Nick Rosbrook [Fri, 20 Mar 2026 15:23:39 +0000 (11:23 -0400)]
socket-util: filter out VMADDR_CID_ANY in vsock_get_local_cid()
It has been observed on some systems[1] that ssh-issue may print out:
Try contacting this VM's SSH server via 'ssh vsock%4294967295' from host.
i.e. it suggests connecting with VMADDR_CID_ANY, which is not valid. It
seems that IOCTL_VM_SOCKETS_GET_LOCAL_CID may return VMADDR_CID_ANY in
some cases, e.g. when vsock is not full initialized or so.
Treat VMADDR_CID_ANY as special in vsock_get_local_cid(), the same as
VMADDR_CID_LOCAL and VMADDR_CID_HOST, and return an error.
Nick Rosbrook [Fri, 20 Mar 2026 15:13:28 +0000 (11:13 -0400)]
ssh-proxy: return an error if user supplies VMADDR_CID_ANY
Right now, if a user tries to pass VMADDR_CID_ANY to systemd-ssh-proxy,
an assert is triggered:
$ ssh vsock%4294967295
Assertion 'cid != VMADDR_CID_ANY' failed at src/ssh-generator/ssh-proxy.c:21, function process_vsock_cid(). Aborting.
mm_receive_fd: recvmsg: expected received 1 got 0
proxy dialer did not pass back a connection
This is becauase the value returned from vsock_parse_cid is not checked
before being passed to process_vsock_string. Add a check to prevent
that.
sd-json: when parsing optionally insist top-level variant is object or array
Typically, the top-level JSON object has to be an object, in any json
document we parse, hence let's add a simple way to enforce that.
Make use of this in various places.
(Note, various other JSON parsers insist on this logic right from the
beginning, but I actually thinking making this insisting optional like
this patch does it is the cleaner approach)
When Clang is used (which sets CONFIG_PAHOLE_HAS_BTF_TAG), btf_type_tag
support is enabled. As a result, an rcu type tag is added to
task_struct::cred:
Luca Boccassi [Fri, 20 Mar 2026 00:43:26 +0000 (00:43 +0000)]
test: skip D-Bus FD truncation test with dbus-daemon
dbus-daemon intentionally disconnects peers when FDs get
truncated. Detect it and skip it in that case, as the purpose
of the test is not to exercise the D-Bus implementation, but
our library.
When running with dbus-broker (Fedora, etc) we'll get full
coverage.
firstboot: permit setting the static hostname via a system credential
For the IMDS case there's value in being able to set the static
hostname, instead of just the transient one. Let's introduce
firstboot.hostname, which only applies to first boot, and write the
static hostname. This is different from system.hostname which applies to
any boot, and writes the transient hostname.
udev: tag DMI id device with "systemd", so that we can order units after it
For various usecases it is useful to read relevant data from the DMI
udev device, but this means we need a way to wait for it for this to be
probed to be race-free. Hence tag it with "systemd", so that
sys-devices-virtual-dmi-id.device can be used as synchronization point.
This is very similar to write_string_file_atomic(), but is intentionally
kept separate (after long consideration). It focusses on arbitrary
struct iovec data, not just strings, and hence also doesn't do stdio at
all. It's hence a lot more low-level.
We might want to consider moving write_string_file*() on top of
write_data_file_atomic_at(), but for now don't.
Michael Vogt [Wed, 18 Mar 2026 10:38:48 +0000 (11:38 +0100)]
shared: extract `socket_forward_new()` helper from socket-proxyd
This commit extracts the socket forwarding code from the existing
socket-proxyd into a new shared helper that will be used by the
varlinkctl protocol upgrade support code and is used as is in
the socket-proxyd.c.
It tries to keep the changes as small as possible, its mostly
renaming like:
* connection_create_pipes -> socket_forward_create_pipes
* connection_shovel -> socket_forward_shovel
* connection_enable_event_sources -> socket_forward_enable_event_sources
* traffic_cb -> socket_forward_traffic_cb
and a new socket_forward_new() that creates/starts the forwarding.
All log_error_errno() got downgraded to log_debug_errno().
Michael Vogt [Thu, 19 Mar 2026 15:05:52 +0000 (16:05 +0100)]
units: allow io.systemd.Hostname to be available earlier
Currently the varlink interface for hostname is only available
after sysinit. This means it is not available until systemd-firstboot
is finished. But there is information like the boot-id in there that
is useful to get early.
My use-case is to query the system early via the varlink-http-bridge
and currently I can't get data from io.systemd.Hostname until
systemd-firstboot is completed which is a bit limiting.
So to fix it this commit sets DefaultDependencies=no on both the socket
and service units.
It also changes hostnamed.c to use
bus_open_system_watch_bind_with_description() which means we will
reconnect once dbus is available. This mimics what resolved-bus.c
is doing (and which was originally introduced in d7afd945b).
tests: drop _weak_ from the SYSTEMD_TEST_TABLE definition
This will cause test binaries that reference SYSTEMD_TEST_TABLE,
e.g. by trying to iterate over the test list, to fail if no tests are
defined. I think this is the correct thing to do, as the lack of tests
indicates some kind of mistake.
This file was a bit strange… It was shoehorning a manual test into
the intro block and not using the rest of the TEST machinery. Let's
convert it into a normal executable with a run function as we do
in other similar cases.
systemd-timesyncd always runs as an unprivileged user via the service
file, so the code to resolve the systemd-timesync user, drop privileges
adjust file ownership/permissions, or even create the directory cannot
do anything useful and is unnecessary.
