core/exec-invoke: relax restriction for process name length
Previously, we limit the length of process name by 8.
This relax the restriction then at least process comm or
program_invocation_name contains the untrucated process name.
Yu Watanabe [Sat, 25 Oct 2025 06:34:44 +0000 (15:34 +0900)]
test: extend start limit interval
As the modified service requires about ~10 seconds for stopping, the
service never hit the start limit even if we tried to restart the
service more than 5 times.
This also checks that the service is actually triggered by dbus method
call.
Daniel Hast [Fri, 24 Oct 2025 22:47:59 +0000 (18:47 -0400)]
tree-wide: add basic validation of --background argument
Check whether the argument of the `--background` option of
`systemd-run`, `run0`, `systemd-nspawn`, `systemd-vmspawn`, and
`systemd-pty-forward` is either empty or looks like an ANSI color code,
and reject invalid values when parsing arguments.
We consider a string to look like an ANSI color code if it consists of
one or more sequences of ASCII digits separated by semicolons. This
permits every valid ANSI color code, and should reject anything that
results in garbled output.
Michal Sekletar [Fri, 24 Oct 2025 10:55:20 +0000 (12:55 +0200)]
coredump: handle ENOBUFS and EMSGSIZE the same way
Depending on the runtime configuration, e.g. sysctls
net.core.wmem_default= and net.core.rmem_default and on the actual
message size, sendmsg() can fail also with ENOBUFS. E.g. alloc_skb()
failure caused by net.core.[rw]mem_default=64MiB and huge fdinfo list
from process that has 90k opened FDs.
We should handle this case in the same way as EMSGSIZE and drop part of
the message.
Yu Watanabe [Mon, 20 Oct 2025 10:40:28 +0000 (19:40 +0900)]
core: increment start limit counter only when we can start the unit
Otherwise, e.g. requesting to start a unit that is under stopping may
enter the failed state.
This makes
- rename .can_start() -> .test_startable(), and make it allow to return
boolean and refuse to start units when it returns false,
- refuse earlier to start units that are in the deactivating state, so
several redundant conditions in .start() can be dropped,
- move checks for unit states mapped to UNIT_ACTIVATING from .start() to
.test_startable().
Frantisek Sumsal [Thu, 23 Oct 2025 08:28:07 +0000 (10:28 +0200)]
test: properly wait for the forked process
The process forked off by `systemd-notify --fork` is not a child of the
current shell, so using `wait` doesn't work. This then later causes a
race, when the test occasionally fails because it attempts to start a
new systemd-socket-activate instance before the old one is completely
gone:
[ 1488.947744] TEST-74-AUX-UTILS.sh[1938]: Child 1947 died with code 0
[ 1488.947952] TEST-74-AUX-UTILS.sh[1933]: + assert_eq hello hello
[ 1488.949716] TEST-74-AUX-UTILS.sh[1948]: + set +ex
[ 1488.950112] TEST-74-AUX-UTILS.sh[1950]: ++ cat /proc/1938/comm
[ 1488.945555] systemd[1]: Started systemd-networkd.service - Network Management.
[ 1488.950365] TEST-74-AUX-UTILS.sh[1933]: + assert_in systemd-socket systemd-socket-
[ 1488.950563] TEST-74-AUX-UTILS.sh[1951]: + set +ex
[ 1488.950766] TEST-74-AUX-UTILS.sh[1933]: + kill 1938
[ 1488.950766] TEST-74-AUX-UTILS.sh[1933]: + wait 1938
[ 1488.950766] TEST-74-AUX-UTILS.sh[1933]: .//usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.socket-activate.sh: line 14: wait: pid 1938 is not a child of this shell
[ 1488.950766] TEST-74-AUX-UTILS.sh[1933]: + :
[ 1488.951486] TEST-74-AUX-UTILS.sh[1952]: ++ systemd-notify --fork -- systemd-socket-activate -l 1234 --now socat ACCEPT-FD:3 PIPE
[ 1488.952222] TEST-74-AUX-UTILS.sh[1953]: Failed to listen on [::]:1234: Address already in use
[ 1488.952222] TEST-74-AUX-UTILS.sh[1953]: Failed to open '1234': Address already in use
[ 1488.956831] TEST-74-AUX-UTILS.sh[1933]: + PID=1953
[ 1488.957078] TEST-74-AUX-UTILS.sh[102]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.socket-activate.sh failed'
[ 1488.957078] TEST-74-AUX-UTILS.sh[102]: Subtest /usr/lib/systemd/tests/testdata/units/TEST-74-AUX-UTILS.socket-activate.sh failed
Yu Watanabe [Thu, 23 Oct 2025 00:35:03 +0000 (09:35 +0900)]
rereadpt: always update kernel partition tables from userspace in an incremental fashion (#39390)
Let's address #38672 comprehensively: let's avoid BLKRRPART as much as
we can, and always do careful userspace controlled, incremental updates
to the kernel partition tables.
