Luca Boccassi [Mon, 24 Nov 2025 20:07:00 +0000 (20:07 +0000)]
fido2: fix enrolling when UV is required ('alwaysUv')
When a Yubikey or other fido2 device has FIPS mode enabled, UV will
always be required and cannot be disabled. Unhelpfully, when it is not
sent down, the hardware token (not the library) returns a generic
FIDO_ERR_MISSING_PARAMETER:
Jeremy Kerr [Fri, 11 Jul 2025 01:34:05 +0000 (09:34 +0800)]
udev-builtin-net_id: Extend persistent naming support to MCTP interfaces
Now that we have Management Component Transport Protocol (MCTP) transports
available over USB, it would be helpful to apply udev's persistent
naming rules to MCTP interfaces, to follow the USB hub/port topology.
Enable persistent naming for ARPHRD_MCTP-type devices, using a "mc" name
prefix, and add appropriate definitions for the v260 naming scheme.
Popax21 [Tue, 9 Dec 2025 01:56:01 +0000 (02:56 +0100)]
nss-resolve: add env var to specify resolved ifindex
Adds a new `SYSTEMD_NSS_RESOLVE_INTERFACE` environment variable to the nss-resolve module, whose value is subsequently passed down to the `ifindex` resolved lookup option.
This allows name lookups to be constrained to just a single interface, e.g. for captive portal browsers.
* 6f15bdaae7 Update architecture match for 50-pid-max.conf (v3)
* 333cc1fcc5 Downgrade depends to recommends for IPC endpoint of respective libnss modules
* ab99a1b51a Revert "Update architecture match for 50-pid-max.conf"
* b93d7f855a Update changelog for 259~rc3-1 release
* 95c7f8a3d6 Install new udev rule
* 89509d9692 d/t/tests-in-lxd: re-construct --pin-packages arguments for autopkgtest
* 6b77249c71 d/extra/dbus-1: rename systemd-localed-read-only.conf
* 819831c19a Update architecture match for 50-pid-max.conf
* 0ddff89e9d Mirror dmi_arches from meson.build into debian/udev.install
* 398e8791db d/t/control: pull in optional libs for boot-and-services too
* c727922ad5 Update changelog for 259~rc2-1 release
* 8faf105531 Install new varlinkctl bash completion script
* f4b4cea2be d/t/control: ensure unit-tests autopkgtest pulls in dlopened libraries for test
* 7e8aba9883 Update changelog for 259~rc1-1 release
* 5953c42402 Update symbols file for v259~rc1
* 353125ccfa Install new files for v259~rc1
* ca22d1ca4f Drop patches, all merged upstream
* 32c75efca2 d/t/unit-config: fix python decorator copypasta
* e32179d633 d/rules: disable sysv compat in upstream builds
* cf77bd44be Install new files for upstream build
* aa564e5d3b kernel-install: skip 55-initrd.install when an initrd is already staged
In setup_output() we assume stdout has been set up properly
before stderr, hence the stdout we're inheriting from must
be writable (or more precisely, would have been adjusted to be).
Hence no need to duplicate it.
Mike Yuan [Sat, 22 Nov 2025 18:23:53 +0000 (19:23 +0100)]
core/exec-invoke: split out maybe_inherit_stdout_from_stdin(), use exec_input_is_inheritable()
Note that exec_input_is_inheritable() rightfully refuses EXEC_INPUT_FILE,
in which case std_output would have been reset in service_fix_stdio()
already.
While at it, use the generic fallback logic of first trying user manager
stdout when stdin is not writable.
Mike Yuan [Sat, 22 Nov 2025 06:10:09 +0000 (07:10 +0100)]
core/execute-serialize: clean up stdio serialization
* Do not interleave root_directory_as_fd with stdio fields
* Do not use different serialization key for different modes
pointing to same path
* Escape stdio file paths (as per 9be46b1da8b01c3f47e6c050185f2b45484d6300)
Luca Boccassi [Wed, 3 Dec 2025 18:59:34 +0000 (18:59 +0000)]
core: set Result=start-limit-hit when a unit is rate limited
There is currently no way to figure out that a rate limit was hit on a unit,
as the last result is stripped in order to keep reporting the first
result, which is useful in case of a watchdog failure, which is the
reason why it was changed as such.
But rate limiting is also important information to provide to
users, so allow the Result property to reflect it when it
happens.
man/systemd-boot: say that /EFI/systemd/drivers is for hardware
In aad0d11e7c6f1f7dcc7b00173140c74b8abf88cc we stopped supporting XBOOTLDR
with a different fs driver. This was the primary example that comes to mind
when we talk about loading filesystem drivers in the firmware. Since we don't
want people to load such drivers, use a different example.
docs/BOOT_LOADER_INTERFACE: use full variable names once
We said in the header that "all EFI variables use the vendor UUID 4a67b082-0a4c-41cf-b6c7-440b29bb8c4f", but people not familiar with
UEFI might not know that this is concatenated with the variable name.
Let's use the full form once — when introducing the variable — to
make it easier to grep and search for.
While at it, use sembreaks in the document. This makes subsequent
changes much easier to review. (It also shows that some sentences
are rather long and thus hard to understand.)
Haiyue Wang [Wed, 17 Dec 2025 08:02:31 +0000 (16:02 +0800)]
meson: fix BPF build warnings due to MS extensions
Fix BPF program build warnings on Linux-6.19.0-rc1; more detail in [1]:
A). clang-bpf
[781/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command
In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3:
./vmlinux.h:60263:3: warning: declaration does not declare anything [-Wmissing-declarations]
60263 | struct ns_tree;
| ^~~~~~~~~~~~~~
./vmlinux.h:80251:2: warning: declaration does not declare anything [-Wmissing-declarations]
80251 | struct __fs_path;
| ^~~~~~~~~~~~~~~~
./vmlinux.h:96184:2: warning: declaration does not declare anything [-Wmissing-declarations]
96184 | struct freelist_tid;
| ^~~~~~~~~~~~~~~~~~~
./vmlinux.h:114441:2: warning: declaration does not declare anything [-Wmissing-declarations]
114441 | struct renamedata;
| ^~~~~~~~~~~~~~~~~
./vmlinux.h:118480:2: warning: declaration does not declare anything [-Wmissing-declarations]
118480 | union pipe_index;
| ^~~~~~~~~~~~~~~~
./vmlinux.h:130452:4: warning: declaration does not declare anything [-Wmissing-declarations]
130452 | struct freelist_counters;
| ^~~~~~~~~~~~~~~~~~~~~~~~
6 warnings generated.
B). gcc-bpf
meson setup -Dbpf-compiler=gcc build
[1040/2458] Generating src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.unstripped.o with a custom command
In file included from ../src/network/bpf/sysctl-monitor/sysctl-monitor.bpf.c:3:
./vmlinux.h:60263:31: warning: declaration does not declare anything
60263 | struct ns_tree;
| ^
./vmlinux.h:80251:25: warning: declaration does not declare anything
80251 | struct __fs_path;
| ^
./vmlinux.h:96184:28: warning: declaration does not declare anything
96184 | struct freelist_tid;
| ^
./vmlinux.h:114441:26: warning: declaration does not declare anything
114441 | struct renamedata;
| ^
./vmlinux.h:118480:25: warning: declaration does not declare anything
118480 | union pipe_index;
| ^
./vmlinux.h:130452:49: warning: declaration does not declare anything
130452 | struct freelist_counters;
| ^
[1] https://git.kernel.org/torvalds/c/639f58a0f480
"bpftool: Fix build warnings due to MS extensions"
Andrew Halaney [Mon, 15 Dec 2025 21:47:17 +0000 (15:47 -0600)]
man/systemd.exec: Make EnvironmentFile error conditions more explicit
It is not entirely clear what happens when EnvironmentFile fails in the
prior wording. With the new wording it should now be clear that if it
fails to process the file the service will fail, and if it is prefixed
with "-" all errors are silently ignored.
Signed-off-by: Andrew Halaney <ahalaney@netflix.com>
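The two behaviours described in that commit message (an unprefixed EnvironmentFile= that cannot be processed fails the service, a "-"-prefixed one is silently skipped) can be modelled in a few lines. The following is an added illustration, not systemd's parser: it assumes a simplified KEY=VALUE file format (comments with "#" or ";", no quoting or line continuations) and stands in for the service failure by letting the exception propagate.

```python
import tempfile
from pathlib import Path


def parse_env_file(text):
    """Parse KEY=VALUE lines. Simplified model (assumption): '#'/';' comment
    lines and blank lines are skipped, no shell quoting is interpreted."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    return env


def load_environment_files(directives):
    """Apply EnvironmentFile= values in order, later files overriding earlier keys.

    A value prefixed with '-' swallows every error for that file (missing,
    unreadable, malformed). Without the prefix the error propagates, which is
    the modelled equivalent of the service failing to start."""
    env = {}
    for directive in directives:
        optional = directive.startswith("-")
        path = directive[1:] if optional else directive
        try:
            env.update(parse_env_file(Path(path).read_text()))
        except (OSError, ValueError):
            if not optional:
                raise
    return env


def demo():
    """Build constructed fixture files in a temp dir and exercise both cases."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "good.env")
        good.write_text("# constructed sample\nFOO=bar\nBAZ=1\n")
        missing = str(Path(tmp, "missing.env"))

        # Optional missing file: ignored, the good file's values survive.
        merged = load_environment_files([str(good), "-" + missing])

        # Required missing file: the error propagates.
        try:
            load_environment_files([missing])
            required_missing_failed = False
        except OSError:
            required_missing_failed = True

    return {"merged": merged, "required_missing_failed": required_missing_failed}


if __name__ == "__main__":
    print(demo())
```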
Luca Boccassi [Tue, 16 Dec 2025 21:44:57 +0000 (21:44 +0000)]
test: fix race condition in TEST-80-NOTIFYACCESS
In some cases systemd is faster to send the SIGHUP
than the script is to start the 'sleep' and background
it, so it never gets interrupted later and the test
is left hanging waiting for it.
[ 5028.410588] systemd[1]: Starting reload-timeout.service...
[ 5028.429544] reload-timeout.sh[165]: + set -o pipefail
[ 5028.429544] reload-timeout.sh[165]: + COUNTER=0
[ 5028.429841] reload-timeout.sh[165]: + trap sighup_handler SIGHUP
[ 5028.429841] reload-timeout.sh[165]: + export SYSTEMD_LOG_LEVEL=debug
[ 5028.429841] reload-timeout.sh[165]: + SYSTEMD_LOG_LEVEL=debug
[ 5028.429841] reload-timeout.sh[165]: + systemd-notify --ready
[ 5028.432891] systemd[1]: reload-timeout.service: Got notification message from PID 165: READY=1
[ 5028.432908] systemd[1]: reload-timeout.service: Changed start -> running
[ 5028.432983] systemd[1]: reload-timeout.service: Job 409 reload-timeout.service/start finished, result=done
[ 5028.432997] systemd[1]: Started reload-timeout.service.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Job for reload-timeout.service finished.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Got result done/Success for job reload-timeout.service.
[ 5028.433941] TEST-80-NOTIFYACCESS.sh[164]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.436949] TEST-80-NOTIFYACCESS.sh[99]: + systemctl reload --no-block reload-timeout.service
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state UNSET → OPENING
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: sd-bus: starting bus by connecting to /run/systemd/private...
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state OPENING → AUTHENTICATING
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Executing dbus call org.freedesktop.systemd1.Manager ReloadUnit(reload-timeout.service, replace)
[ 5028.444523] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state AUTHENTICATING → RUNNING
[ 5028.445202] reload-timeout.sh[165]: + wait_for_signal
[ 5028.445586] reload-timeout.sh[169]: + sleep infinity
[ 5028.447285] reload-timeout.sh[165]: ++ sighup_handler
[ 5028.447285] reload-timeout.sh[165]: ++ echo hup1
[ 5028.444886] systemd[1]: reload-timeout.service: Trying to enqueue job reload-timeout.service/reload/replace
[ 5028.445228] systemd[1]: reload-timeout.service: Installed new job reload-timeout.service/reload as 491
[ 5028.445240] systemd[1]: reload-timeout.service: Enqueued job reload-timeout.service/reload as 491
[ 5028.446601] systemd[1]: reload-timeout.service: Service has no extensions to reload.
[ 5028.446799] systemd[1]: reload-timeout.service: Changed running -> reload-signal
[ 5028.446881] systemd[1]: Reloading reload-timeout.service...
[ 5028.451343] TEST-80-NOTIFYACCESS.sh[167]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.452421] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-signal" ]]; do sleep .5; done'
[ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state UNSET → OPENING
[ 5028.460676] TEST-80-NOTIFYACCESS.sh[172]: sd-bus: starting bus by connecting to /run/systemd/private...
[ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state OPENING → AUTHENTICATING
[ 5028.462029] TEST-80-NOTIFYACCESS.sh[172]: Showing one /org/freedesktop/systemd1/unit/reload_2dtimeout_2eservice
[ 5028.463759] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state AUTHENTICATING → RUNNING
[ 5028.470322] TEST-80-NOTIFYACCESS.sh[172]: Bus n/a: changing state RUNNING → CLOSED
[ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + sync_in hup1
[ 5028.472991] TEST-80-NOTIFYACCESS.sh[99]: + read -r x
[ 5028.473839] reload-timeout.sh[165]: + wait 169
[ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + test hup1 = hup1
[ 5028.473996] TEST-80-NOTIFYACCESS.sh[99]: + timeout 10 bash -c 'until [[ $(systemctl show reload-timeout.service -P SubState) == "reload-notify" ]]; do sleep .5; done'
[ 5038.477383] systemd[1]: TEST-80-NOTIFYACCESS.service: Failed with result 'exit-code'.
(note how the 'wait' is long after SIGHUP has been processed already)
Vivian Wang [Wed, 17 Dec 2025 06:03:30 +0000 (14:03 +0800)]
stub: Use log_debug if addons has no applicable sections
This can happen expectedly if an addon purely provides .dtbauto
sections, and there's no match for this machine. Reduce the log message
of this case to "debug" level.
This fixes extensions refreshing + verity-protected DDIs.
TEST-50-DISSECT previously passed because confext refreshing
is tested after live mount, the latter of which used to
load libcryptsetup in pid1.
rename() may yield ENOTEMPTY rather than EEXIST for existing dir,
so catch that too. Also, both the source and target must be
writable when exchanging.
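The errno point above is easy to get wrong in any code that moves a directory into place: Linux reports a non-empty existing target directory as ENOTEMPTY, other systems as EEXIST, and a caller that only checks one of them will treat the other as an unexpected failure. The following is an added example written for this page, not systemd's code; it uses a plain rename() rather than an exchange, and constructs its own temporary directories.

```python
import errno
import os
import tempfile
from pathlib import Path


def rename_unless_target_exists(src, dst):
    """Rename src to dst. Return True on success, False when dst is an
    existing (non-empty) directory, which the kernel may report as either
    ENOTEMPTY or EEXIST. Any other error propagates unchanged."""
    try:
        os.rename(src, dst)
    except OSError as e:
        if e.errno in (errno.ENOTEMPTY, errno.EEXIST):
            return False
        raise
    return True


def demo():
    """Constructed scenario: a staged directory, an occupied target, a fresh one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "staged")
        existing = Path(tmp, "existing")
        fresh = Path(tmp, "fresh")
        src.mkdir()
        existing.mkdir()
        (existing / "keep").write_text("must not be clobbered")
        (src / "payload").write_text("new content")

        onto_existing = rename_unless_target_exists(src, existing)
        onto_fresh = rename_unless_target_exists(src, fresh)

        return {
            "renamed_onto_existing": onto_existing,
            "existing_kept": (existing / "keep").exists(),
            "renamed_onto_fresh": onto_fresh,
            "payload_moved": (fresh / "payload").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

Only the two "target already there" errno values are folded into the boolean; permission errors on an unwritable source or target directory still surface as exceptions, which is the behaviour one wants when the caller is expected to have write access to both sides.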
Test coverage for this logic (i.e. user units with ExecStartPre=)
will be added later.
Mike Yuan [Tue, 16 Dec 2025 00:54:40 +0000 (01:54 +0100)]
process-util: add a flag for retaining dlopen()-ability
While blocking dlopen() in child generally makes sense, it does
also lead to misery - in the very case of extension/cred refreshing
it then enforces loading of libcryptsetup/libacl in pid1, which
are otherwise never used. Let's add a flag to opt out hence, but
still prohibit it in namespace_fork/enter().
* 9e31235211 pacman: Make sure hookdir exists
* 20009b7f48 make_image: log systemd-repart *.conf files at the --debug level
* b94b415db9 run: Increase string limit for strace when debugging sandbox
* 9f6d9405d6 Ring the terminal bell after the last image has been built
* b509b4246d Add glob in default initrd to exclude some exotic drivers
* 189394b8b9 Allow KernelModules= globs to also match relative to modules root dir
* 92bd086e4e zypper: add --force-resolution flag
* 3637749702 kmod: Only add fully resolved fw path if it exists
* d41ac276c9 Add details to KernelModulesInitrd= doc
* 1b6960ddb1 Fix SplitArtifacts=repart-definitions for addons
* 07464f38d6 Add log_step call in build_kernel_modules_initrd
* 18f5885362 Use proper constants for ansi colors
* 454c1602b6 mkosi-obs: add SplitArtifacts=repart-definitions and use it
* 9e57461af6 Copy repart definitions to staging directory
* 1acab18874 Add SplitArtifacts=repart-definitions
* c5c5c225e8 mkosi-obs: always include verity certificate
* ac5babb8e0 Revert "Use Path.relative_to instead of Path.parts"
* cbb1daeb76 action: Use environment variables instead of inputs
* 97c81eef72 portable: support split roothash
PCR 16 is intended for debugging purposes, and is the only PCR that can
be reset by software. Let's prefer that for testing.
PCR 11 has a purpose (i.e. kernel is measured there on UKI systems, as
are the boot phases), hence let's not use that for testing.
That should remove any interference of boot time ordering and testing
our tpm code, as we will write to PCR 16 only, and reset it before we
rely on it.
This likely, kind of fixes #39582, but the issue mixes two things, PCR
11 issues on real-life hardware, and PCR 11 issues in our artificial
tests. Only the latter is addressed by this PR, the other issue needs
more debugging, but without logs we cannot do much.
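Why a resettable PCR makes a test deterministic follows directly from how PCR extend works: each extend folds the previous value in, so a register the test cannot reset carries whatever boot-time measurements happened first. The toy bank below is an added example, not systemd's TPM code; it assumes the TPM 2.0 SHA-256 extend rule PCR_new = SHA256(PCR_old || SHA256(data)), and, following the commit text, treats PCR 16 as the one register software may reset.

```python
import hashlib

PCR_COUNT = 24
DIGEST_LEN = 32
# Per the commit text, PCR 16 (debug) is the PCR software can reset (assumption:
# modelled here as the only resettable register).
RESETTABLE_PCRS = {16}


class PcrBank:
    """Toy SHA-256 PCR bank. Not a TPM driver; it only models extend/reset."""

    def __init__(self):
        self.values = [bytes(DIGEST_LEN)] * PCR_COUNT

    def extend(self, index, data):
        digest = hashlib.sha256(data).digest()
        self.values[index] = hashlib.sha256(self.values[index] + digest).digest()
        return self.values[index]

    def reset(self, index):
        if index not in RESETTABLE_PCRS:
            raise PermissionError(f"PCR {index} cannot be reset by software")
        self.values[index] = bytes(DIGEST_LEN)

    def read(self, index):
        return self.values[index]


def expected_after_extends(chunks):
    """Independent recomputation: the value a freshly zeroed PCR holds after
    being extended with each chunk in order."""
    acc = bytes(DIGEST_LEN)
    for chunk in chunks:
        acc = hashlib.sha256(acc + hashlib.sha256(chunk).digest()).digest()
    return acc


def demo():
    bank = PcrBank()
    # Constructed "earlier boot" activity the test does not control.
    bank.extend(11, b"kernel-image-measurement")
    bank.extend(16, b"leftover from an earlier test run")

    # Test strategy from the commit: reset PCR 16 first, then rely on it.
    bank.reset(16)
    ours = [b"test-phase-1", b"test-phase-2"]
    for chunk in ours:
        bank.extend(16, chunk)
    pcr16_deterministic = bank.read(16) == expected_after_extends(ours)

    # PCR 11 cannot be reset, so its value depends on what ran before us.
    try:
        bank.reset(11)
        pcr11_reset_refused = False
    except PermissionError:
        pcr11_reset_refused = True
    pcr11_depends_on_prior = (
        bank.extend(11, b"test-phase-1") != expected_after_extends([b"test-phase-1"])
    )

    return {
        "pcr16_deterministic": pcr16_deterministic,
        "pcr11_reset_refused": pcr11_reset_refused,
        "pcr11_depends_on_prior": pcr11_depends_on_prior,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```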
Mike Yuan [Sat, 13 Dec 2025 16:56:51 +0000 (17:56 +0100)]
core/service: set unit log context in helper processes that bypass cgroup
Since these helper processes aren't spawned in the unit cgroup,
let's explicitly attach unit log context so that all logging gets
attributed to the unit, including the ones done in library calls.
Luca Boccassi [Mon, 15 Dec 2025 22:51:16 +0000 (22:51 +0000)]
ci: remove --quiet from mkosi integration suite run
Given the integration tests take a while to run, it is useful to see
at which point it is while it is running. Sometimes only a test
script or such subset is changed, which means there's no need to
wait for the entire suite to run, especially with the sanitizers
job which is super slow.
Luca Boccassi [Mon, 15 Dec 2025 20:51:04 +0000 (20:51 +0000)]
Translations update from Fedora Weblate (#40097)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Nick Rosbrook [Wed, 10 Dec 2025 21:56:50 +0000 (16:56 -0500)]
mkosi: use qemu from noble-proposed instead of ppa
This is also temporary, but demonstrates that the version of qemu
currently in noble-proposed fixes https://launchpad.net/bugs/2127974,
which will ultimately allow for the fix to be released to noble-updates.
Daan De Meyer [Sun, 14 Dec 2025 12:34:17 +0000 (13:34 +0100)]
namespace: Clone root dir descriptor before use (#39939)
Before doing anything with the root directory file descriptor, let's
make sure we clone it first so that the caller can't mess with mount fd
attributes via mount_setattr() anymore.
We clone during parsing instead of in executor so that the caller can't
mess with the mount fd between invocations.
Daan De Meyer [Fri, 28 Nov 2025 19:28:01 +0000 (20:28 +0100)]
namespace: Clone root dir descriptor before use
Before doing anything with the root directory file descriptor, let's
make sure we clone it first so that the caller can't mess with mount fd
attributes via mount_setattr() anymore.
We clone during parsing instead of in executor so that the caller can't
mess with the mount fd between invocations.
Daan De Meyer [Fri, 28 Nov 2025 18:06:37 +0000 (19:06 +0100)]
mount-util: Add mount_fd_clone() helper
The kernel prevents you from open_tree()'ing an open_tree() fd unless it
was created from the caller's mount namespace. For various use cases, we
want to be able to open_tree() arbitrary mount file descriptors. Turns
out there's a way to get around it by mounting the mount file descriptor
in a throw-away mount namespace and then open_tree()'ing the mount file
descriptor. Let's implement this as a new helper mount_fd_clone() and
add a test for it.
Because move_mount()'ing the original fd makes it pretty useless as it
can't be move_mount()'ed again, we optionally make a second clone which
can replace the original fd so it can be cloned again later.
Kai Lueke [Thu, 11 Dec 2025 10:49:20 +0000 (19:49 +0900)]
sysext: Fix config file support with --root=
Config files for --root= weren't picked up as expected because the
--root= flag got parsed after the config file.
Switch the order of config file and CLI flag parsing while letting the
CLI flags overwrite things set by the config files by tracking state
during parsing.
Daan De Meyer [Wed, 3 Dec 2025 10:08:56 +0000 (11:08 +0100)]
discover-image: Rework image_make()
Currently, image_new() will calculate the image
path as the combination of dir_path and filename,
which is completely broken if filename is absolute
and dir_path is set.
Let's fix this by thoroughly cleaning up the
image_make() interface. Instead of having four
different arguments to pass in the image path,
let's reduce that to two, a file descriptor and a
path. If no file descriptor is provided, we create
one ourselves by opening the given path.
The callsites are updated to pass in an existing file
descriptor when available. Path calculation is moved
to callers instead of image_make().
Daan De Meyer [Thu, 11 Dec 2025 16:21:08 +0000 (17:21 +0100)]
tree-wide: Use meson test -q
meson test output is extremely verbose, printing
a separate line for each successful test. Let's
add -q/--quiet everywhere so it only prints full
lines for skipped and failed tests.
As commented, the unknown values should have been filtered out
in pid1's initial parsing already, and the communication between
pid1 and executor is entirely internal which makes the graceful
practice counterproductive.