git-history.diyao.me Git - systemd/.git/log

meson: don't fail if latest tag's commit is signed

Today this is v248 with 938bdfc0fa737d86eb3ecc70506e11e5f740e0dc, which,
if you don't know about the github webflow key fails to configure with
meson.build:724:8: ERROR: String "gpg: Signature made Tue 30 Mar 2021 22:59:02 CEST\ngpg: using RSA key 4AEE18F83AFDEB23\ngpg: Can't check signature: No public key\n1617137942\n" cannot be converted to int
or, if you do, with
meson.build:724:8: ERROR: String 'gpg: Signature made Tue 30 Mar 2021 22:59:02 CEST\ngpg: using RSA key 4AEE18F83AFDEB23\ngpg: Good signature from "GitHub (web-flow commit signing) <noreply@github.com>" [unknown]\ngpg: WARNING: This key is not certified with a trusted signature!\ngpg: There is no indication that the signature belongs to the owner.\nPrimary key fingerprint: 5DE3 E050 9C47 EA3C F04A 42D3 4AEE 18F8 3AFD EB23\n1617137942\n' cannot be converted to int

(cherry picked from commit 2d945027244c02fab8d388353f034a2d82ca151b)
(cherry picked from commit 964a13d17be3426ecf539a5155e2cb8b4c16fb31)

network: can: do not warn if link does not exist anymore

(cherry picked from commit ed52cce33f588bbeb3d7f5d7f5e76a85cf6e4f89)
(cherry picked from commit 8b881617609e530b846faa27a32db070536fb0d4)

network: drop duplicated link_up_can()

(cherry picked from commit f282ce20aaa767f5395b065f2be587cdef3e5491)
(cherry picked from commit 179a92c9d8b2df688764095ce1d242de20ee72fa)

sd-bus: fix vtable named argument logic

Fixes #19468.

(cherry picked from commit c068a17f6a18d3ebfabe88fc49e24a923d0bdd0a)
(cherry picked from commit 618b8bfa38873a45704753b882ada90c0f3492c5)

Clarify that these values are in bytes

Similar to `ProcessSizeMax`. The defaults in percentages can be misunderstood to mean the values for these parameters will be in percentages.

(cherry picked from commit 88c2c8a0ba13de31061a22a352410c18ffacab9a)
(cherry picked from commit a9ab73ca9f79d0830e71716359a9710fc165ccca)

man: importd also provides the option of import-fs for machinectl (#19477)

(cherry picked from commit 96ae72ce1ad41674078e45b197df35ad18041dc2)
(cherry picked from commit 59cde3bba171abfefd8bf25e4ed07d43700c5e84)

systemd-coredump: Add conflict with shutdown.target

Otherwise a coredump started at the inconvinient moment can stop
shutdown.target leaving the system in a halfway-down state:

Pulling in shutdown.target/start from systemd-poweroff.service/start
Added job shutdown.target/start to transaction.
...
Keeping job shutdown.target/start because of systemd-poweroff.service/start
...
[ OK ] Stopped target Remote File Systems.
shutdown.target: starting held back, waiting for: systemd-networkd.socket
sysinit.target: stopping held back, waiting for: remount_tmp.service
systemd-coredump.socket: Incoming traffic
...
systemd-coredump@0-243-0.service: Trying to enqueue job systemd-coredump@0-243-0.service/start/replace
Added job systemd-coredump@0-243-0.service/start to transaction.
Pulling in systemd-journald.socket/start from systemd-coredump@0-243-0.service/start
Added job systemd-journald.socket/start to transaction.
Pulling in system.slice/start from systemd-journald.socket/start
Added job system.slice/start to transaction.
Pulling in -.slice/start from system.slice/start
Added job -.slice/start to transaction.
Pulling in system-systemd\x2dcoredump.slice/start from systemd-coredump@0-243-0.service/start
Added job system-systemd\x2dcoredump.slice/start to transaction.
Pulling in system.slice/start from system-systemd\x2dcoredump.slice/start
Pulling in shutdown.target/stop from system-systemd\x2dcoredump.slice/start
Added job shutdown.target/stop to transaction.
...
Keeping job systemd-poweroff.service/stop because of umount.target/stop
Keeping job shutdown.target/stop because of systemd-coredump@0-243-0.service/start

(cherry picked from commit 4e947bd04944e58df4103eee4cb8180b5008f143)
(cherry picked from commit e11d3ec13c1ee7af65893e94d09d8b3b66cd99c9)

network: dhcp4: downgrade log level when interface is removed

(cherry picked from commit e558d4f47a9c01b007fc193cabcf0dea8370a5f1)
(cherry picked from commit 0881deb1951a55701cf6ea743132458459e3a650)

set boot time from monotonic time (#19444)

utmp: calculate boot timestamp from monotonic timestamp instead of realtime timestamp
(cherry picked from commit f813b62316395205f4c744cde43885081b5f88ae)
(cherry picked from commit 05a09679982a8062e934a3590fc1c62798dbb82f)

network: ndisc: fix ipv6 route preference for routes with Gateway=_ipv6ra

(cherry picked from commit 086a351ad9c39f49d050822b28e22aa461edec29)
(cherry picked from commit 4f475a445a87cd5d53b85fac0bb3bad9fcbd6315)

network: neighbor: downgrade log level

As commented in the code, kernel sends messages about neighbors after
a link is removed.

(cherry picked from commit 27a213392f642fdd2a9dbce914bbfda9a72aafc1)
(cherry picked from commit beaae1f8d1d958e95117550604aa6462d1a636b8)

network: link: downgrade log level

The error is harmless, and will be ignored. Let's downgrade log level.

