point there, it should always point to /usr/lib64, as that's
how they are set up by distribution-specific tools.

https://packages.debian.org/bookworm/amd64/libc6-i386/filelist
https://packages.debian.org/bookworm/mipsel/libc6-mips64/filelist
https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L295
https://salsa.debian.org/md/usrmerge/-/blob/master/convert-usrmerge?ref_type=heads#L517
http://bugs.debian.org/1076491

Fixes https://github.com/systemd/systemd/issues/33919

meson: Use -fstrict-flex-arrays=3

Let's explicitly pass the value to -fstrict-flex-arrays. This does
not change behavior but it does (selfishly) make my error not bug
out with an error saying -fstrict-flex-arrays does not exist.

hwdb: fix auto rotate on Asus Q551LB (#33921)

core/service: drop redundant flush_n_restarts indicator

Now that we track auto-restarts with a dedicated state,
there's no need for a separate variable for this.

I also took the chance to reorder some struct members.

Merge pull request #33925 from YHNdnzj/exec-serialize-path-escape

core/execute-serialize: two fixes

core/execute-serialize: use serialize_item_escaped() for external paths

Otherwise, read_stripped_line() would spuriously drop trailing spaces.

Fixes #33924

core/execute-serialize: drop extraneous '=' in ip-{in,e}gress serialization

core/service: actually allow to "hurry up" auto restarts

unit_start() advertises that start requests don't get suppressed,
so that it could be used to manually speed up auto restarts.
However, service_start() so far rejected this, stating that
clients should issue restart request in order to trigger
BindsTo=/OnFailure=.

That seems to be a red herring though, because for a long time
the service states between auto-restarts were buggy (#27594).
With the introduction of RestartMode=direct, the behavior
is sane again and customizable, hence I see no reason to refuse
this anymore. Whether those deps are triggered solely depends
on RestartMode= now.

Plus, filter out some intermediate states that should never
be seen in service_start().

Fixes #33890

Merge pull request #33916 from yuwata/import-creds-follow-ups

core: several follow-ups for ImportCreds=

core: refuse credentials with invalid names matching with glob

Even if the glob pattern is valid, the pattern may match credentials
with invalid names. So, we need to check the names of the found
credentials.

Follow-up for 947c4d3952e30604b97f657dca08f93a0a8f4bae.

test: a credential can be imported multiple times with different names

This is supported since 831f208783aeac443e6f2fc2efc3119535a032ef.
Let's explicitly test the functionality.

core: make ImportCredentialEx= DBus property support without renaming

Note that the conf parser for ImportCredential= checks in the same way.

Follow-up for 831f208783aeac443e6f2fc2efc3119535a032ef.

creds-util: fix typo

Follow-up for 947c4d3952e30604b97f657dca08f93a0a8f4bae.

Merge pull request #33911 from YHNdnzj/cgroup-setup-cleanup

cgroup-setup/util: several cleanups; make use of cgroup.kill on client request

man/net-naming-scheme: mention that NAMING_BRIDGE_MULTIFUNCTION_SLOT is reverted

Follow-up for af7417ac7b07bc01232982bf46e9d72e69e7f820.
Closes #33596.

man: extend explanation for ConfigureWithoutCarrier= in systemd.network(5)

Prompted by #33702.

vmspawn: fix typo

Follow-up for 862c68a914ab4561d83875e58e05dcf65cb4a551.

ukify: fix typo

Follow-up for 987f4bce938e790622a4b4b89d37daa7adfdc141.

udevadm: fix typo

Follow-up for 0e789e6d48046d43c50dd949a71ac56f1127bb96.

import: fix typo

Follow-up for 17a6043a145f19f4f5b020fa4bb9c82c1ce160e7.

login: fix typo

Follow-up for 0e10c3d8724b0a5d07871c9de71565ac91dd55b7.

core/execute: fix typo

Follow-up for 628c214656fada4228b62b1546220ac781002897.

boot: fix typo

Follow-up for dcac1e4a9ba231d8e88d36dbecf3d8b6c9b07cb2.

cgroup-util: fix typo

Follow-up for 0fbb569de1dcc06118dba006cf7a40caf6cd94d0.

mkosi: fix typo

Follow-up for 7205fc7dc31eb2be3075ee6ba23ebe84324aa5cb.

man: fix typo

Follow-up for 7102dc52e6b03248da1f01b3a8a4b83c6d7a1316 and 3d689b675b565c29a51c7127ae30839987aaa18b.

man/net-naming-scheme: add missing period

Follow-up for 0a4ecc54cb9f2d3418b970c51bfadb69c34ae9eb.

