Luca Boccassi [Mon, 20 Oct 2025 23:39:44 +0000 (00:39 +0100)]
dissect: support mount options when going through mountfsd
RootImageOptions=/ExtensionImages=/MountImages= all support
custom mount options, use the new mountfsd parameters to
configure them if they are specified.
This requires additioanl privileges via polkit due to security
implications of mount options, so document an example policy
that allows to use the nosuid mount option.
Luca Boccassi [Mon, 20 Oct 2025 23:39:16 +0000 (00:39 +0100)]
mountfsd: add support for mount options
RootImageOptions=/ExtensionImages=/MountImages= all support custom
mount options, but mountfsd does not support it. Add varlink
parameters to allow callers to specify mount options so that
those directives can work as expected.
Given the security implications of some mount options (e.g.: ACLs,
SELinux), require additional privileges to use custom mount options.
Pass the list of requested options to polkit details, so that the
policy can check the exact details if needed, for example to only
allow nosuid and reject the rest.
Luca Boccassi [Sat, 25 Oct 2025 17:40:44 +0000 (18:40 +0100)]
core: change mount options settings so that last defined wins
Currently mount options are handled in such a way that the first
definition for a given partition wins, and documented as such.
Change them so that they behave like other options, and the
last specified wins.
Applies to RootImageOptions=, MountImages= and ExtensionImages=.
Switch from a linked list to an array indexed by the partition
specifier to store them.
Yu Watanabe [Tue, 6 Jan 2026 16:36:20 +0000 (01:36 +0900)]
core: add support for disabling THPs (#39085)
Transparent Hugepages (THP) is a Linux kernel feature that manages
memory using larger pages (2MB on x86, compared to the default 4KB). The
main goal is to improve memory management efficiency and system
performance, especially for memory-intensive applications. However, it
can cause drawbacks in some scenarios, such as memory regression and
latency spikes. THP policy is governed for the entire system via
/sys/kernel/mm/transparent_hugepage/enabled.
However, it can be overridden for individual workloads via prctl(2) call.
MemoryTHP= is used to disable THPs at exec-invoke to stop providing THPs
for workloads where the drawbacks outweigh the advantages. When set to
"disable", MemoryTHP= disables THPs completely for the process,
irrespective of global THP controls.
Usama Arif [Mon, 15 Sep 2025 12:33:28 +0000 (13:33 +0100)]
core: introduce MemoryTHP= unit file setting
Transparent Hugepages (THP) is a Linux kernel feature that manages
memory using larger pages (2MB on x86, compared to the default 4KB).
The main goal is to improve memory management efficiency and system
performance, especially for memory-intensive applications.
However, it can cause drawbacks in some scenarios, such as memory
regression and latency spikes. THP policy is governed for the entire
system via /sys/kernel/mm/transparent_hugepage/enabled.
However, it can be overridden for individual workloads via prctl(2)
call.
MemoryTHP= is used to disable THPs at exec-invoke to stop
providing THPs for workloads where the drawbacks outweigh the advantages.
When set to "disable", MemoryTHP= disables THPs completely for the
process, irrespecitive of global THP controls.
When set to "madvise", MemoryTHP= disables THPs for the process except
when specifically madvised by the process with MADV_HUGEPAGE or MADV_COLLAPSE.
Luca Boccassi [Mon, 17 Nov 2025 14:44:18 +0000 (14:44 +0000)]
Drop support for sysvinit scripts
As announced by a few releases now, finally drop support for
sysvinit scripts.
Keep rc-local generator for now, as it's really a distinct
feature even though from the same era.
Luca Boccassi [Mon, 17 Nov 2025 14:58:27 +0000 (14:58 +0000)]
rc-local and sysvinit are independent, adjust meson/units/docs
They are separate and independent settings, so adjust meson rules
and unit files accordingly. It is possible to enable support for
rc-local script without support for sysvinit scripts, and viceversa.
This will become useful later when sysvinit scripts support is
removed.
Derek J. Clark [Tue, 6 Jan 2026 04:07:21 +0000 (20:07 -0800)]
hwdb: Add missing vendor names for older AYANEO devices
Adds AYADEVICE and AYA NEO vendor names. Early founders editon and 2021 models used these DMI values instead of AYANEO
Derek J. Clark [Tue, 6 Jan 2026 03:01:30 +0000 (19:01 -0800)]
hwdb: Add missing scancodes for Lenovo Legion devices
Adds missing scancodes for Lenovo Legion Go, Go S, and Go 2. When long
pressing the power button the device should issue a LEFTMETA + F16
combo. The LEFTMETA code fires properly, but the F16 is not mapped.
