cgroup-util: Always open cgroupv2 attribute files in O_NONBLOCK mode
As explained in https://lore.kernel.org/all/20250419183545.1982187-1-shakeel.butt@linux.dev/,
writing to memory.max or memory.high triggers synchronous memory reclaim
if the limit is lowered. This can end up taking nonnegligible amounts
of time, completely blocking pid1 from doing any other work while the
reclaim is ongoing.
To address this problem, the kernel going to add O_NONBLOCK semantics
to memory.max and memory.high. If the file is opened with O_NONBLOCK,
the synchronous memory reclaim is skipped and only triggered later
without blocking the process writing the file. Let's make sure we make
use of this by opening cgroupv2 attribute files with O_NONBLOCK.
We opt to do this for all cgroupv2 attribute files, to make sure that
if the same problem happens elsewhere in the future and is fixed in the
same way, we immediately take advantage of that fix without having to
make changes in systemd as well. We probably never want to block when
writing cgroupv2 attributes and any cases where we do want to block should
indicate so explicitly instead of blocking by default.
Since shim 16, it is not possible anymore to override the security arch
protocol to avoid signature check and measurements.
Also on Dell servers, EFI_SECURITY2_ARCH_PROTOCOL is not implemented, so
unexpected measurements on PCR 4 were still happening.
This just loads and run the kernel pe. We verify that there is no
relocation needed. Also for simplification, we assume and verify that
the base address is expected to be 0.
Mike Yuan [Fri, 6 Jun 2025 19:47:39 +0000 (21:47 +0200)]
sd-varlink: hook up fd passing control with SO_PASSRIGHTS
This is a tricky one, because we effectively turn fd passing input
toggle into a tristate: unset, disabled, and enabled; whereas unset
and disabled were identical previously. *Unset* state silently
ignores SCM_RIGHTS passed by invoking recv() instead of recvmsg(),
and for disabled we now disable SO_PASSRIGHTS completely.
The plot thickens when it comes to the server, since we want to
turn off the SO_PASSRIGHTS already on the listening socket so that
there's no race between accept() and recvmsg() wrt SO_PASSRIGHTS state.
However, if we do this unconditionally, the existing use case of
creating a custom connection callback and enabling fd passing there
would be broken.
Hence, let's introduce a new flag,
SD_VARLINK_SERVER_FD_PASSING_INPUT_STRICT, which when set
ties the enablement of fd passing to SO_PASSRIGHTS in server,
and set it for all our varlink servers.
Refer to the previous commit for the rationale behind return value
change in sd_varlink_set_allow_fd_passing_input().
Mike Yuan [Mon, 9 Jun 2025 22:01:53 +0000 (00:01 +0200)]
sd-varlink: unify AF_UNIX check in sd_varlink_set_allow_fd_passing_output()
Currently, the socket type is only checked if the fd passing is
being enabled. The special handling seems unnecessary though,
as in the disable case, either fd passing is already false and
would be caught by the (... == !!b) shortcut at the beginning,
or the AF_UNIX check wouldn't have succeeded in the first place,
for the initial toggle to true. Hence, just uniformly check
AF_UNIX.
While at it, sd_varlink_set_allow_fd_passing_*() oddly return 1
iff changed and !b, which doesn't fit into our coding style and
I can't come up with any use case for such behavior. Let's
return 1 on changed and 0 otherwise.
sd_varlink_set_allow_fd_passing_input() will be fixed in the later
commits with other enhancements.
Mike Yuan [Fri, 6 Jun 2025 19:01:33 +0000 (21:01 +0200)]
core/socket: introduce AcceptFileDescriptors=
This controls the new SO_PASSRIGHTS socket option in kernel v6.16.
Note that I intentionally choose a different naming scheme than
Pass*=, since all other Pass*= options controls whether some extra
bits are attached to the message, while this one's about denying
file descriptor transfer and it feels more explicit this way.
And diverging from underlying socket option name is precedented
by Timestamping=. But happy to change it to just say PassRights=
if people disagree.
Arkadiusz Bokowy [Thu, 12 Jun 2025 14:20:29 +0000 (16:20 +0200)]
sd-bus: Preserve interfaces addition order
When adding a new interface to the object add it at the end of the list.
This way, when iterating over the list, e.g., during handling introspect
call, the order of returned interfaces will mach the order in which they
were added.
Luca Boccassi [Mon, 16 Jun 2025 22:28:57 +0000 (23:28 +0100)]
fstab-generator: set mode=0755 with root=tmpfs
If mode= is not set in rootflags= add mode=0755 when a tmpfs
is used on the rootfs, otherwise it will be group/world writable
as that's the default mode for tmpfs filesystems.