(cherry picked from commit 83e7c37b19bd36c78b235ac3047b758fcf82ad78)
(cherry picked from commit 1db3be80337b79e3b9afda9d50c61e6aed5aff28)

selinux: do not crash if policy becomes unavailable after reload

https://bugzilla.redhat.com/show_bug.cgi?id=1944171
This was in F33, systemd-246.13, but the logic in the code didn't change.

Thread 1 (Thread 0x7fb5f0341b80 (LWP 1974)):
№0  selabel_lookup_common (rec=0x0, translating=0, key=0x55f616ac4750 "/run/user/1000/systemd/units/invocation:systemd-tmpfiles-clean.service", type=40960) at label.c:167

'rec' is the handle that we passed.

№1  0x00007fb5f13ae87f in selabel_lookup_raw (rec=<optimized out>, con=con@entry=0x7fffef307380, key=key@entry=0x55f616ac4750 "/run/user/1000/systemd/units/invocation:systemd-tmpfiles-clean.service", type=type@entry=40960) at label.c:256
        lr = <optimized out>

'rec' is passed through as is to selabel_lookup_common().

№2  0x00007fb5f1561b2d in selinux_create_file_prepare_abspath (abspath=0x55f616ac4750 "/run/user/1000/systemd/units/invocation:systemd-tmpfiles-clean.service", mode=40960) at ../src/basic/selinux-util.c:368
        filecon = 0x0
        r = <optimized out>
        __PRETTY_FUNCTION__ = "selinux_create_file_prepare_abspath"
        __func__ = "selinux_create_file_prepare_abspath"

№3  0x00007fb5f1561ec3 in mac_selinux_create_file_prepare (path=<optimized out>, mode=40960) at ../src/basic/selinux-util.c:431
        r = 0
        abspath = 0x55f616ac4750 "/run/user/1000/systemd/units/invocation:systemd-tmpfiles-clean.service"
        __PRETTY_FUNCTION__ = "mac_selinux_create_file_prepare"

We checked label_hnd != NULL, but then we apparently called
avc_netlink_check_nb(), which reset label_hnd. Yay for global state!

№4  0x00007fb5f1549950 in symlink_atomic_label (from=0x55f6169d8b50 "69a8dcf7a7ac46b29306f2fddbed3edc", to=0x55f616ab8380 "/run/user/1000/systemd/units/invocation:systemd-tmpfiles-clean.service") at ../src/basic/label.c:55
        r = <optimized out>
        __PRETTY_FUNCTION__ = "symlink_atomic_label"

In the logs:

Mar 29 14:48:44 fedorapad.home systemd[1974]: selinux: avc:  received policyload notice (seqno=2)
Mar 29 14:48:44 fedorapad.home systemd[1974]: Failed to initialize SELinux labeling handle: No such file or directory
Mar 29 14:48:44 fedorapad.home systemd[1974]: selinux: avc:  received policyload notice (seqno=3)
Mar 29 14:48:44 fedorapad.home systemd[1974]: selinux: avc:  received setenforce notice (enforcing=0)

(cherry picked from commit 7960ba96d165169999b6ee434a90faadb144ea5e)

network: neighbor: Always add neighbors with replace

We were duplicating setting flags for the message and a combination of
NLM_F_APPEND and NLM_F_CREATE which does not make sense. We should have
been using NLM_F_REPLACE and NLM_F_CREATE since the kernel can
dynamically create neighbors prior to us adding an entry. Otherwise, we
can end up with cases where the message will time out after ~25s even
though the neighbor still gets added. This delays the rest of the setup
of the interface even though the error is ultimately ignored.

(cherry picked from commit 192a9d95ea3e058afd824d38a9cea16ad0a84a57)

kernel-insteall: do not remove the first slash in $ENTRY_DIR

Follow-up for cd0d230e7bf87f979722de7e364619dfa71bd6a2.

Fixes #19456.

(cherry picked from commit 2ff739a6ac4adb44f7ea0f534087ee7276302eee)

boot: Move console declarations to missing_efi.h

These were added to eficonex.h in gnu-efi 3.0.13. Let's move them
to missing_efi.h behind an appropriate guard to fix the build with
recent versions of gnu-efi.

(cherry picked from commit 95ba433a5f34baf92921fb58051bc8241f908c0e)

LoadCredentials: do not assert on invalid syntax

LoadCredentials=foo causes an assertion to be triggered, as we
are not checking that the rvalue's right hand side part is non-empty
before using it in unit_full_printf.

Fixes #19178

# printf [Service]nLoadCredential=passwd.hashed-password.rootn > hello.service
# systemd-analyze verify ./hello.service
...
Assertion 'format' failed at src/core/unit-printf.c:232, function unit_full_printf(). Aborting.
Aborted (core dumped)

process-util: don't allocate max length to read /proc/PID/cmdline

Alternative title: Replace get_process_cmdline()'s fopen()/fread() with
read_full_virtual_file().

When RLIMIT_STACK is set to infinity:infinity, _SC_ARG_MAX will
return 4611686018427387903 (depending on the system, but definitely
something larger than most systems have). It's impractical to allocate this
in one go when most cmdlines are much shorter than that.

Instead use read_full_virtual_file() which seems to increase the buffer
depending on the size of the contents.

(cherry picked from commit 7b7a060e83d6c7de8705904d71978ba4664f0a65)

pid1: do not use generated strings as format strings (#19098)

The generated string may include %, which will confuse both the
xprintf call, and the VA_FORMAT_ADVANCE macro.

Pass the generated string as an argument to a "%s" format string
instead.

(cherry picked from commit 7325a2b2d15af09a9389723d6153050130c0bd36)

network: fix ipv6 tunnel encapsulation limit (#19087)

The encapsulation limit of IPv6 tunnel can not be set to 4, which is the default value of the encapsulation limit.

