Kai Lueke [Thu, 27 Nov 2025 08:49:15 +0000 (17:49 +0900)]
sysext: Get verity user certs from given --root=
The verity user certs weren't looked up in the given --root= for
systemd-sysext which made it fail to set up extensions with a strict
image policy.
Look up verity user certs from inside the --root= when we operate on
images in it. The main use case where this matters is when the initrd
sets up the extensions for the final system and thus systemd-sysext
should do the same thing as it would do in the final system.
man/systemd.socket: Document JoinsNamespaceOf= support
This has been supported since systemd v242 (specifically commit 7619cb32f0 if I’m not mistaken; added to NEWS in commit 4107452e51), but
the man page still claimed otherwise.
Yu Watanabe [Sun, 4 Jan 2026 18:12:26 +0000 (03:12 +0900)]
nss-systemd: always fill sg_adm and sg_mem in shadow groups (#40218)
The `sg_adm` and `sg_mem` fields are not always set in shadow groups,
which can lead to issues with foreign tools like shadow's `sg` command.
Since other NSS implementations properly set these fields and it would
otherwise be impossible to access `administrators` and `members`
information from JSON files, it's best to always fill these fields.
Even though `sg` is a nice example which should be already installed,
the issue itself can be reproduced with this simple program as well. It
relies on filled `sg_adm` and `sg_mem` fields just like `sg` does:
2. Verify that group actually exists
```
$ userdbctl group sg-poc
Group name: sg-poc
Disposition: regular
GID: 6123
Admins: root
Service: io.systemd.NameServiceSwitch
```
3. Run `sg` to switch into group `sg-poc` as regular user, this time
with setuid, i.e. no strace as before
```
$ sg sg-poc
sg: list.c:169: is_on_list: Assertion `NULL != list' failed.
Aborted (core dumped) sg sg-poc
```
shared/install: ignore aliasing failure when doing presets
In recent Fedora, preset-all fails:
```
[ 155s] Failed to preset unit: File '/buildroot/etc/systemd/user/dbus.service'
already exists and is a symlink to /usr/lib/systemd/user/dbus-broker.service
[ 155s] ‣ "systemctl --root=/buildroot --global preset-all" returned non-zero exit code 1.
```
Strictly speaking, this is an error in configuration. The presets specify that
both dbus-broker.service and dbus-daemon.service shall be enabled and they both
claim the 'dbus.service' alias. But this kind of error is very easy to make.
Failing the preset operation is too harsh, since in most cases the system will
work fine without an alias and changes in unrelated components can cause the
conflict.
Let's reuse the same logic that was added in ad5fdd391248432e0c105003a8a13f821bde0b8e: when enabling the unit through
'preset' or 'preset-all', print the message, but suppress the error. When
enabling through 'enable', fail the operation.
Fill sg_adm and sg_mem in nss_pack_group_record_shadow to stay
compatible with other NSS getsgnam implementations which set these
members to NULL terminated string arrays.
Tools like shadow's sg would trigger a NULL pointer dereference with
groups only found through nss-systemd otherwise.
nss-systemd: set sg_adm/sg_mem in intrinsic groups
The sg_adm and sg_mem fields are supposed to point to a NULL terminated
string array. If these are NULL, some foreign tools like shadow's sg
trigger NULL pointer dereferences (or fortunately their assert() calls).
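The NULL-versus-empty-list distinction described in the nss-systemd commit messages above, as an added C example that is not part of the systemd or shadow sources. `sgrp_fill_lists()`, `list_contains()` and `sgrp_user_listed()` are hypothetical helper names, and the record in `main()` is constructed from the `sg-poc` output shown earlier.

```c
#include <gshadow.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Shared empty list: a valid array whose first element is the terminator. */
static char *empty_list[] = { NULL };

/* Producer side (hypothetical helper): never hand out a record whose list
 * fields are NULL; point them at a NULL-terminated array instead. */
static void sgrp_fill_lists(struct sgrp *sg) {
        if (!sg->sg_adm)
                sg->sg_adm = empty_list;
        if (!sg->sg_mem)
                sg->sg_mem = empty_list;
}

/* Consumer side (hypothetical helper): treat a NULL list as empty rather
 * than dereferencing it or aborting on an assertion. */
static int list_contains(char *const *list, const char *name) {
        if (!list || !name)
                return 0;
        for (; *list; list++)
                if (strcmp(*list, name) == 0)
                        return 1;
        return 0;
}

/* Returns 1 if user is an administrator or a member of the shadow group. */
static int sgrp_user_listed(const struct sgrp *sg, const char *user) {
        return list_contains(sg->sg_adm, user) || list_contains(sg->sg_mem, user);
}

int main(void) {
        /* Constructed sample: group name and admin taken from the sg-poc
         * output; both list fields start out NULL, as in unfixed records. */
        char *admins[] = { (char *) "root", NULL };
        struct sgrp sg = { .sg_namp = (char *) "sg-poc", .sg_passwd = (char *) "!" };

        printf("unfilled: root listed = %d\n", sgrp_user_listed(&sg, "root"));
        sgrp_fill_lists(&sg);
        sg.sg_adm = admins;
        printf("filled:   root listed = %d\n", sgrp_user_listed(&sg, "root"));
        return 0;
}
```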
Previously, if execution failed, we'd log at error level both from the
child and the parent, and we were using a bogus variable for the argument
name:
```
$ build/systemd-inhibit list
Failed to execute : No such file or directory
list failed with exit status 1.
```
In general, we can and should assume that the program the user is calling
is well behaved, so it'll log the error on its own if appropriate. So we
shouldn't log on "normal errors", but only if the child is terminated by
a signal.
And since the program name is controlled by the user, use quotes everywhere
to avoid ambiguity.
Now:
```
$ build/systemd-inhibit false
(nothing)
$ build/systemd-inhibit bash -c 'kill -SEGV $$'
src/basic/process-util.c:895: 'bash' terminated by signal SEGV.
```
Fixes https://github.com/systemd/systemd/issues/39167. As described in the
issue, we documented various string values in the BLI, but bootctl didn't use
the string values. At the time menu-force and menu-hidden were added, using
numerical values for compatibility made sense. But that stopped being needed
when a string value that didn't have a strictly equivalent numerical value and
a feature flag were added.
When converting a large number to menu-force, message is downgraded to debug,
since the severity of the issue is very minor. Debug messages are added in
other places when the requested setting is modified too.
switch-root: don't do rm_rf() of old superblock on switch root if pivot_root() worked
We do the rm_rf_children() call only because in some cases we cannot
pivot_root() and hence the original root superblock stays pinned, and we
thus have to empty it to minimize its memory use. But if pivot_root()
worked (and the umount() for the old root), then there's really no need
to do this work.
Dropping this codepath is useful in context of Christian's recent work
to make the original initrd tmpfs unmountable, which means pivot_root()
will work, and thus there's no need to empty the tmpfs anymore, and we
can speed up boot a bit.
Yu Watanabe [Sat, 3 Jan 2026 03:46:56 +0000 (12:46 +0900)]
core: do not provide non-dynamic user through DBus/Varlink
With a service with DynamicUser= with static user or group, e.g.,
```
$ systemd-run -p DynamicUser=yes -p Group=disk sleep infinity
```
previously the lookups by name and ID through DBus/Varlink were inconsistent:
```
$ busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LookupDynamicUserByUID "u" 6
Call failed: Dynamic user ID 6 does not exist.
$ busctl call org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LookupDynamicUserByName "s" disk
u 6
$ userdbctl group 6
Group name: disk
Disposition: system
GID: 6
Passwords: 1
Service: io.systemd.NameServiceSwitch
$ userdbctl group disk
Group name: disk
Disposition: dynamic
GID: 6
Description: Dynamic Group
Service: io.systemd.DynamicUser
```
With this change, the results of these methods are consistent.
DaanDeMeyer [Fri, 26 Dec 2025 20:58:04 +0000 (21:58 +0100)]
pull-tar: Insist on foreign UID when copying
If we're doing foreign UID range copying, we're going to be joining
a private user namespace before doing the copy. copy_tree() insists
on keeping all UIDs/GIDs the same when copying. Hence, all the
UIDs/GIDs of the files we're copying should be in the private UID
range, which means they need to be owned by the foreign UID range
and we always need to call mountfsd_mount_directory_fd(). So there's
no point in having a fallback path if the source directory is not
foreign UID range owned, we'd simply fail to copy it later. Hence,
insist on the source directory being foreign UID range owned.
Daan De Meyer [Sun, 14 Dec 2025 15:04:57 +0000 (16:04 +0100)]
sd-json: Fix sd_json_variant_type_to_string parameter name
The definition will use i because of the macro, so
let's use i in the declaration as well. We can't
use DECLARE_STRING_TABLE_LOOKUP_TO_STRING() because
sd-json.h is a libsystemd public header.
Daan De Meyer [Wed, 26 Nov 2025 14:52:46 +0000 (15:52 +0100)]
clang-tidy: Block system headers with errors
blkid.h and gmessages.h both use const for arguments that are passed
by value, which is pointless and triggers clang-tidy warnings, so exclude
them from processing.
Daan De Meyer [Mon, 15 Dec 2025 08:08:00 +0000 (09:08 +0100)]
sd-journal: Remove const from function parameter
boot_id is already passed by value, and hence copied.
Since we don't apply const to function parameters
that are copied anywhere else, let's drop the const
here as well for consistency.
Daan De Meyer [Fri, 19 Dec 2025 18:43:21 +0000 (19:43 +0100)]
tree-wide: Use pamh as pam_handle_t parameter name
libpam uses pamh in its function declarations for
the plugin API so let's use the same name in our
tree as well.
Making sure the plugin function definitions match
the plugin function declarations is required to
enable clang-tidy's
readability-inconsistent-declaration-parameter-name
check, but to keep things consistent everywhere we
opt to use pamh tree-wide.
Yu Watanabe [Sat, 25 Oct 2025 04:41:33 +0000 (13:41 +0900)]
libcrypt-util: turn into dlopen() dependency
Note, this drops the logging-only test case for crypt_preferred_method(),
as that requires explicitly dlopen()ing the library. But, we should test
that make_salt() and friends automatically dlopen() it.
Yu Watanabe [Sun, 17 Aug 2025 14:03:44 +0000 (23:03 +0900)]
Require libxcrypt-4.4.0 or newer and drop support of libcrypt
libcrypt was no longer built by default since glibc-2.38, and it has been
completely removed since glibc-2.39.
Let's always use libxcrypt, except when building with musl. As major
distributions already have libxcrypt-4.4.x, let's also bump
the required minimum version to 4.4.0.
libxcrypt cannot be built with musl, hence the previous fallback logic
in libcrypt-util.c is moved to musl/crypt.c.
Note, libxcrypt-4.4.0 was released on 2018-11-20.
See also #38608.
Yu Watanabe [Sun, 17 Aug 2025 15:58:56 +0000 (00:58 +0900)]
Bump required minimum version of libseccomp to 2.4.0
Major distributions already have libseccomp 2.5.x or newer.
Let's bump the required minimum version to 2.4.0, which provides
SCMP_ACT_KILL_PROCESS, SCMP_ACT_LOG, SCMP_ARCH_PARISC, and
SCMP_ARCH_PARISC64.
Note, libseccomp 2.4.0 was released on 2019-03-15.
Yu Watanabe [Fri, 2 Jan 2026 00:25:43 +0000 (09:25 +0900)]
network: Support interface-bound ECMP routes in MultiPathRoute= (#39742)
MultiPathRoute= can now specify device-only nexthops without a gateway
address, e.g. MultiPathRoute=@wg0. This enables ECMP configurations over
interfaces that don't use gateway addresses, such as WireGuard tunnels.
The syntax is extended from "address[@device] [weight]" to
"[address]@device [weight]". The address is now optional, but at least
one of gateway or device must be specified. The @ symbol must still be
present for device-only routes, making the syntax unambiguous: @wg0
specifies a device, while a bare IP address specifies a gateway.
Device-only nexthops are only available for IPv4 routes. Device-only
multipath routes for IPv6 are not supported by the kernel's netlink
interface and will be rejected with a warning.
This change is fully backwards compatible. All existing configurations
continue to work unchanged, as they always included a gateway address.
Daan De Meyer [Mon, 22 Dec 2025 14:11:18 +0000 (15:11 +0100)]
vmspawn: Add --user/--system and support user session machined registration
The UX of registering with the user session machined
instance is much better as there won't be an authorization
prompt. To make that available for users, let's add --user
and --system switches for vmspawn. For backwards compat, we'll
still try to register with the system machined instance if the
user machined instance is not available.
DaanDeMeyer [Thu, 25 Dec 2025 18:24:17 +0000 (19:24 +0100)]
openssl-util: Make ret_user_interface required output argument
To avoid the argument accidentally not getting passed anymore during
refactoring, let's make it a required output argument so that callers
are required to provide it.
This was originally introduced to resolve deadlock caused by
dbus broker calling into nss-systemd which in turn goes via
dbus for user lookup. This is now handled differently and
the interface has been sitting unused for half a decade now.
Kill it.
Daan De Meyer [Fri, 12 Dec 2025 16:06:38 +0000 (17:06 +0100)]
string-table: Introduce DECLARE_STRING_TABLE_LOOKUP() and friends
Let's introduce these for the following two reasons:
- Using them makes sure the parameter names match between declaration
and definition (if both use the corresponding macros).
- They make sure developers can't forget the _const_ and _pure_
attributes for the declarations.
This commit also includes some include sorting fixes
quirks: Re-add D330 accel_matrix as identity one (#40226)
When testing to correct accelerometer values I set locally the identity
matrix to override the quirk. The values were fine but removing all the
matrices gives incorrect values.
The mistake was thinking that identity matrix is the default one when no
quirks are set. It is, but only when the ACPI doesn't have another one.
Set identity matrix for this device to correct accelerometer values.
tuhaowen [Wed, 31 Dec 2025 02:46:30 +0000 (10:46 +0800)]
udev/scsi_id: increase MAX_SERIAL_LEN from 256 to 512
The current MAX_SERIAL_LEN value of 256 is insufficient for some SCSI
devices with non-standard serial number lengths. In do_scsi_page80_inquiry(),
the required buffer length is calculated as:
where buf[3] contains the serial number length reported by the device.
According to the SCSI specification, this field is an unsigned 8-bit
value, meaning it can theoretically be up to 255 bytes. This results
in a maximum required length of 280 bytes, exceeding the current limit
of 256 bytes.
When this occurs, scsi_id fails with an error message like:
"length 256 too short - need 280"
This has been observed with certain vendor devices that report unusually
long serial numbers in VPD page 0x80.
Increase MAX_SERIAL_LEN to 512 to accommodate the maximum possible
serial number length plus all required prefixes (vendor, model, and
type identifiers), providing sufficient headroom for non-compliant
devices while maintaining reasonable memory usage.
Guiorgy [Wed, 31 Dec 2025 14:58:58 +0000 (18:58 +0400)]
Support Bash completions for short option group in journalctl (#40214)
Currently, the Bash completions for journalctl try to match the
previous word _**exactly**_, which leads to the following issue:
`journalctl -u dock` correctly auto completes to `journalctl -u
docker.service`, but `journalctl -eu` provides no completions at all,
which is a shame since I never use the `-u` option alone (almost always
`-eu` or `-efu`, I wish the `-e` option was the default but I digress).
The proposed solution is to assume words that start with only a single
dash and consist of only letters are short option groups and handle them
as if the previous word was the short option using the last character,
e.g. `-efu` -> `-u`.