Go and Go S devices detect as AT Translated Set 2 Keyboard, while Go 2
detects as AT Raw Set 2 Keyboard, hence the multiple entries.
Signed-off-by: Derek J. Clark <derekjohn.clark@gmail.com>
Yu Watanabe [Mon, 5 Jan 2026 12:21:59 +0000 (21:21 +0900)]
TEST-13-NSPAWN: remove pulled image on exit
Otherwise, if the VM is unexpectedly rebooted, then `importctl --user pull-tar`
may fail as the file may already exist.
```
[ 123.351751] TEST-13-NSPAWN.sh[3946]: + run0 -u testuser importctl --user pull-tar file:///var/tmp/image-tar/kurps.tar.gz nurps --verify=checksum -m
[ 123.541603] TEST-13-NSPAWN.sh[4311]: Enqueued transfer job 3. Press C-c to continue download in background.
[ 123.552456] TEST-13-NSPAWN.sh[4311]: Pulling 'file:///var/tmp/image-tar/kurps.tar.gz', saving as 'nurps'.
[ 123.552788] TEST-13-NSPAWN.sh[4311]: Operating on image directory '/home/testuser/.local/state/machines'.
[ 123.819942] TEST-13-NSPAWN.sh[4311]: Got 1% of file:///var/tmp/image-tar/kurps.tar.gz.
[ 124.156557] TEST-13-NSPAWN.sh[4311]: * shutting down connection #0
[ 124.156896] TEST-13-NSPAWN.sh[4311]: * Could not open file /var/tmp/image-tar/kurps.tar.gz.sha256
[ 124.157223] TEST-13-NSPAWN.sh[4311]: * closing connection #-1
[ 124.159198] TEST-13-NSPAWN.sh[4311]: * Could not open file /var/tmp/image-tar/kurps.nspawn
[ 124.159493] TEST-13-NSPAWN.sh[4311]: * closing connection #-1
[ 124.159818] TEST-13-NSPAWN.sh[4311]: Acquired 68.5M.
[ 124.160395] TEST-13-NSPAWN.sh[4311]: Download of file:///var/tmp/image-tar/kurps.tar.gz complete.
[ 124.160664] TEST-13-NSPAWN.sh[4311]: Transfer failed: Could not read a file:// file
[ 124.160923] TEST-13-NSPAWN.sh[4311]: Settings file could not be retrieved, proceeding without.
[ 124.404733] TEST-13-NSPAWN.sh[4311]: * shutting down connection #1
[ 124.405162] TEST-13-NSPAWN.sh[4311]: Acquired 79B.
[ 124.406170] TEST-13-NSPAWN.sh[4311]: Download of file:///var/tmp/image-tar/SHA256SUMS complete.
[ 124.406734] TEST-13-NSPAWN.sh[4311]: SHA256 checksum of file:///var/tmp/image-tar/kurps.tar.gz is valid.
[ 124.455446] TEST-13-NSPAWN.sh[4311]: Failed to rename to final image name to /home/testuser/.local/state/machines/.tar-file:\x2f\x2f\x2fvar\x2ftmp\x2fimage-tar\x2fkurps\x2etar\x2egz: File exists
[ 124.457251] TEST-13-NSPAWN.sh[4311]: Exiting.
```
Workaround for issue #38240.
Nick Rosbrook [Mon, 5 Jan 2026 14:29:53 +0000 (09:29 -0500)]
mkosi: stop using noble-proposed for qemu
The qemu update migrated to noble-updates a couple weeks ago, so it is
no longer necessary to enable noble-proposed (or add the associated apt
pinning config).
Nick Rosbrook [Fri, 19 Dec 2025 16:01:49 +0000 (11:01 -0500)]
ukify: omit .osrel section when --os-release= is empty
The primary motivation for this is to allow users of ukify to build
UKI-like objects, without having them later be detected as a UKI by
tools like kernel-install and bootctl.
The common code used by these tools to determine if a PE binary is a UKI
checks that both .osrel and .linux sections are present. Hence, adding
a mechansim to skip .osrel provides a way to avoid being labeled a UKI.
Mike Yuan [Sun, 4 Jan 2026 22:21:14 +0000 (23:21 +0100)]
idn: drop support for libidn
The current tree doesn't even compile with libidn(1) after 2c7bdaf9f144ad339c72628579183fc849f2b794, which included
a non-existent call to check_dlopen_blocked() somehow.
Hence, it feels safe to just nuke legacy support from
our repo.
Kai Lueke [Thu, 27 Nov 2025 08:49:15 +0000 (17:49 +0900)]
sysext: Get verity user certs from given --root=
The verity user certs weren't looked up in the given --root= for
systemd-sysext which made it fail to set up extensions with a strict
image policy.