This simply iterates through blkid's partition parsing, and turns it
into a BLKPG ioctls, adding, updating, removing partitions as necessary,
suppressing unnecessary changes. This has the major benefit that the
call becomes truly idempotent: if nothing changed then nothing is
removed/readed, like BLKRRPART is doing it.
This then ports over all code currently doing partition refreshing,
specifcially: udev, repart, and homed.
tree-wide: open block device locks in writable mode
udev's block device locking protocol has one pitfall not even the
example in the documentation got right so far (even though this is
explained in all detail above): udev's rescanning is only triggered when
an fd that is opened for writing is closed. This means that if a
separate locking fd is opened on a block device – one that is maintained
independently of the fd actually used for writing – it must be opened for
writing too, so that closing the lock definitely triggers a rescan. This
matters in cases where the lock fd is kept for longer than the fd used
for writing to disk. (Because otherwise udev might get the
IN_CLOSE_WRITE event, but when it tries to rescan will find the device
locked, and never retry because no IN_CLOSE_WRITE is triggred anymore.)
Let's fix that across the codebase, at 4 places:
1. in makefs (a lock fd is kept, and mkfs then invoked as child, which
uses a different fd, and the lock fd is closed only once the child
died)
2. in udevadm lock (embarassing!): which is intended to be used to wrap tools
that modify disk contents, very similar to the makefs case. The lock
is also kept until after the tool exited.
3. In storagetm: the kernel nvme-tcp layer writes to the device
directly, we just keep a lock fd.
blockdev-util: rename BlockDeviceLookupFlag to plural
This is a flags type and a flag function argument, let's name it in
plural, because it allows many flags combinations. Internally, the
implementation already used plural, but let's fix the prototypes too.
* 5650452e6b Install new files for upstream build
* 607afcd060 salsa: disable arm64/ppc64el again
* b1bb6d4849 systemd-tests: drop unused overrides
* b3790a36ca getty-static: add missing Documentation=
* 1cea27caba Backport patch to fix autopkgtest with new util-linux due to file move
* 2e74a7f969 Update changelog for 258.1-1 release
* 9250e242b9 Make /run/lock world writable by default
Luca Boccassi [Mon, 20 Oct 2025 23:37:44 +0000 (00:37 +0100)]
mountfsd: allow privileged users to mount bare unprotected filesystems
This is useful when we start to call mountfsd from root, for example
from the tests where we just use a simple squashfs/erofs.
Note that this requires the caller to be root, and it will be rejected
otherwise, as such images are classified as 'unprotected' and the
enforced policy does not accept them for unprivileged users.
Disable abort in log_assert in libsystemd/libudev (#39307)
See the second commit for details.
I think we might want to apply the same treatment to nss and pam
modules. Asserting in such "plugin code" seems iffy. But this PR doesn't
change those in any way.
Ryan Brue [Mon, 18 Aug 2025 17:12:26 +0000 (12:12 -0500)]
man: Clarify usage of /usr/share/factory/ in programs
As discussed in this thread:
https://github.com/redhat-performance/tuned/issues/798#issuecomment-3197697654
/usr/share/factory/ is not intended to be read from by programs,
but the wording in the FHS can be misread to think that programs
should be using /usr/share/factory/ as the vendor supplied configuration
directory rather than something like /usr/lib/foo/ or /usr/share/foo/.
This commit points developers to the UAPI configuration spec for how to
make their programs hermetic /usr/ compatible.
Do not use "critical assert_return" in libsystemd or libudev
Previously, when compiled in developer mode, a call into libsystemd with
invalid parameters would result in an abort. This means that it's effectively
impossible to install such libsystemd in a normal system, since various
third-party programs may now abort. A shared library should generally never
abort or exit the calling program.
In python-systemd, the test suite calls into libsystemd, to check if the proper
return values are received and propagated through the Python wrappers.
Obviously with libsystemd compiled from git, the test suite now fails
in a nasty way.
So rework the code to set assert_return_is_critical similarly to how we handle
mempool enablement: the function that returns true is declared as a week
symbol, and we "opt in" by linking a file that provides the function in
libsystemd-shared. Effectively, libsystemd and libudev always have
assert_return_is_critical==false, and our binaries and modules enable it
conditionally.
