Vunny Sodhi [Wed, 21 Jan 2026 10:27:55 +0000 (12:27 +0200)]
pam_systemd_home: Use PAM_TEXT_INFO for token prompts
The prompts asking the user to physically authenticate
or confirm presence on a security token are informational
requests for action, not error conditions.
This commit changes the message type to PAM_TEXT_INFO,
which is more appropriate for guiding the user through
the authentication process.
shared/fdset: add detailed debug logging to fdset_new_fill()
Currently, when fdset_new_fill() fails to open /proc/self/fd or
encounters an error while processing individual file descriptors
(such as fcntl or fstat failures), it returns a silent error code.
For debugging rarely reproducible failures it becomes difficult to
know the exact cause of failure.
This commit updates the function to use log_debug_errno() for all
error paths and hence provides better visibility into why FD collection
failed, including the path of the problematic FD (via fd_get_path)
and its inode type.
Daan De Meyer [Wed, 21 Jan 2026 10:25:36 +0000 (11:25 +0100)]
mkosi: Install libucontext in Arch/Fedora images
Split out of #39771
We don't make use of libucontext yet, but merging this early makes
sure my mkosi cached images don't get invalidated every time I switch
between my other work and the fiber branch.
sysupdate: add simple "freshness" validation to systemd-sysupdate
In order to make "freeze" attacks against the update logic harder, let's
add the ability to encode a "Best Before" date into SHA256SUMS directory
listings: if the current time is already beyond that time, we'll ignore
the SHA256SUMS as "stale" and fail the upgrade. Or in other words: the
freeze attack will now result in a client-side error eventually, instead
of success state.
The best-before date is encoded in an optional pseudo-file listed in SHA256SUMS:
any file named BEST-BEFORE-YYYY-MM-DD.
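As an added illustration (not systemd code and not part of this commit), the C snippet below shows the client-side side of the rule just described: scan a SHA256SUMS listing for a BEST-BEFORE-YYYY-MM-DD pseudo-file and refuse the listing as stale once the current date lies beyond it. The listing is constructed sample input, the function names are assumptions, and so is the choice that any best-before entry in the past marks the whole listing stale.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BEST_BEFORE_PREFIX "BEST-BEFORE-"

enum { LISTING_STALE = 0, LISTING_FRESH = 1, LISTING_MALFORMED = -1 };

/* Constructed sample SHA256SUMS listing. The digests are the SHA-256 of the
 * empty string and serve only as filler; the pseudo-file carries the date. */
static const char SAMPLE_LISTING[] =
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  image_1.raw.xz\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  image_2.raw.xz\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  BEST-BEFORE-2026-07-01\n";

/* Parse "YYYY-MM-DD" into a sortable integer YYYYMMDD; false if malformed. */
static bool parse_ymd_key(const char *s, long *key) {
        int y, m, d;
        char trailing;

        if (sscanf(s, "%4d-%2d-%2d%c", &y, &m, &d, &trailing) != 3)
                return false;
        if (y < 1970 || m < 1 || m > 12 || d < 1 || d > 31)
                return false;
        *key = y * 10000L + m * 100 + d;
        return true;
}

/* Return the file name part of one "<digest>  <name>" (or "<digest> *<name>") line. */
static const char *line_filename(const char *line) {
        const char *p = line;

        while (*p && *p != ' ' && *p != '\t')
                p++;
        while (*p == ' ' || *p == '\t')
                p++;
        if (*p == '*')
                p++;
        return *p ? p : NULL;
}

/* Decide whether a listing may still be trusted on `today_ymd` ("YYYY-MM-DD").
 * Assumed rule: any BEST-BEFORE-* entry dated before today marks the listing stale. */
int sha256sums_freshness(const char *listing, const char *today_ymd) {
        long today;
        char buf[1024];

        if (!parse_ymd_key(today_ymd, &today))
                return LISTING_MALFORMED;

        for (const char *cur = listing; *cur; ) {
                const char *nl = strchr(cur, '\n');
                size_t len = nl ? (size_t) (nl - cur) : strlen(cur);

                if (len >= sizeof buf)
                        return LISTING_MALFORMED;
                memcpy(buf, cur, len);
                buf[len] = '\0';
                cur += len + (nl ? 1 : 0);

                const char *name = line_filename(buf);
                if (name && strncmp(name, BEST_BEFORE_PREFIX, strlen(BEST_BEFORE_PREFIX)) == 0) {
                        long best_before;

                        if (!parse_ymd_key(name + strlen(BEST_BEFORE_PREFIX), &best_before))
                                return LISTING_MALFORMED;
                        if (today > best_before)
                                return LISTING_STALE;
                }
        }
        return LISTING_FRESH;
}

int main(void) {
        const char *dates[] = { "2026-01-21", "2026-07-01", "2026-07-02" };

        for (size_t i = 0; i < sizeof dates / sizeof *dates; i++)
                printf("on %s the sample listing is %s\n", dates[i],
                       sha256sums_freshness(SAMPLE_LISTING, dates[i]) == LISTING_FRESH ? "fresh" : "stale");
        return 0;
}
```

A malformed date in the pseudo-file is treated as an error rather than as "no expiry", so a mangled entry fails closed in the same way a stale one does.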
Yu Watanabe [Tue, 20 Jan 2026 09:41:11 +0000 (18:41 +0900)]
stat-util: make proc_mounted() not update errno
Typically, proc_mounted() is used in error handling. Hence, it is better
to make it not update the original errno.
Currently, there are two places that return a wrong error code:
- pidref_get_capability() in src/basic/capability-util.c
```c
_cleanup_fclose_ FILE *f = fopen(path, "re");
if (!f) {
        /* proc_mounted() may overwrite errno here ... */
        if (errno == ENOENT && proc_mounted() == 0)
                return -ENOSYS;
        return -errno; /* ... so this may no longer be fopen()'s errno */
}
```
- fdset_new_fill() in src/shared/fdset.c
```c
d = opendir("/proc/self/fd");
if (!d) {
        /* same problem: proc_mounted() may overwrite errno here ... */
        if (errno == ENOENT && proc_mounted() == 0)
                return -ENOSYS;
        return -errno; /* ... so this may no longer be opendir()'s errno */
}
```
Rather than fixing them, let's make proc_mounted() not update errno,
otherwise we may make a similar mistake in the future.
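To make the errno hazard concrete, here is an added C example (not systemd's code) that contrasts a clobbering helper with an errno-preserving one and shows the caller shape from the two snippets above. systemd has a PROTECT_ERRNO helper for this pattern; the manual save/restore below is a stand-in, and the function names, the path argument and the demo path are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/statfs.h>

#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0 /* value from <linux/magic.h> */
#endif

/* Behaves like the old proc_mounted(): on failure it leaves errno as set by
 * statfs(), overwriting whatever the caller was about to report.
 * Returns 1 if `path` is a procfs mount, 0 if not, negative errno on error. */
int proc_mounted_at_clobbering(const char *path) {
        struct statfs s;

        if (statfs(path, &s) < 0)
                return -errno;
        return s.f_type == PROC_SUPER_MAGIC;
}

/* Errno-preserving variant: save errno on entry, restore it on every exit. */
int proc_mounted_at(const char *path) {
        int saved_errno = errno;
        struct statfs s;
        int r;

        if (statfs(path, &s) < 0)
                r = -errno;
        else
                r = s.f_type == PROC_SUPER_MAGIC;

        errno = saved_errno;
        return r;
}

/* Simulate an error path: the caller already has errno == EACCES from a failed
 * open, calls the helper, then reads errno again. Returns the errno it sees. */
int errno_after_helper(int (*helper)(const char *), const char *path) {
        errno = EACCES;
        (void) helper(path);
        return errno;
}

/* The shape of the affected callers. With the clobbering helper, the final
 * "return -errno" can report statfs()'s errno instead of fopen()'s. */
int open_and_classify(const char *file, int (*helper)(const char *), const char *proc_path) {
        FILE *f = fopen(file, "re");

        if (!f) {
                if (errno == ENOENT && helper(proc_path) == 0)
                        return -ENOSYS;
                return -errno;
        }
        fclose(f);
        return 0;
}

int main(void) {
        /* Constructed path that is assumed not to exist, so statfs() fails with ENOENT. */
        const char *missing = "/nonexistent-dir-for-demo";

        printf("clobbering helper: errno after call = %d (caller set EACCES = %d)\n",
               errno_after_helper(proc_mounted_at_clobbering, missing), EACCES);
        printf("preserving helper: errno after call = %d (caller set EACCES = %d)\n",
               errno_after_helper(proc_mounted_at, missing), EACCES);
        printf("/proc is procfs: %d\n", proc_mounted_at("/proc"));
        printf("classify missing file: %d\n", open_and_classify(missing, proc_mounted_at, "/proc"));
        return 0;
}
```

The helper still returns its own result as a negative errno, so the caller can inspect it explicitly; only the implicit channel (the errno variable) is left untouched.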
safforddr [Tue, 13 Jan 2026 18:27:20 +0000 (13:27 -0500)]
tpm2: allow use of recoverable sealing keys
In some use cases it is desirable to use a recoverable (i.e. duplicatable)
sealing key. Currently objects have the attributes TPMA_OBJECT_FIXEDTPM
and TPMA_OBJECT_FIXEDPARENT hard-coded, which will not work with a
recoverable sealing key. This patch sets the object's attributes from
the sealing key's attributes, so that both types of sealing keys will work.
Introduce 'fixate-volume-key' option to repart/cryptsetup to pin the exact LUKS volume key hash (#40343)
Add an option to generate the expected volume key hash for LUKS volumes
by systemd-repart and put it into crypttab, and make systemd-cryptsetup
check it upon attaching. The format of the hash matches what is currently
being measured into the TPM2 PCR with tpm2-measure-pcr=.
sd-varlink: ensure that "any" actually means "any but null"
The new "any" type was by accident implemented such that it actually meant
"any but null" – unless marked as "any?", in which case it actually meant
truly any, including null. The spec change in
https://github.com/varlink/varlink.github.io/pull/43 otoh suggested that
"any" really means anything, and "any?" apparently too.
I think the implementation in code makes more sense than the spec change
however, hence let's add some checks/tests to ensure the behaviour of
the code is made explicitly and cared for.
I will prep a spec change to make the spec follow the code on this too.
Nick Rosbrook [Mon, 19 Jan 2026 18:29:52 +0000 (13:29 -0500)]
resolve: include current DNS server in JSON again
The current_dns_server_json object in dns_configuration_json_append() is
always NULL, because the logic to dump the current DNS server to JSON
was removed by mistake in a re-factoring commit. Add that logic back.
Fixes c6b6ac63ea ("resolve: drop unnecessary preparation of empty arrays").
Vitaly Kuznetsov [Tue, 13 Jan 2026 16:43:22 +0000 (17:43 +0100)]
TEST-58-REPART: Add a test for fixate_volume_key
The test checks that the expected hash is correctly recorded to the
generated crypttab and also checks that systemd-cryptsetup handles
the option correctly.
Vitaly Kuznetsov [Wed, 14 Jan 2026 08:51:24 +0000 (09:51 +0100)]
cryptsetup: Add fixate-volume-key option to pin the expected volume key hash
The expected hash (SHA256 HMAC signature) uses the exact same algorithm which
is used to calculate the sha256 PCR bank digest when 'tpm2-measure-pcr=' is used.
Mike Yuan [Tue, 6 Jan 2026 21:02:17 +0000 (22:02 +0100)]
core/dbus-util: several cleanups for bus_read_mount_options()
* Make sure ret_options is initialized on success.
* Return empty mount options as-is rather than NULL-ing it -
dbus property parser for RootImageOptions relies on it
for resetting options for a specific partition designator.
* Format partition:options properly with strextendf, currently
multiple ":" will be emitted.
* Allow separator to be unset if in_out_format_str is not
needed.
Luca Boccassi [Mon, 19 Jan 2026 16:24:44 +0000 (16:24 +0000)]
portable: pin attached image via image-policy (#40152)
When attaching images generate a policy in the portable drop-in that
matches the partition types and content found while dissecting, so that
it can no longer be changed later without a reattach.
Luca Boccassi [Fri, 19 Dec 2025 17:02:03 +0000 (17:02 +0000)]
portable: pin attached image via image-policy
When attaching images generate a policy in the portable drop-in
that matches the partition types and content found while dissecting,
so that it can no longer be changed later without a reattach.
zefr0x [Sat, 17 Jan 2026 19:59:22 +0000 (22:59 +0300)]
busctl: handle `--limit-messages` option under the `wait` verb
The main focus was to not introduce a breaking change or a duplicated argument.
The `--limit-messages=` option that is used under the `monitor` verb is
reused here. However, both `wait` and `monitor` have contradicting
default behaviors, so it's not the cleanest thing to do.
There was some post-commit discussion about the API in #33961, but the
final name adopted in #34928 wasn't that flexible either, to fit nicely
here in the `wait` verb.
Additionally, there wasn't consideration in #34555 for having uniform
behaviours, so we ended up with the `wait` verb and the `--limit-messages=` option,
rather than a `receive` verb with a default of continuously receiving signals
without exiting, where `--limit-messages=` would make more sense and be expectable.
Vitaly Kuznetsov [Mon, 19 Jan 2026 12:42:34 +0000 (13:42 +0100)]
tpm2-util: make tpm2_pcr_extend_bytes() declaration match its implementation
tpm2_pcr_extend_bytes() has differences in parameter names between the
declaration and the implementation, in particular, 'event' in the header is
named 'event_type' in the implementation.
Vitaly Kuznetsov [Mon, 12 Jan 2026 16:05:59 +0000 (17:05 +0100)]
repart: Generate fstab and crypttab late
The immediate need for the change is to allow capturing the expected
LUKS volume key hash and record it to the generated crypttab but it
also seems to make sense to not generate crypttab/fstab before we know
that partition creation succeeded as fstab/crypttab entries are bogus
otherwise.
cyclopentane [Fri, 16 Jan 2026 23:54:51 +0000 (00:54 +0100)]
cryptenroll,cryptsetup,shutdown: only call mlockall if we have CAP_IPC_LOCK
Calling mlockall in an unprivileged process most notably had the effect
of making systemd-cryptenroll OOM while trying to open a normal-sized
argon2 keyslot due to it hitting RLIMIT_MEMLOCK.
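An added C example (not systemd's code) of the gate this commit describes: check the effective capability set for CAP_IPC_LOCK before calling mlockall(), and skip locking when it is absent so the process stays within RLIMIT_MEMLOCK. CAP_IPC_LOCK's value comes from <linux/capability.h>; the function names and the parsing of /proc/self/status are assumptions of this example, not the way systemd performs the check.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

#ifndef CAP_IPC_LOCK
#define CAP_IPC_LOCK 14 /* value from <linux/capability.h> */
#endif

/* Return 1 if bit `cap` is set in a hex capability mask as printed in
 * /proc/self/status (e.g. "000001ffffffffff"), 0 if not, -EINVAL on a bad mask. */
int capmask_has(const char *hex, int cap) {
        char *end;
        unsigned long long mask;

        errno = 0;
        mask = strtoull(hex, &end, 16);
        if (errno != 0 || end == hex || (*end != '\0' && *end != '\n') || cap < 0 || cap > 63)
                return -EINVAL;
        return (int) ((mask >> cap) & 1ULL);
}

/* Read the effective capability set of the calling process from /proc/self/status.
 * Returns 1/0, or a negative errno if the file cannot be read or lacks a CapEff line. */
int have_effective_cap(int cap) {
        FILE *f = fopen("/proc/self/status", "re");
        char line[256];
        int r = -ENODATA;

        if (!f)
                return -errno;
        while (fgets(line, sizeof line, f)) {
                if (strncmp(line, "CapEff:", 7) == 0) {
                        const char *p = line + 7;

                        while (*p == ' ' || *p == '\t')
                                p++;
                        r = capmask_has(p, cap);
                        break;
                }
        }
        fclose(f);
        return r;
}

/* Lock memory only when CAP_IPC_LOCK is held. Without it an unprivileged
 * process is bounded by RLIMIT_MEMLOCK, and a large allocation such as an
 * argon2 key slot could fail. Returns 1 if locked, 0 if skipped, -errno on error. */
int lock_memory_if_privileged(void) {
        int r = have_effective_cap(CAP_IPC_LOCK);

        if (r < 0)
                return r;
        if (r == 0) {
                struct rlimit rl;

                if (getrlimit(RLIMIT_MEMLOCK, &rl) == 0)
                        fprintf(stderr, "No CAP_IPC_LOCK, skipping mlockall() (RLIMIT_MEMLOCK soft limit: %llu)\n",
                                (unsigned long long) rl.rlim_cur);
                return 0;
        }
        if (mlockall(MCL_CURRENT | MCL_FUTURE) < 0)
                return -errno;
        return 1;
}

int main(void) {
        int r = lock_memory_if_privileged();

        if (r < 0)
                fprintf(stderr, "capability check failed: %s\n", strerror(-r));
        else
                printf("memory %s\n", r ? "locked" : "not locked (unprivileged)");
        return 0;
}
```

Skipping the lock is the safer failure mode here: the secret material is still handled normally, whereas an mlockall() that succeeds only until the RLIMIT_MEMLOCK ceiling turns a later allocation into an out-of-memory condition.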
Mike Yuan [Fri, 9 Jan 2026 18:06:07 +0000 (19:06 +0100)]
core/unit: drop unneeded unit_modify_nft_set() call during coldplug
We re-realize all unit cgroups upon daemon-reload, and
cgroup_context_apply() would take care of NFT set refreshing.
No need to duplicate that in unit_coldplug().
Mike Yuan [Fri, 16 Jan 2026 19:53:47 +0000 (20:53 +0100)]
core/unit: several cleanups for unit_queue_job_check_and_collapse_type()
* Rename to _mangle_type() - it turned out this one doesn't collapse
anything, but rather mangles the type if reload_if_possible is set.
Hence name accordingly.
* Use -ELIBEXEC rather than -EUNATCH to denote dependency only units.
* Add a comment about the JOB_STOP and load state check.
chase: optimize the special case where no root dir specified
Now that we can recognize the root dir in chaseat() sanely, let's use it
to optimize the very common special case where we have no root dir to
consider, and directly call open_tree().
fd-util: introduce XAT_FDROOT fd shortcut for the root dir
This takes inspiration from AT_FDCWD, but always references the root dir
rather than the cwd. This allows various convenience uses, as we can now
reference the root dir without actually allocating an fd for chaseat(),
fd_get_path() and various others.
The value of XAT_FDROOT is chosen so that it is not a valid fd (essential,
because we do not intend to hook this up everywhere, just where we need
it, just like AT_FDCWD only works in some syscalls), and we want uses at
the wrong places to fail cleanly. It also uses a value outside of the
range where we usually return negative errnos, i.e. < -ERRNO_MAX.