(cherry picked from commit 6b1ed5e7e68fc5992a7bdabe4a05a7a3e1e1d898)

blockdev-util: actually specify an access mode on open()

Linux is pretty lenient here, but we should specify the access mode.

(cherry picked from commit 86b86107942e84de4eb22944251694c0ae21b3ee)

Revert "resolved: gracefully handle with packets with too large RR count"

This reverts commit fdfffdaf20a18a50c9a6d858359cf4af6d2f4c8b.

There are multiple reports that this breaks lookups for people, and reverting
this commit, even on the main branch (approx. v248-rc4), fixes the issue.

https://github.com/systemd/systemd/issues/18917#issuecomment-799421587
https://bodhi.fedoraproject.org/updates/FEDORA-2021-1c1a870ceb

man: document differences in clean exit status for Type=oneshot

See commit 1f0958f640b87175cd547c1e69084cfe54a22e9d .

(cherry picked from commit f055cf77862bc580f3afbfaac161d1c060f39411)

shared/calendarspec: when mktime() moves us backwards, jump forward

When trying to calculate the next firing of 'Sun *-*-* 01:00:00', we'd fall
into an infinite loop, because mktime() moves us "backwards":

Before this patch:
tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00
tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00
tm_within_bounds: good=0 2021-03-29 01:00:00 → 2021-03-29 00:00:00
...

We rely on mktime() normalizing the time. The man page does not say that it'll
move the time forward, but our algorithm relies on this. So let's catch this
case explicitly.

With this patch:
$ TZ=Europe/Dublin faketime 2021-03-21 build/systemd-analyze calendar --iterations=5 'Sun *-*-* 01:00:00'
Normalized form: Sun *-*-* 01:00:00
    Next elapse: Sun 2021-03-21 01:00:00 GMT
       (in UTC): Sun 2021-03-21 01:00:00 UTC
       From now: 59min left
       Iter. #2: Sun 2021-04-04 01:00:00 IST
       (in UTC): Sun 2021-04-04 00:00:00 UTC
       From now: 1 weeks 6 days left           <---- note the 2 week jump here
       Iter. #3: Sun 2021-04-11 01:00:00 IST
       (in UTC): Sun 2021-04-11 00:00:00 UTC
       From now: 2 weeks 6 days left
       Iter. #4: Sun 2021-04-18 01:00:00 IST
       (in UTC): Sun 2021-04-18 00:00:00 UTC
       From now: 3 weeks 6 days left
       Iter. #5: Sun 2021-04-25 01:00:00 IST
       (in UTC): Sun 2021-04-25 00:00:00 UTC
       From now: 1 months 4 days left

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1941335.

(cherry picked from commit 129cb6e249bef30dc33e08f98f0b27a6de976f6f)

shared/calendarspec: abort calculation after 1000 iterations

We have a bug where we seem to enter an infinite loop when running in the
Europe/Dublin timezone. The timezone is "special" because it has negative SAVE
values. The handling of this should obviously be fixed, but let's use a
belt-and-suspenders approach, and gracefully fail if we fail to find an answer
within a specific number of attempts. The code in this function is rather
complex, and it's hard to rule out another bug in the future.

(cherry picked from commit 169615c9a8cdc54d748d4dfc8279be9b3c2bec44)

resolved: propagate correct error variable

(cherry picked from commit 4cba52cc7a2191d0b38e605801c60d8648bc67e2)

log: protect errno in log_open()

Commit 0b1f3c768ce1bd1490a5e53f539976dcef8ca765 has introduced log_open()
calls after exec fails post-fork. However, the log_open() call itself could
change the value of errno, which, for me, manifested in:

$ coredumpctl gdb
...
Failed to invoke gdb: Success

Fix this by using PROTECT_ERRNO in log_open().

(cherry picked from commit 0e557eef37c9ebcc8f5c19fc6fc44b6fd617cc5d)

shell-completion: systemd-run: add missing options

Closes #19044.

(cherry picked from commit c23bb96b388f371e44c4f1756801dec2b4e72307)

logs-show: add missing newline in warning message

(cherry picked from commit 17e90001643d07a7353ba88417e12be2ff0fa042)

blockdev-util: fix access to possibly invalidated dirent struct

Let's copy out the string we need from the dirent, there's no reason to
believe the dirent struct might live for longer than one loop iteration.

(cherry picked from commit c68fc3514ddd53abd7ecfd22afb07aa0ad785c5c)

repart: make sure to grow partition table after growing backing loopback file

This fixes the --size= switch, i.e. where we grow a disk image: after
growing it we need to expand the partition table so that its idea of the
the medium size matches the new reality. Otherwise our disk size
calculations in the subsequent steps might still use the original
ungrown size.

(This used to work, I guess this was borked when libfdisk learnt the
concept of "minimized" partition tables)

(cherry picked from commit f9b3afae96c72564cd4cd766555845f17e3c12a9)

Wrong index in error message

(cherry picked from commit 6f50c94dfda7c5bd31b364a40038c3d68d1e56ab)

udev: do not try to assign invalid ifname

Fixes #19038.

(cherry picked from commit 5cdb3f70ebe035323f4f079028a262669a2bbbf6)

cg_unified_cached: return ENOMEDIUM if we cannot find a known hierarchy

When the test suite is being run in a foreign environment,
/sys/fs/cgroup might not be set up in a way that we recognize.
Returning ENOMEDIUM causes the tests to be skipped in this case.

Bug: https://bugs.gentoo.org/771819
(cherry picked from commit 2156061fb33811aedb160d1b476793a5b845b143)

dhcp6: fix wrong length for IA_PD dhcp6 option

Fixes an issue introduced by 73b49d433c2c8e6304c8b82538bd4231d070fce4.

When PrefixDelegationHint= is not set, dhcp6_option_append_pd() sets
wrong length for IA_PD option, as `r` is `-EINVAL`.