The function internally does caching which means that the result must
always be the same, the definition of a pure function. The compiler might
be able to optimize some repeated calls to the function.
Daniel Foster [Thu, 17 Jul 2025 23:59:14 +0000 (09:59 +1000)]
tree-wide: extend $LISTEN_FDS protocol with $LISTEN_PIDFDID
Although extremely unlikely, there is a race present in solely checking the
$LISTEN_PID environment variable, due to PID recycling. Fix that by introducing
$LISTEN_PIDFDID, which contains the 64-bit ID of a pidfd for the child process
that is not subject to recycling.
importd: downgrade log message about bound capability set dropping + netns
An unprivileged process cannot reduce its own capability bounding set,
hence, while it is nice to reduce the set, let's not log about it
loudly, in case we are invoked unpriv (which we explicity support these
days after all).
An unpriv process also cannot detach from its netns, hence also
downgrade the warning to a debug message.
importd: support unpacking tarballs to foreign UID range
When invoked unprivileged, let's use a transiently allocated userns, so
that we can properly untar UIDs/GIDs so that the trees appear owned by
the foreign UID/GID range.
importd: clean up how we determine image root in importd backends
Let's introduce a single helper that determines where to download images
to, taking all three primary parameters into account: the image class,
the runtime scope and whether to do runtime or persistency.
Then port everything over to this.
This not only cleans things up, but makes sure the importd backends
actually properly can deal with per-user downloads, as before we never
took the runtime scope into account for determining download location.
The runtime scope logic is internally already in place, let's expose
this via getopt() command line too. This way importd later can propagate
the invocation scope down to the backends.
install-file: add flags to handle RO and syncing failures graceful
When operating in unprivileged mode we might not be able to execute the
necessary operations to make a disk image read-only (because
FS_IMMUTABEL_FL needs privs for example), and syncing (because for that
we might need to open the root inode, but that might not be possible
from the outside).
Let's deal with that by making these operation optional: if they work
great, if not they don't.
copy: make copy_tree_at_full()'s 'to' parameter optional
Sometimes it's quite useful to pin a source dir via an fd, as well as a
target dir the same way, and then ask copy_tree_at_full() to copy the
contents from one to the other. Make this possible, by allowing 'to' be
NULL. (Previously, it had to be non-NULL, i.e. the function would always
create a new dir, no matter what.)
Yu Watanabe [Sun, 19 Oct 2025 04:16:19 +0000 (13:16 +0900)]
ci/oss-fuzz: switch to Ubuntu 24.04
With
https://github.com/google/oss-fuzz/pull/14112 and
https://github.com/google/oss-fuzz/pull/14128,
we can now use Ubuntu 24.04. Let's bump the image version.
Note, the i386 build failure mentioned in the removed comment is related to
https://bugs.launchpad.net/ubuntu/+source/linux-signed-azure/+bug/2071445
https://github.com/actions/runner-images/issues/9977
and has been already fixed.
Yu Watanabe [Sun, 19 Oct 2025 03:38:35 +0000 (12:38 +0900)]
TEST-75-RESOLVED: stop socket units before stopping the main service
Fixes the following warning:
TEST-75-RESOLVED.sh[2251]: ++ restart_resolved
TEST-75-RESOLVED.sh[2251]: ++ systemctl stop systemd-resolved.service
TEST-75-RESOLVED.sh[2271]: Stopping 'systemd-resolved.service', but its triggering units are still active:
TEST-75-RESOLVED.sh[2271]: systemd-resolved-monitor.socket, systemd-resolved-varlink.socket
Hans de Goede [Mon, 20 Oct 2025 18:52:00 +0000 (20:52 +0200)]
hwdb: Add V64x_V65xAU to list of Clevo models where scancode f7+f8 get mapped to touchpad-toggle
Fn + F1 which is the shortcut for toggling the touchpad on/off sends
atkbd scancodes f7 (first press) + f8 (second press) just like on various
other Clevo models. Add the V64x_V65xAU model to the list of models where
these scancodes are mapped to touchpad-toggle.
networkd: call networkd a "network management" rather "network configuration" tool
This has irked me for a while. For me network configuration is the stuff
we store on disk in configuration file. And networkd then *applies* the
configuration. But the units so far claimed that networkd was the
"configuration" itself. Which I guess might make sense to some, but to
me sounds a bit unprecise. Let's clean this up, and call what networkd
is doing "Network Management".
projects / thirdparty / systemd.git / log