* 7de88c66bd Do not mark symlinks as %ghost
* 92c16c1dab Let systemd-{sysusers,shared} conflict with older systemd
* ed6b885327 Version 257.6
* 5a53eac13c Package pcrlock files together with systemd-pcrlock
* 2192e86112 Move mount.ddi symlinks to -container subpackage
* 451184cbea Revert "Disable freezing of user sessions"
* f6af46db12 Backport adb/fastboot udev rules (BZ#2356537)
* f6b814cc0f Backport CI fix
* d304477023 Version 257.5
* 2dc224ae5d Update systemd to version 257.6 / rev 448 via SR 1281804
* 15818e66dd Update systemd to version 257.5 / rev 447 via SR 1278063
* 2480ac89f0 Update 000product to rev 4383
* c381cdada8 update 2025-04-11 16:42
* bb036b2b8e Update systemd to version 257.4 / rev 444 via SR 1252776
* 55ae12d80b Update systemd to version 257.3 / rev 443 via SR 1249841
* a7fcf45b77 Update systemd to version 257.3 / rev 442 via SR 1247443
* 15cb472aeb upgpkg: 257.6-1: new upstream release
* 1c11767e01 upgpkg: 257.5-3: backlight: Drop support for actual_brightness
* 489e88099e upgpkg: 257.5-2: fast-forward to current v257-stable
Yu Watanabe [Mon, 16 Jun 2025 08:55:11 +0000 (17:55 +0900)]
manager: also restart stub listner on reload
Previously, the extra stub listners were stopped but new ones were not
started. Also, the main stub listners were not restarted, hence the
new settings were not applied. This fixes the above two issues.
Note, to fix the issue, we need to keep CAP_NET_BIND_SERVICE capability
to make it allow to bind stub listner later.
Yu Watanabe [Mon, 16 Jun 2025 08:51:49 +0000 (17:51 +0900)]
resolve: several cleanups for manager_dispatch_reload_signal()
- set defaults after all existing configs and setups cleared,
- mention failures are ignored in log messages,
- drop one redundant log message,
- do not return negative errno but exit event loop on critical failure.
Yu Watanabe [Mon, 16 Jun 2025 07:42:38 +0000 (16:42 +0900)]
network/tunnel: rename Ip6TnlMode to TunnelMode
This also makes ip6tnl can be created without specifying Mode= setting,
as the kernel accepts new-link netlink message without the
IFLA_IPTUN_PROTO attribute.
No effective functional change, just refactoring and preparation for
later change.
nsresourced: make sure "tun" driver is properly loaded and accessible
We need access to /dev/net/tun, hence make sure we can actually see
/dev/. Also make sure the module is properly loaded before we operate,
given that we run with limit caps. But then again give the CAP_NET_ADMIN
cap, since we need to configure the network tap/tun devices.
However, even it is not necessary to save the leases for containers
on a persistent storage, still we should save them on somewhere.
Otherwise, leases will be lost when networkd on the host is restarted
or the host side interface is reconfigured.
This introduce PersistLeases=runtime to save and load leases on runtime
storage.
Yu Watanabe [Thu, 12 Jun 2025 09:25:54 +0000 (18:25 +0900)]
udev/rules.d: import hwdb before calling net_id builtin
The commit cdcb1eeeb883b2ecb3992865f458f874900ddb87 adds
ID_NET_NAME_INCLUDE_DOMAIN property support in net_id builtin.
The property is basically set through hwdb. However, previously hwdb was
imported after calling net_id builtin, hence when net_id is called, the
property was never set.
This makes hwdb is imported before calling net_id builtin, so that the
property is set when net_id is called if hwdb has an entry about that
for the interface.
Yu Watanabe [Fri, 13 Jun 2025 08:12:19 +0000 (17:12 +0900)]
network/dhcpv4: add ability to use BOOTP (#34888)
BOOTP can be used to sign a static IP to clients. Instead of using the
four message exchange, and Option 53 (DHCP Message Type) there is only a
two message exchange.
Add the following network option to enable BOOTP:
[DHCPv4]
BOOTP=yes
This will allow a two message request / reply sequence that doesn't
require DHCP message types.
Colin Foster [Wed, 30 Oct 2024 01:50:58 +0000 (20:50 -0500)]
sd-dhcp-client: add ability to support bootp
BOOTP can be used to sign a static IP to clients. Instead of using the
four message exchange, and Option 53 (DHCP Message Type) there is only a
two message exchange. This adds the support for this exchange.
Yu Watanabe [Wed, 11 Jun 2025 09:05:46 +0000 (18:05 +0900)]
network: also check ID_NET_MANAGED_BY property on reconfigure
Previously, the property was checked only when an uevent is received,
so even if an interface has ID_NET_MANAGED_BY property, the interface
will be configured by networkd when reconfiguration is triggered e.g.
when interface state is changed.
Valentin David [Tue, 6 May 2025 12:34:14 +0000 (14:34 +0200)]
stub: call inner kernel directly
Since shim 16, it is not possible anymore to override the security arch
protocol to avoid signature check and measurements.
Also on Dell servers, EFI_SECURITY2_ARCH_PROTOCOL is not implemented, so
unexpected measurements on PCR 4 were still happening.
This just loads and run the kernel pe. We verify that there is no relocation
needed. Also for simplification, we assume and verify that the base address is
expected to be 0.
Yu Watanabe [Wed, 11 Jun 2025 04:02:27 +0000 (13:02 +0900)]
login: drop unnecessary dependency to libacl
With c960ca2be1cfd183675df581f049a0c022c1c802, logind does not handle
ACL anymore, but triggers events for udevd and udevd updates ACL.
Hence, libacl is not necessary for logind.
projects / thirdparty / systemd.git / log