Fixes #19021.

(cherry picked from commit fa92d38428cdac260e72e280bf1d43539f4ea805)

journald: restore syslog priority *with* facility bits for stream connections when restarting journald

Fixes: #19019
(cherry picked from commit d977ef2542accd3e10a7540b3a8b6d1278cc0041)

man: specify that ProtectProc= does not work with root/cap_sys_ptrace

When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
The same restriction applies to CAP_SYS_PTRACE, if a process runs with
it then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997

(cherry picked from commit 301e7cd047c8d07715d5dc37f713e8aa031581b4)

man: DNS/NTP servers received from DHCP server are concatenated with the statically configured ones

Prompted by #9473.

(cherry picked from commit b63dae3168209a06cefe2b9916667b7754b7de34)

ask-password-api: fix error handling on invalid unicode character

The integer overflow happens when utf8_encoded_valid_unichar() returns an error
code. The error code is a negative number: -22. This overflows when it is
assigned to `z` (type `size_t`). This can cause an infinite loop if the value
of `q` is 22 or larger.

To reproduce the bug, you need to run `systemd-ask-password` and enter an
invalid unicode character, followed by a backspace character.

GHSL-2021-052

(cherry picked from commit 37ca78a35cd1b9f13e584ccf3d332413c7875e40)

resolved: disable event sources before unreffing them

We generally operate on the assumption that a source is "gone" as soon
as we unref it. This is generally true because we have the only reference.
But if something else holds the reference, our unref doesn't really stop
the source and it could fire again.

In particular, on_query_timeout() is called with DnsQuery* as userdata, and
it calls dns_query_stop() which invalidates that pointer. If it was ever
called again, we'd be accessing already-freed memory.

I don't see what would hold the reference. sd-event takes a temporary reference,
but on the sd_event object, not on the individual sources. And our sources
are non-floating, so there is no reference from the sd_event object to the
sources.

For #18427.

(cherry picked from commit 97935302283729c9206b84f5e00b1aff0f78ad19)

tree-wide: fix the string concatenation warning with clang-12

e.g.:
./src/shared/dissect-image.c:2218:39: error: suspicious concatenation of string literals in an array initialization; did you mean to separate the elements with a comma? [-Werror,-Wstring-concatenation]
                                      "/usr/lib/os-release\0",
                                      ^
../src/shared/dissect-image.c:2217:39: note: place parentheses around the string literal to silence warning
                [META_OS_RELEASE]   = "/etc/os-release\0"
                                      ^
1 error generated.

See: https://reviews.llvm.org/D85545
(cherry picked from commit 8762049792024df1be9f0b219438220bb9ee547d)

network: Delay addition of IPv6 Proxy NDP addresses

Setting of IPv6 Proxy NDP addresses must be done at the same
time as static addresses, static routes, and other link attributes
that must be configured when the link is up. Doing this ensures
that they are reconfigured on the link if the link goes down
and returns to service.

(cherry picked from commit 12f7469bbe0142d7f360a29ca2b407ce7f5ff096)

Fixes https://github.com/systemd/systemd-stable/issues/89

pkg-config: make prefix overridable again

While we don't support prefix being != /usr, and this is hardcoded
all over the place, variables in pkg-config file are expected
to have overridable base directory.

This is important for at least the following two use cases:

- Installing projects to non-FHS package-specific prefixes for Nix-style
  package managers. Of course, it is then their responsibility
  to ensure systemd can find the service files.
- Installing to local path for development purposes.
  This is a compromise between running a program from a build directory,
  and running it fully installed to system prefix.

You will not want to write to system prefix in either case.

For more information, see also
https://www.bassi.io/articles/2018/03/15/pkg-config-and-paths/

Fixes https://github.com/systemd/systemd/issues/18082

Partially reverts 6e65df89c348242dbd10036abc7dd5e8181cf733

(cherry picked from commit 60bce7c6d9606185114df1bdcd5ea100407688b8)

Fixes https://github.com/systemd/systemd-stable/issues/88

Update resolvectl.xml

fixed typo of filename

(cherry picked from commit 2d8ce4c70114d9163be9ff45bdece1551a7036cc)

oomd: "downgrade" level of message

PID1 already logs about the service being started, so this line isn't necessary
in normal use. Also, by the time it is emitted, the service has already
signalled readiness, so let's not say "starting" but "started".

(cherry picked from commit a19c1a4baaa1dadc80885e3ad41f19a6c6c450fd)

varlink: avoid using dangling ref in varlink_close_unref()

Fixes #18025, https://bugzilla.redhat.com/show_bug.cgi?id=1931034.

We drop the reference stored in Manager.managed_oom_varlink_request in two code paths:
vl_disconnect() which is installed as a disconnect callback, and in manager_varlink_done().
But we also make a disconnect from manager_varlink_done(). So we end up with the following
call stack:

(gdb) bt
0  vl_disconnect (s=0x112c7b0, link=0xea0070, userdata=0xe9bcc0) at ../src/core/core-varlink.c:414
1  0x00007f1366e9d5ac in varlink_detach_server (v=0xea0070) at ../src/shared/varlink.c:1210
2  0x00007f1366e9d664 in varlink_close (v=0xea0070) at ../src/shared/varlink.c:1228
3  0x00007f1366e9d6b5 in varlink_close_unref (v=0xea0070) at ../src/shared/varlink.c:1240
4  0x0000000000524629 in manager_varlink_done (m=0xe9bcc0) at ../src/core/core-varlink.c:479
5  0x000000000048ef7b in manager_free (m=0xe9bcc0) at ../src/core/manager.c:1357
6  0x000000000042602c in main (argc=5, argv=0x7fff439c43d8) at ../src/core/main.c:2909

When we enter vl_disconnect(), m->managed_oom_varlink_request.n_ref==1.
When we exit from vl_discconect(), m->managed_oom_varlink_request==NULL. But
varlink_close_unref() has a copy of the pointer in *v. When we continue executing
varlink_close_unref(), this pointer is dangling, and the call to varlink_unref()
is done with an invalid pointer.