Look up verity user certs from inside the --root= when we operate on
images in it. The main use case where this matters is when the initrd
sets up the extensions for the final system and thus systemd-sysext
should do the same thing as it would do in the final system.
man/systemd.socket: Document JoinsNamespaceOf= support
This has been supported since systemd v242 (specifically commit 7619cb32f0 if I’m not mistaken; added to NEWS in commit 4107452e51), but
the man page still claimed otherwise.
Yu Watanabe [Sun, 4 Jan 2026 18:12:26 +0000 (03:12 +0900)]
nss-systemd: always fill sg_adm and sg_mem in shadow groups (#40218)
The `sg_adm` and `sg_mem` fields are not always set in shadow groups,
which can lead to issues with foreign tools like shadow's `sg` command.
Since other NSS implementations properly set these fields and it would
otherwise be impossible to access `administrators` and `members`
information from JSON files, it's bets to always fill these fields.
Even though `sg` is a nice example which should be already installed,
the issue itself can be reproduced with this simple program as well. It
relies on filled `sg_adm` and `sg_mem` fields just like `sg` does:
2. Verify that group actually exists
```
$ userdbctl group sg-poc
Group name: sg-poc
Disposition: regular
GID: 6123
Admins: root
Service: io.systemd.NameServiceSwitch
```
3. Run `sg` to switch into group `sg-poc` as regular user, this time
with setuid, i.e. no strace as before
```
$ sg sg-poc
sg: list.c:169: is_on_list: Assertion `NULL != list' failed.
Aborted (core dumped) sg sg-poc
```
shared/install: ignore aliasing failure when doing presets
In recent Fedora, preset-all fails:
[ 155s] Failed to preset unit: File '/buildroot/etc/systemd/user/dbus.service'
already exists and is a symlink to /usr/lib/systemd/user/dbus-broker.service
[ 155s] ‣ "systemctl --root=/buildroot --global preset-all" returned non-zero exit code 1.
Strictly speaking, this is an error in configuration. The presets specify that
both dbus-broker.service and dbus-daemon.service shall be enabled and they both
claim the 'dbus.service' alias. But this kind of error is very easy to make.
Failing the preset operation is too harsh, since in most cases the system will
work fine without an alias and changes in unrelated components can cause the
conflict.
Let's reuse the same logic that was added in ad5fdd391248432e0c105003a8a13f821bde0b8e: when enabling the unit through
'preset' or 'preset-all', print the message, but suppress the error. When
enabling through 'enable', fail the operation.
Fill sg_adm and sg_mem in nss_pack_group_record_shadow to stay
compatible with other NSS getsgnam implementations which set these
members to NULL terminated string arrays.
Tools like shadow's sg would trigger a NULL pointer dereference with
groups only found through nss-systemd otherwise.
nss-systemd: set sg_adm/sg_mem in intrinsic groups
The sg_adm and sg_mem fields are supposed to point to a NULL terminated
string array. If these are NULL, some foreign tools like shadow's sg
trigger NULL pointer dereferences (or fortunately their asset() calls).
Previously, if execution failed, we'd log at error level both from the
child and the parent, and we were using a bogus variable for the argument
name:
$ build/systemd-inhibit list
Failed to execute : No such file or directory
list failed with exit status 1.
In general, we can and should assume that the program the user is calling
is well behaved, so it'll log the error on its own if appropriate. So we
shouldn't log on "normal errors", but only if the child is terminated by
a signal.
And since the program name is controlled by the user, use quotes everywhere
to avoid ambiguity.
Now:
$ build/systemd-inhibit false
(nothing)
$ build/systemd-inhibit bash -c 'kill -SEGV $$'
src/basic/process-util.c:895: 'bash' terminated by signal SEGV.
Fixes https://github.com/systemd/systemd/issues/39167. As described in the
issue, we documented various string values in the BLI, but bootctl didn't use
the string values. At the time menu-force and menu-hidden were added, using
numerical values for compatibility made sense. But that stopped being needed
when a string value that didn't have a strictly equivalent numerical value and
a feature flag were added.
When converting a large number to menu-force, message is downgraded to debug,
since the severity of the issue is very minor. Debug messages are added in
other places when the requested setting is modified too.
switch-root: don't do rm_rf() of old superblock on switch root if pivot_root() worked
We do the rm_rf_children() call only because in some cases we cannot
pivot_root() and hence the orginal root superblock stays pinned, and we
thus have to empty it to minimize its memory use. But if pivot_root()
worked (and the umount() for the old root), then there's really no need
to do this work.