Merge pull request #33913 from berrange/cvm-s390x

Add detection of confidential virtualization on s390x architcture

advanced-issue-labeler: use correct label for env-generator

man/systemd-detect-virt: list known CVM technologies

Add a section which lists the known confidential virtual machine
technologies.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

man/systemd-detect-virt: fix row spanning for VM header

This fixes

  commit 9b0688f491674b53ef7a52bdf561a430c53673d6
  Author: Yu Watanabe <watanabe.yu+github@gmail.com>
  Date:   Tue Jan 9 10:52:49 2024 +0900

    virt: add Google Compute Engine support

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

confidential-virt: add detection for s390x target

The s390x platform provides confidential VMs using the "Secure Execution"
technology, which is also referred to as "Protected Virtualization" or
just "prot virt" in Linux / QEMU.

This can be detected through a simple sysfs attribute.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

Added support for L2 BridgeMDB entries (#32894)

* Added support for L2 BridgeMDB entries

confidential-virt: split caching of CVM detection into separate method

We have different impls of detect_confidential_virtualization per
architecture. The detection is cached in the x86_64 impl, and as we
add support for more targets, we want to use caching for all. It thus
makes sense to split caching out into an architecture independent
method.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

test: don't use /skipped for subtests

Since, at least the old framework, checks for the presence of the file
at the end and marks the whole test as skipped if it exists.

Resolves: systemd/systemd-centos-ci#728

core/unit: utilize cgroup.kill on client request + SIGKILL

cgroup-util: clean up cg_kill() and friends, completely split out cg_kill_kernel_sigkill()

cg_kill_kernel_sigkill() has a narrow use case, and currently
no code really reaches that branch. Let's detach it from
cg_kill_recursive() hence, and call it explicitly later
where appropriate.

core/unit: modernize log_kill() too

core/unit: unexport cg_kill log funcs, rather take in bool

It seems unnecessary to duplicate the func ptrs everywhere.

cgroup-util: drop unused cg_rmdir()

When removing a cgroup, we always want to eliminate subcgroups
first, i.e. use cg_trim(). And cg_rmdir() (along with
CGROUP_REMOVE flag) is simply unused. Kill it.

cgroup-util: refactor cg_{ns,freezer,kill}_supported

cgroup-setup: kernel threads can reside in arbitrary cgroups

Realistically this doesn't matter, as cg_migrate() is only
used to populate init.scope. But it's probably better to
make things clear.

cgroup-setup: drop unneeded O_RDONLY when O_DIRECTORY

cgroup-setup: use fchownat() + AT_EMPTY_PATH where appropriate

This already existed long before our kernel baseline.
While at it, switch to RET_GATHER().

cgroup-setup: minor cleanups

cgroup-setup: move cg_{,un}install_release_agent from cgroup-util

They're pid1-specific, so move them out of basic/.

cgroup-setup: group v1-specific functions

cgroup-setup: drop unused cg_migrate_callback for cg_attach_everywhere()

While at it, move the typedef from cgroup-util to -setup.

localectl: introduce -l/--full option

Closes #33906.

Merge pull request #33032 from yuwata/sd-device-monitor-low-level-api

sd-device-monitor: expose low-level functions

Merge pull request #33876 from dbnicholson/firstboot-root-creds-only

firstboot: fix root params with creds and prompting disabled

resolved: don't treat conn reset as packet loss

tcp reset / icmp port-unreachable are markedly different conditions than
packet loss. It doesn't make much sense to retry in this case. It's
actually not clear if there is any benefit at all retrying tcp
connections, which were presumably already retried as necessary by the
tcp stack.

test: add test case for restarting device monitor

sd-device-monitor: rename device_monitor_send_device() -> device_monitor_send()

sd-device-monitor: expose low-level functions

To make it work without sd-event.

Prompted by recent chat:
> Hey all!
> reading man libudev, it says to use sd-device instead now. I've read that
> APIs header file and it seems it no longer has an equivalent to libudev's
> udev_monitor_get_fd, which AFAICT means I have to use sd-event to watch
> for events I'm interested in. I know I can "embed" sd-event in other event
> loops I might already have, but that seems overkill when I'm only interested
> in this one type of event and don't need sd-event for anything else.

sd-device-monitor: make device_monitor_receive_device() always initialize ret on success

sd-device-monitor: remove device_monitor_disconnect()

It is not necessary to be exposed anymore.

udev: manage only socket address of device monitor

Previously, the main process of systemd-udevd manages worker process
with their sd_device_monitor object to save the destination address.
Let's save only destination address, and drop worker's sd_device_monitor
object.

sd-device-monitor: introduce device_monitor_get_address()

Currently it is used internally, but will be used later at other places.

sd-device: allow to restart device monitor

Previously, sd_device_monitor_stop() closes socket, hence we cannot
restart monitoring unless recreating sd_device_monitor object.
Let's allow to restart monitor by sd_device_monitor_start().

sd-device-monitor: introduce sd_device_monitor_is_running()

sd-device-monitor: bind socket in device_monitor_new_full()

Previously, device_monitor_enable_receiving() does
- update filter,
- bind socket.