(cherry picked from commit 39ad3f1c092b5dffcbb4b1d12eb9ca407f010a3c)

pid1: return varlink error on the right connection

(cherry picked from commit 8b0f54c9290564e8c27c9c8ac464cdcc2c659ad5)

repart: fix the loop dev support check

Since f17bdf8264e231fa31c769bff2475ef698487d0b the test-repart was
effectively disabled, since `/dev/loop-control` is a character special
file, whereas `-f` works only on regular files. Even though we could use
`-c` to check specifically for character special files, let's use `-e`
just in case.

(cherry picked from commit 3a1bc3fcc02e61683e815091d129b03ad10771ef)

dissect-image: fix volatile images

This makes sure nspawn's --volatile=yes switch works again: there we
have a read-only image that is overmounted by a tmpfs (with the
exception of /usr). This we need to mkdir all mount points even though
the image is read-only.

Hence, let's drop the optimizatio of avoiding mkdir() on images that are
read-only, it's wrong and misleading here, since the image itself might
be read-only but our mounts are not.

(cherry picked from commit 334eb5b0999d51efbc38b775fca92a2556c85830)

dissect-image: clean up meaning of DISSECT_IMAGE_MKDIR

Previously handling of DISSECT_IMAGE_MKDIR was pretty weird and broken:
it would control both if we create the top-level mount point when
mounting an image, and the inner mount points for images that consist of
multiple file systems. However, the latter is redundant, since
1f0f82f1311e4c52152b8e2b6f266258709c137d does this too, a few lines
further up – unconditionally!

Hence, let's make the meaning of DISSECT_IMAGE_MKDIR more strict: it
shall be only about the top-level mount point, not about the inner ones
(where we'll continue to create what is missing alwayway). Having a
separate flag for the top-level mount point is relevant, since the mount
point dir created by it will remain on the host fs – unlike the
directories we create inside the image, which will stay within the
image.

This slightly change of meaning is actually inline with what the flag is
actually used for and documented in systemd-dissect.

(cherry picked from commit 9842905ede9c7fdc541724ee5c6db7d46a47405d)

install: refactor find_symlinks() and don't search for symlinks recursively

After all we are only interested in symlinks either in top-level config
directory or in .wants and .requires sub-directories.

As a bonus this should speed up ListUnitFiles() roughly 3-4x on systems
with a lot of units that use drop-ins (e.g. SSH jump hosts with a lot of
user session scopes).

(cherry picked from commit 43b4e3058c106e663bbd5413e7bd106e55d6fd79)

coredumpctl: fflush() stdout before invoking gdb

Fixes: #18936
(cherry picked from commit 48f813c4aab307695b853cbd3ea3c85f22486898)

coredump: omit coredump info when -q is used with the `debug` verb

Skip printing the coredump info table when using the `debug` verb in
combination with the `-q/--quiet` option. Useful when trying to gather
coredump info non-interactively via scripted gdb commands.

Fixes: systemd/systemd#18935
(cherry picked from commit a174da59c299f6197425707f23757dc9149e5fba)

Revert "udev: do not execute hwdb builtin import twice or thrice"

This reverts commit 876c75fe870846b09b54423a6b719d80bc879b27.

The patch seems to cause usb devices to get some attributes set from the parent
PCI device. 'hwdb' builtin has support for breaking iteration upwards on usb
devices. But when '--subsystem=foo' is specified, iteration is continued. I'm
sure it *could* be figured out, but it seems hard to get all the combinations
correct. So let's revert to functional status quo ante, even if does the lookup
more than once unnecessarily.

Fixes #18125.

(cherry picked from commit 451ba55fecd8b494add2001b3ca3c1915c8fd655)

socket-util: refuse ifnames with embedded '%' as invalid

So Linux has this (insane — in my opinion) "feature" that if you name a
network interface "foo%d" then it will automatically look for the
interface starting with "foo…" with the lowest number that is not used
yet and allocates that.

We should never clash with this "magic" handling of ifnames, hence
refuse this, since otherwise we never know what the name is we end up
with.

We should probably switch things from a deny list to an allow list
sooner or later and be much stricter. Since the kernel directly enforces
only very few rules on the names, we'd need to do some research what is
safe and what is not first, though.

(cherry picked from commit e5f8ce13bbaf0d8b9ff597692c67fba0e38b4200)

oomd: add unit test to repro #18926

(cherry picked from commit 399d80ba8c604d57e7df6c5118ea3258cce026d9)

oomd: wrap paths in oomd_insert_cgroup_context with empty_to_root

(cherry picked from commit 50c0578b619e7298375afdffec7a8b3a40a68c21)

oomd: move TAKE_PTR to end of oomd_insert_cgroup_context()

Fixes #18926

(cherry picked from commit 45da27fa053898c1b94c175070a0dd63128875c9)

timedated: fix skipping of comments in config file

Reading file '/usr/lib/systemd/ntp-units.d/80-systemd-timesync.list'
Failed to add NTP service "# This file is part of systemd.", ignoring: Invalid argument
Failed to add NTP service "# See systemd-timedated.service(8) for more information.", ignoring: Invalid argument

:(

(cherry picked from commit 03a81441b1a490f8fc2a19aeb9b23299657c380c)

homed: disable event sources before unreffing them

C.f. 9793530228.