Dropping this codepath is useful in context of Christian's recent work
to make the original initrd tmpfs unmountable, which means pivot_root()
will work, and thus there's no need to empty the tmpfs anymore, and we
can speed up boot a bit.
Yu Watanabe [Sat, 3 Jan 2026 03:46:56 +0000 (12:46 +0900)]
core: do not provide non-dynamic user through DBus/Varlink
With a service with DynamicUser= with static user or group, e.g.,
```
$ systemd-run -p DynamicUser=yes -p Group=disk sleep infinity
```
previously the lookup by name and ID through DBus/Varlink are inconsistent:
```
$ busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LookupDynamicUserByUID "u" 6
Call failed: Dynamic user ID 6 does not exist.
$ busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LookupDynamicUserByName "s" disk
u 6
$ userdbctl group 6
Group name: disk
Disposition: system
GID: 6
Passwords: 1
Service: io.systemd.NameServiceSwitch
$ userdbctl group disk
Group name: disk
Disposition: dynamic
GID: 6
Description: Dynamic Group
Service: io.systemd.DynamicUser
```
With this change, the results of these methods are consistent.
DaanDeMeyer [Fri, 26 Dec 2025 20:58:04 +0000 (21:58 +0100)]
pull-tar: Insist on foreign UID when copying
If we're doing foreign UID range copying, we're going to be joining
a private user namespace before doing the copy. copy_tree() insists
on keeping all UIDs/GIDs the same when copying. Hence, all the
UIDs/GIDs of the files we're copying should be in the private UID
range, which means they need to be owned by the foreign UID range
and we always need to call mountfsd_mount_directory_fd(). So there's
no point in having a fallback path if the source directory is not
foreign UID range owned, we'd simply fail to copy it later. Hence,
insist on the source directory being foreign UID range owned.
Daan De Meyer [Sun, 14 Dec 2025 15:04:57 +0000 (16:04 +0100)]
sd-json: Fix sd_json_variant_type_to_string parameter name
The definition will use i because of the macro, so
let's use i in the declaration as well. We can't
use DECLARE_STRING_TABLE_LOOKUP_TO_STRING() because
sd-json.h is a libsystemd public header.
Daan De Meyer [Wed, 26 Nov 2025 14:52:46 +0000 (15:52 +0100)]
clang-tidy: Block system headers with errors
blkid.h and gmessages.h both use const for arguments that are passed
by value, which is pointless and triggers clang-tidy warnings, so exclude
them from processing.
Daan De Meyer [Mon, 15 Dec 2025 08:08:00 +0000 (09:08 +0100)]
sd-journal: Remove const from function parameter
boot_id is already passed by value, and hence copied.
Since we don't apply const to function parameters
that are copied anywhere else, let's drop the const
here as well for consistency.
Daan De Meyer [Fri, 19 Dec 2025 18:43:21 +0000 (19:43 +0100)]
tree-wide: Use pamh as pam_handle_t parameter name
libpam uses pamh in its function declarations for
the plugin API so let's use the same name in our
tree as well.
Making sure the plugin function definitions match
the plugin function declarations is required to
enable clang-tidy's
readability-inconsistent-declaration-parameter-name
check, but to keep things consistent everywhere we
opt to use pamh tree-wide.
Yu Watanabe [Sat, 25 Oct 2025 04:41:33 +0000 (13:41 +0900)]
libcrypt-util: turn into dlopen() dependency
Note, this drops logging only test case for crypt_preferred_method(),
as that requires explicitly dlopen() the library. But, we should test
that make_salt() and friends automatically dlopen() it.
Yu Watanabe [Sun, 17 Aug 2025 14:03:44 +0000 (23:03 +0900)]
Require libxcrypt-4.4.0 or newer and drop support of libcrypt
libcrypt was no longer built by default since glibc-2.38, and it has been
completely removed since glibc-2.39.
Let's always use libxcrypt, unless when building with musl. As already
major distribution already have libxcrypt-4.4.x, hence let's also bump
the required minimum version to 4.4.0.
libxcrypt cannot be built with musl, hence the previous fallback logic
in libcrypt-util.c are moved to musl/crypt.c.
Note, libxcrypt-4.4.0 was released on 2018-11-20.
See also #38608.
Yu Watanabe [Sun, 17 Aug 2025 15:58:56 +0000 (00:58 +0900)]
Bump required minimum version of libseccomp to 2.4.0
Major distributions already have libseccomp 2.5.x or newer.
Let's bump to the required minimum version to 2.4.0, which provides
SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC, and
SCMP_ARCH_PARISC64.
Note, libseccomp 2.4.0 was released on 2019-03-15.
projects / thirdparty / systemd.git / log