But, binding socket can be done in when the socket is opened.
Let's remove device_monitor_enable_receiving() and bind the socket in
device_monitor_new_full().

sd-device-monitor: replace -1 with -EBADF

test: modernize test-sd-device-monitor.c

socket-util: introduce netlink_socket_get_multicast_groups()

No functional change. Preparation for later commits.

Merge pull request #33904 from bluca/os_release_type

os-release: change RELEASE_TYPE value from 'pre-release' to 'development' and break into paragraphs

os-release: break RELEASE_TYPE into paragraphs and clarify about rolling stable releases

Arch and Tumbleweed do not do EOLs but are still stable, so clarify the paragraph.
Also break the entry in paragraphs, to make it more readable when rendered.

os-release: change RELEASE_TYPE value from 'pre-release' to 'development'

The point was made on https://lists.debian.org/debian-ctte/2024/08/msg00005.html
that 'pre-release sounds' like an RC candidate, ie, something that will change
very slightly in the released version. But this is not necessarily the case
for example at the beginnig of a Fedora Rawhide or Debian Testing release cycle,
so change it to a more generic 'development'

Follow-up for 7102dc52e6b03248da1f01b3a8a4b83c6d7a1316

Merge pull request #33893 from yuwata/coverity

tree-wide: resolve several issues found by coverity

Merge pull request #32988 from AdrianVovk/os-release-prerelease

os-release: Add RELEASE_TYPE=

os-release: Introduce experiment RELEASE_TYPE

This is for experimental builds of the OS made to test some specific WIP
feature.

For example, let's say the distro in question is Asahi Linux and Apple
just released the M3 SoC. The Asahi developers will start porting to the
M3, and will quickly generate builds of Asahi Linux that can technically
boot but aren't ready for any kind of daily use. These images are marked
as experimental, and can be shared among the developers. If a user
somehow stumbles upon one of these images and tries to install it,
they'll be warned that they're about to install an experimental Apple M3
port of Asahi Linux. Eventually, once the Asahi developers think that
their M3 port is ready for a wider audience, they can merge it into the
mainline Asahi repos, where it will be distributed through the usual
nightly CI builds (where RELEASE_TYPE=pre-release; M3 support is no
longer experimental).

os-release: Add RELEASE_TYPE=

This will allow GUIs to customize their behavior a little based on the
type of release.

For example, an OS installer may display a warning/disclaimer if
RELEASE_TYPE=prerelease. The software updates app might be a bit more
insistent about upgrading to the next major release if
RELEASE_TYPE=stable than if RELEASE_TYPE=lts

import: check overflow

Fixes CID#1548022 and CID#1548075.

test: use ASSERT_OK_ERRNO() for setenv() and unsetenv()

test: resolve "Unchecked return value" coverity warning

Follow-up for c8210d98a4b64af6fadb1cb765c0451758af1303.
Fixes CID#1548920.

vmspawn: check overflow earlier

Follow-up for 862c68a914ab4561d83875e58e05dcf65cb4a551.
Fixes CID#1550749.

test: resolve "Unchecked return value" coverity warning

Follow-up for 5fef5552a658130f00dc97d0a1003a6a49f3ca96.
Fixes CID#1558540.

test: resolve "Unchecked return value" coverity warning

Follow-up for 8c57700b6b61318594aaa757dff5e34219c0281d.
Fixes CID#1558539.

test: attempt to install sshd-session from multiple places

On Fedora the sshd-session binary is under /usr/libexec/openssh/ so
cover this path as well in the old framework.

Follow-up for aaa7b36bd15ca3a96a1e11a557482b0bc59c769f.

build(deps): bump github/codeql-action from 3.25.11 to 3.25.15

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.15.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/b611370bb5703a7efb587f9d136a52ea24c5c38c...afb54ba388a7dca6ecae48f608c4ff05ff4cc77a)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump meson from 1.4.1 to 1.5.1 in /.github/workflows

Bumps [meson](https://github.com/mesonbuild/meson) from 1.4.1 to 1.5.1.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/1.4.1...1.5.1)

---
updated-dependencies:
- dependency-name: meson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump systemd/mkosi

Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 4eba736412c702bbbe2c6d4a58a92fa977219249 to 63fc1fde5b1aac1abf07ac499068c2b62263dafb.
- [Release notes](https://github.com/systemd/mkosi/releases)
- [Changelog](https://github.com/systemd/mkosi/blob/main/NEWS.md)
- [Commits](https://github.com/systemd/mkosi/compare/4eba736412c702bbbe2c6d4a58a92fa977219249...63fc1fde5b1aac1abf07ac499068c2b62263dafb)

---
updated-dependencies:
- dependency-name: systemd/mkosi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump redhat-plumbers-in-action/differential-shellcheck

Bumps [redhat-plumbers-in-action/differential-shellcheck](https://github.com/redhat-plumbers-in-action/differential-shellcheck) from 5.3.0 to 5.4.0.
- [Release notes](https://github.com/redhat-plumbers-in-action/differential-shellcheck/releases)
- [Changelog](https://github.com/redhat-plumbers-in-action/differential-shellcheck/blob/main/docs/CHANGELOG.md)
- [Commits](https://github.com/redhat-plumbers-in-action/differential-shellcheck/compare/60c9f2b924a9c5a2ddbb25e7b23e8e11b56faab9...cc6721c45a8800cc666de45493545a07a638d121)

---
updated-dependencies:
- dependency-name: redhat-plumbers-in-action/differential-shellcheck
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

build(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0.
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](https://github.com/ossf/scorecard-action/compare/dc50aa9510b46c811795eb24b2f1ba02a914e534...62b2cac7ed8198b15735ed49ab1e5cf35480ba46)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

journalctl: fix compile error on i386

Fixes the following error:
===
In file included from ../src/basic/macro.h:13,
                 from ../src/basic/dirent-util.h:8,
                 from ../src/journal/journalctl-misc.c:3:
../src/journal/journalctl-misc.c: In function 'show_log_ids':
../src/journal/journalctl-misc.c:107:22: error: comparison is always true due to limited range of data type [-Werror=type-limits]
  107 |         assert(n_ids < INT64_MAX);
      |                      ^
../src/fundamental/macro-fundamental.h:70:44: note: in definition of macro '_unlikely_'
   70 | #define _unlikely_(x) (__builtin_expect(!!(x), 0))
      |                                            ^
../src/basic/macro.h:165:22: note: in expansion of macro 'assert_message_se'
  165 | #define assert(expr) assert_message_se(expr, #expr)
      |                      ^~~~~~~~~~~~~~~~~
../src/journal/journalctl-misc.c:107:9: note: in expansion of macro 'assert'
  107 |         assert(n_ids < INT64_MAX);
      |         ^~~~~~
cc1: all warnings being treated as errors
===

Follow-up for 0a8c1f6212a874b542a57ed5416e7d3575d2da93.

Merge pull request #33888 from YHNdnzj/followups

core: a few follow-ups for recent PRs

Merge pull request #32448 from yuwata/journalctl-current-invocation

journalctl: introduce --list-invocations, -I, --invocation= options

test: add test for journalctl --list-invocations and --invocation=

journalctl: add --list-invocations command and -I/--invocation options

The --list-invocations command is similar to --list-boots, but shows
invocation IDs of specified unit. This should be useful when showing
a specific invocation of a unit.

The --invocation option is similar to --boot, but takes a invocation ID
or an offset. The -I option is equivalent to --invocation=0.

logs-show: extend journal_get_boots() and friends to find invocation IDs

Currently the extended features are not used, but will be used later.

logs-show: introduce several helper functions

Currently these are not used, but will be used later.

use int64_t for index in show_log_ids()

journalctl: split out show_log_ids() from action_list_boots()

No functional change, just refactoring and prepraration for later change.

journalctl: update log messages

logs-show: rename BootId -> LogId

The struct itself is generic, and can be used for other ID.
Let's rename it to more generic one.
No functional change, just refactoring and preparation for later
commits.

core/socket: stop hardcoding every service inactive state

History (c068650fcfc69aebb35be1c71f35dbc25b22030a,
941a12dcba57f6673230a9c413738c51374d2998) has proven
that we're not good at keeping socket and service states
in sync. Instead, let's query the high-level unit_active_state()
first, and only hardcode the two special auto-restart
service states.

Additionally, allow returning to listening state on SERVICE_CLEANING.

core/cgroup: use UNIT_IS_INACTIVE_OR_FAILED where appropriate

core/unit: merge use of LOG_CONTEXT_SET_LOG_LEVEL into LOG_CONTEXT_PUSH_UNIT

No functional change, since LOG_CONTEXT_PUSH_UNIT is only used
in exec_spawn().

core: clean up ambient capability logging

Follow-up for e0ebc81b2d194206c519375394bd67baa19e67ce