We'd crash when trying to access an already-deallocated object:

Thread no. 1 (7 frames)
#2 log_assert_failed_realm at ../src/basic/log.c:844
#3 event_inotify_data_drop at ../src/libsystemd/sd-event/sd-event.c:3035
#4 source_dispatch at ../src/libsystemd/sd-event/sd-event.c:3250
#5 sd_event_dispatch at ../src/libsystemd/sd-event/sd-event.c:3631
#6 sd_event_run at ../src/libsystemd/sd-event/sd-event.c:3689
#7 sd_event_loop at ../src/libsystemd/sd-event/sd-event.c:3711
#8 run at ../src/home/homed.c:47

The source in question is an inotify source, and the messages are:

systemd-homed[1340]: /home/ moved or renamed, recreating watch and rescanning.
systemd-homed[1340]: Assertion '*_head == _item' failed at src/libsystemd/sd-event/sd-event.c:3035, function event_inotify_data_drop(). Aborting.

on_home_inotify() got called, then manager_watch_home(), which unrefs the
existing inotify_event_source. I assume that the source gets dispatched again
because it was still in the pending queue.

I can't reproduce the issue (timing?), but this should
fix #17824, https://bugzilla.redhat.com/show_bug.cgi?id=1899264.

(cherry picked from commit cf5366387b24633284ee92285ea64a282270d591)

homed: wrap some very long lines

(cherry picked from commit 23d24b76f3df765fa6dbe7fe815bd4f8e76c9bb5)

dissect: fix memleak

Fixes #18903.

(cherry picked from commit f91861e49fea01c98ad0e1131b9141830c029f28)

sd-bus: fix memleak in failure path in bus_match_parse()

(cherry picked from commit 8df3f44c90a3e479b717e8cc4bb26c95ebbc5cb0)

sd-bus: fix memstream buffer extraction

I'm getting the following error under valgrind:

==305970== Invalid free() / delete / delete[] / realloc()
==305970==    at 0x483E9F1: free (vg_replace_malloc.c:538)
==305970==    by 0x4012CD: mfree (alloc-util.h:48)
==305970==    by 0x4012EF: freep (alloc-util.h:83)
==305970==    by 0x4017F4: LLVMFuzzerTestOneInput (fuzz-bus-match.c:58)
==305970==    by 0x401A58: main (fuzz-main.c:39)
==305970==  Address 0x59972f0 is 0 bytes inside a block of size 8,192 free'd
==305970==    at 0x483FCE4: realloc (vg_replace_malloc.c:834)
==305970==    by 0x4C986F7: _IO_mem_finish (in /usr/lib64/libc-2.33.so)
==305970==    by 0x4C8F5E0: fclose@@GLIBC_2.2.5 (in /usr/lib64/libc-2.33.so)
==305970==    by 0x49D2CDB: fclose_nointr (fd-util.c:108)
==305970==    by 0x49D2D3D: safe_fclose (fd-util.c:124)
==305970==    by 0x4A4BCCC: fclosep (fd-util.h:41)
==305970==    by 0x4A4E00F: bus_match_to_string (bus-match.c:859)
==305970==    by 0x4016C2: LLVMFuzzerTestOneInput (fuzz-bus-match.c:58)
==305970==    by 0x401A58: main (fuzz-main.c:39)
==305970==  Block was alloc'd at
==305970==    at 0x483FAE5: calloc (vg_replace_malloc.c:760)
==305970==    by 0x4C98787: open_memstream (in /usr/lib64/libc-2.33.so)
==305970==    by 0x49D56D6: open_memstream_unlocked (fileio.c:97)
==305970==    by 0x4A4DEC5: bus_match_to_string (bus-match.c:859)
==305970==    by 0x4016C2: LLVMFuzzerTestOneInput (fuzz-bus-match.c:58)
==305970==    by 0x401A58: main (fuzz-main.c:39)
==305970==

So the fclose() which is called from _cleanup_fclose_ clearly reallocates the
buffer (maybe to save memory?). open_memstream(3) says:

  The locations referred to by these pointers are updated each time the
  stream is flushed (fflush(3)) and  when the stream is closed (fclose(3)).

This seems to mean that we should close the stream first before grabbing the
buffer pointer.

(cherry picked from commit 5963e6f43c4f33d5255ef0fb887cdf382bd51c9e)

run: tweak algorithm for generating unit name from dbus unique name

This reverts behaviour of systemd-run's unit name generation to the
status quo ante of #18871: we chop off the ":1." prefix if we can.
However, to address the issue that the unique name can overrun we then
do what #18871 did as fallback: only chop off the ":" prefix.

This way we should have pretty names that look like they always looked
in the common case, but in the case of a unique name overrun we still
will have names that work.

Follow-up for #18871

(cherry picked from commit e6283cbf48a3821d03ec73252620fc1b04bd4588)

trans_time sec is int32,it will overflow if local system time is later than 2038.

(cherry picked from commit 370d3c31b4637d1b2faeec555da3283e49a6744f)

run: update dbus unique names check

Some code in systemd-run checks that a bus's unique name must start with
`:1.`. However the dbus specification on unique connection names only specifies
that it must begin with a colon. And the freedesktop/dbus implementation allows
allows unique names to go up to `:INT_MAX.INT_MAX`. So update the
current check to only look for a colon at the beginning.

(cherry picked from commit 01584bf9e43db1dfb7ea4ba628f533b3066e81cc)

core: fix mtime calculation of dropin files

Nominally, the bug was in unit_load_dropin(), which just took the last mtime
instead of calculating the maximum. But instead of adding code to wrap the
loop, this patch goes in the other direction.

All (correct) callers of config_parse() followed a very similar pattern to
calculate the maximum mtime. So let's simplify things by making config_parse()
assume that mtime is initialized and update it to the maximum. This makes all
the callers that care about mtime simpler and also fixes the issue in
unit_load_dropin().

config_parse_many_nulstr() and config_parse_many() are different, because it
makes sense to call them just once, and current ret_mtime behaviour make sense.

Fixes #17730, https://bugzilla.redhat.com/show_bug.cgi?id=1933137.

(cherry picked from commit da46a1bc3cd28ac36114002c216196dae004b05c)

udev: add i2c to 60-persistent-input.rules for by-path (#18808)

Add the i2c subsystem to those that create by-path links.
i2c devices may not have IDs so we can't rely on the by-id links
but they (or some of them) should at least have a path that we can use.

(cherry picked from commit e595edf1a3d7318811325cf97663c4b5a3859c6e)

sd-device: don't use BPF filtering for kernel monitors

BPF filtering accesses fields in the netlink header that are
only filled in by libudev, never by the kernel. Therefore adding
BPF filters for kernel monitors is pointless. Even false filtering
of kernel events might be possible; at least it's hard to prove that
it can't occur.

(cherry picked from commit d8ce385fe3e5be91b6f414415e10f8897e41d942)

Fix path typo in systemd.unit

/etc/systemd/systemd/ => /etc/systemd/system/

(cherry picked from commit 57733518817c1217b9f442ca790ff3f50705b1c8)

udev: when btrfs.ko is not available consider btrfs filesystems not ready

Let's add a special tweak to the btrfs builtin: if /dev/btrfs-control is
not there, let's consider all btrfs file systems as SYSTEMD_READY=0.
This is useful in initrds, where btrfs.ko might be missing. After the
initrd → host transition we can then retigger the device and undo the
SYSTEMD_READY=0 marking.

(cherry picked from commit 97e535c7248cc0457395e2d62b6e7d6c342a0bd2)

man: fix indentation of example

The man page otherwise looks very weirdly aligned.

(cherry picked from commit 8b596d51a9b347f6fe5d130cbb0d26693149ce25)

man: advertise shared drop-ins more

systemd.unit(5) is a wall of text. And this particular feature can be very useful
in the context of resource control. Let's avertise this cool feature a bit more.

Fixes #17900.

(cherry picked from commit a8136f1bc03d1bdf93b9071b4f82123b81a05c8e)

man: fix two issues in udev(7)

Fixed #18050.

(cherry picked from commit 4fc8a70d9f062b7b51c6c808a24ca3fd22df668f)

cgroup: don't generate BPF firewall unsupported warning on wrong unit

Let's generate the warning on a unit that actually needs the BPF
firewall, and not confusingly already for a sibling of one.

(cherry picked from commit a437c5e4da666d16f15649461ce45e0e6d735148)

resolved: don't discard mDNS queries with bad flags

Even though RFC 6762 specifies these bits MUST be zero, it also says they MUST
be ignored on reception.

(cherry picked from commit 2aaf3765974c9f340c0c3d705e9f0609073cf83c)

resolved: don't discard mDNS packets with ip6.arpa RRs

ip6.arpa is also a valid domain name to put in mDNS packets.

(cherry picked from commit 7675501540980eff80c0e055c219e5e1efde6b62)

timedate: do not ignore fix_system argument in SetLocalRTC method

Fixes #18391.

(cherry picked from commit 2be6c4758e3c27a3f502735881a355e5bfae97b0)

dhcp6: do not set T1 and T2 by dhcp6_option_append_pd() in client

Fixes #18090.

(cherry picked from commit 73b49d433c2c8e6304c8b82538bd4231d070fce4)

dhcp6: do not set T1 and T2 by dhcp6_option_append_ia() in client

(cherry picked from commit e7613578b4747488bef9b558dc35e41d7075f18a)

dhcp6: make dhcp6_option_parse_{address,pdprefix}() return -EINVAL when received address or prefix is refused

And then the caller ignores the error.
Otherwise, `ret_liftime_valid` is not set even if they succeeds.

(cherry picked from commit 1e84213a433f8a80c94dea34514744cc4937efd0)

dhcp6: do not use input value before checking

(cherry picked from commit cf6c33bd6b6ca606f0756312bd73ae066c6aa9a8)

bootspec: assume that the root dir is at the top of its file system

Fixes: #17746
(cherry picked from commit eceb61112c8ece03adfb4fcbc83e357875ca0ceb)

man: add a description of how manager env block is set

(cherry picked from commit d51586434677423e97decd0f8c02db0a266dd4e7)

efi stub: accept it if our loaded image has no FilePath field set

The firmware spec doesn't really say whether FilePath of the LoadedImage
protocol may be NULL or not. So far we assumed it to be non-NULL, but
apparently the FreeBSD UEFI chainloader sets it to NULL. Handle this
gracefully.

(Noticed and tracked down by Alexander Schreiber)

Fixes: #18733
(cherry picked from commit 685097b9cadf92d21dfa857c3a7ddc1ba115088e)

man: various improvements to systemd.generator(7)

In particular, make clear the .d/*.conf unit file drop-ins are OK to
generate from generators.

Inspired by: https://lists.freedesktop.org/archives/systemd-devel/2021-February/046148.html

(cherry picked from commit 3acf00a5a4ff656e2799f7f3e2544891b09bbc35)

resolved: add another explanatory message to stub resolv.conf files

Apparently people do "cat /etc/resolv.conf" and not realize that they
are looking at a file in /run.

(cherry picked from commit 2b767e9222809103cb756e368f0d71e906623bca)

cryptsetup: unescape ID_PART_ENTRY_NAME udev property before using it

Fixes: #18729
(cherry picked from commit fadd34dd5af9a26edf2906b237ac212169d39f0c)

man: try to improve documentation of conditions/asserts

Fixes: #18725
(cherry picked from commit 0a6aa7a238e1130ebe1b797a62da06645fb73ad4)

man: correct documentaiton of StandardInput='s defaults in regards to "data"

Fixes: #18710
(cherry picked from commit c6e33c293ecb1cad5f975fe3cd12ec5aff3df221)

man: correct the unit file directory for attached images

Commit 83f72cd65fb8 ("man,docs: document the new unit file directory for
attached images") updated the docs and man page with the new unit file
directory for attached images but included a system.attached ->
systemd.attached typo in the man page portion of the change. Fix the
typo to document the correct path.

(cherry picked from commit e4d54220a1ffa6629c0aad717a8b7601c0319657)

sysctl.d: silence warning if net.core.default_qdisc cannot be set

Kernels can be compiled without the attribute. It's fine if this is not
set, so silence the warning.

(cherry picked from commit fa98c99ea7f7c5bec3962fa52f4d3496a9777024)

xdg-autostart-generator: ignore DBusActivatable=true

See https://wiki.gnome.org/HowDoI/DBusApplicationLaunching and
https://wiki.gnome.org/Initiatives/GnomeGoals/DBusActivatable for a description
of this key:
> Instead of the typical UNIX-style fork()/exec() approach to process creation,
> launching an application is done by sending a D-Bus message to the well-known
> name of that application, causing a D-Bus activation.
>
> Starting processes with D-Bus activation ensures that each application gets
> started in its own pristine environment, as a direct descendent of the
> session -- not in the environment of whatever its parent happened to be. This
> is important for ensuring the app ends up in the correct cgroup, for example.

So this motivation is not important for us: we launch stuff ourselves better.

This fixes warnings during boot:
systemd-xdg-autostart-generator[2274]: /etc/xdg/autostart/org.freedesktop.problems.applet.desktop:92: Unknown key name 'DBusActivatable' in section 'Desktop Entry', ignoring.

(cherry picked from commit 36290e0b97ba032cbd71723f2255917924eadc05)

xdg-autostart-generator: reindent

(cherry picked from commit 9f11f565556410f9484db9e4991f6c04eeafffc7)

Recommend drop-ins over modifications to the main config file

As discussed in https://github.com/systemd/systemd/pull/18347.

(cherry picked from commit 09db71a4a3fb9cee19f89cb75ad453caa46209b8)

rfkill: use short writes and accept long reads

I'm seeing the following with kernel-core-5.10.16-200.fc33.x86_64:

$ sudo SYSTEMD_LOG_LEVEL=debug build/systemd-rfkill
Reading struct rfkill_event: got 8 bytes.
A new rfkill device has been added with index 0 and type bluetooth.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Found container virtualization none.
rfkill0: Operating on rfkill device 'tpacpi_bluetooth_sw'.
Writing struct rfkill_event successful (8 of 9 bytes).
Loaded state '0' from /var/lib/systemd/rfkill/platform-thinkpad_acpi:bluetooth.
Reading struct rfkill_event: got 8 bytes.
A new rfkill device has been added with index 1 and type wwan.
rfkill1: Operating on rfkill device 'tpacpi_wwan_sw'.
Writing struct rfkill_event successful (8 of 9 bytes).
Loaded state '0' from /var/lib/systemd/rfkill/platform-thinkpad_acpi:wwan.
Reading struct rfkill_event: got 8 bytes.
A new rfkill device has been added with index 2 and type bluetooth.
rfkill2: Operating on rfkill device 'hci0'.
Writing struct rfkill_event successful (8 of 9 bytes).
Loaded state '0' from /var/lib/systemd/rfkill/pci-0000:00:14.0-usb-0:7:1.0:bluetooth.
Reading struct rfkill_event: got 8 bytes.
A new rfkill device has been added with index 3 and type wlan.
rfkill3: Operating on rfkill device 'phy0'.
Writing struct rfkill_event successful (8 of 9 bytes).
Loaded state '0' from /var/lib/systemd/rfkill/pci-0000:04:00.0:wlan.
All events read and idle, exiting.

We were expecting a read of exactly RFKILL_EVENT_SIZE_V1==8 bytes. But the
structure has 9 after [1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=14486c82612a177cb910980c70ba900827ca0894

For some reason the kernel does not accept the full structure size, but cuts
the write short after 8 bytes:

static ssize_t rfkill_fop_write(struct file *file, const char __user *buf,
size_t count, loff_t *pos)
{
struct rfkill_event ev;

/* we don't need the 'hard' variable but accept it */
if (count < RFKILL_EVENT_SIZE_V1 - 1)
return -EINVAL;

/*
* Copy as much data as we can accept into our 'ev' buffer,
* but tell userspace how much we've copied so it can determine
* our API version even in a write() call, if it cares.
*/
count = min(count, sizeof(ev));
if (copy_from_user(&ev, buf, count))
return -EFAULT;

... so it should accept the full size. I'm not sure what is going on here.

But we don't care about the extra fields, so let's accept a write as long as
it's at least RFKILL_EVENT_SIZE_V1.

Fixes #18677.

(cherry picked from commit a71c09685021cbcecb7566a00342421f635cc002)

rfkill: improve error logging

If we get something of unexpected size, log the sizes. Also, don't log twice.

(cherry picked from commit 6c7afdeab010025c80508effd2b0039bc5181b82)

journald: when we fail to add a new entry to a journal, return the seqno

Fixes: #18005
(cherry picked from commit 0eaee8281d4699903b8b2cce18c836d4a144aee3)

Remove outdated disable_ipv6 docs

This was changed in commit 482efedc081b0c4bf2e77a3dee6b979d9c9a5765,
which was released in v243, to only enable and never disable IPv6.

Signed-off-by: Richard Laager <rlaager@wiktel.com>
(cherry picked from commit f542f3b2ed3cf3e71692d1736f3fdd0ebdc226ef)