With the planned extraction of the socket-forward code its useful
to have a basic way to validate the functionality. So add a basic
test that ensures at least base functionality is intact.
test-time-util: restore relaxation of check is special timezones
Fixup for 514fa9d39ae9935ef1e014a3dd48dd5856007df2. We are now getting
failures in CI i386 builds in Fedora rawhide:
TZ=Europe/Lisbon, tzname[0]=WET, tzname[1]=WEST
@212545617716594 → Sun 1976-09-26 00:26:57 WET → @212542017000000 → Sun 1976-09-26 00:26:57 CET
src/test/test-time-util.c:450: Assertion failed: Expected "ignore" to be true
Restore the conditionalization for CAT, EAT, WET that was removed
in the refactoring.
Chris Down [Thu, 19 Mar 2026 13:15:44 +0000 (21:15 +0800)]
dissect-image: Consolidate verity validation and setup
The verity consistency checks and verity setup code also have parallel
blocks for root and usr that do basically identical work. Let's
consolidate them and reduce the footprint for bugs or deviance to
manifest.
Chris Down [Thu, 19 Mar 2026 13:10:21 +0000 (21:10 +0800)]
dissect-image: Merge partition handler code
dissect-image has six(!) different branches with basically the same
code. Let's avoid that and reduce the spaces for bugs or differing
behaviour to subtly creep in.
Daan De Meyer [Thu, 19 Mar 2026 10:34:25 +0000 (11:34 +0100)]
ci: Update prompt to reduce time spent re-checking comments
I noticed looking at the logs that claude spends a lot of time re-checking
existing comments, so let's update the prompt to hopefully reduce
the amount of comments that it re-checks.
Luca Boccassi [Wed, 18 Mar 2026 23:04:03 +0000 (23:04 +0000)]
userdb: add birthDate field to JSON user records (#40954)
Add an optional field that can be used to store a user's birth date.
userdb already stores personal metadata (`emailAddress`, `realName`,
`location`) so `birthDate` is a natural fit.
Dylan M. Taylor [Fri, 6 Mar 2026 12:34:57 +0000 (07:34 -0500)]
userdb: add birthDate field to JSON user records
Add a birthDate field to the JSON user record, stored internally as a
struct tm with INT_MIN/negative sentinels for unset fields. The field
is serialized as a YYYY-MM-DD string in JSON and validated via
parse_birth_date(), which shares its core logic with
parse_calendar_date() through a new parse_calendar_date_full()
function.
For birth dates, timegm() is called directly (rather than
mktime_or_timegm_usec) to support pre-epoch dates. The wday field is
used to distinguish timegm() failure from a valid (time_t) -1 return.
birthDate is excluded from user_record_self_modifiable_fields(), so
only administrators can set or change it via homectl. The field
remains in the regular (non-privileged) JSON section, keeping it
readable by the user and applications.
Luca Boccassi [Wed, 18 Mar 2026 20:42:46 +0000 (20:42 +0000)]
Translations update from Fedora Weblate (#41164)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
A S Alam [Wed, 18 Mar 2026 18:58:46 +0000 (18:58 +0000)]
po: Translated using Weblate (Punjabi)
Currently translated at 34.9% (93 of 266 strings)
Co-authored-by: A S Alam <aalam@users.noreply.translate.fedoraproject.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pa/
Translation: systemd/main
Daan De Meyer [Wed, 18 Mar 2026 13:32:21 +0000 (14:32 +0100)]
ci: Add back subagents and stop using --json-schema in claude-review
Let's stop using --json-schema and instead have claude write a JSON
file in the repo root which we pass around as an artifact similar to
how we pass around the input. This works around the bug where claude
receives task notifications after producing structured output which
breaks the structured output.
Rename verb functions for consistency and add per-verb constant parameter (#41003)
We often have a pattern where the same verb function is used for
multiple actions. This leads to an antipattern where we figure out what
action needs to be taken from argv[0] multiple times: often once in
arse_argv() to figure out what options are allowed, then once again
implicitly in dispatch_verb(), and then again in the action verb itself.
Let's allow passing a parameter into the verb to simplify this.
This option is exactly like the one in sysusers. (In fact the
implementation is copied too.) It is occasionally useful to be able to
specify and execute some tmpfiles config not through config files but
directly on the command line. This also makes it very easy to test
config with:
SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --dry-run --inline ...
Dylan M. Taylor [Fri, 6 Mar 2026 12:27:10 +0000 (07:27 -0500)]
time-util: extract parse_calendar_date() from sysupdate
Move the YYYY-MM-DD date parsing and validation logic from
sysupdate-resource.c into a shared parse_calendar_date() function
in time-util, so it can be reused by other subsystems.
Daan De Meyer [Wed, 18 Mar 2026 11:55:45 +0000 (12:55 +0100)]
ci: Stop using subagents in claude-review workflow
As it seems impossible to prevent claude from receiving notifications
about subagents finishing after it has produced structured output, which
breaks the structured output as it has to be the final reply, let's stop
using subagents and background tasks completely to avoid the issue.
Vitaly Kuznetsov [Fri, 13 Mar 2026 12:02:51 +0000 (13:02 +0100)]
measure: make tpm_log_tagged_event() measure CC as well
tpm_log_tagged_event() only measures the event to the TPM while
tpm_log_ipl_event() measures the event both to the TPM and CC. Fix the
inconsistency.
Note, this is a potentially breaking change for TDX guests as systemd will
now measure more stuff to the MRTD/RTMRs, reference values for attestation may
need to be adjusted.
Luca Boccassi [Wed, 18 Mar 2026 12:33:58 +0000 (12:33 +0000)]
sd-dlopen: make macros to generate .notes.dlopen sections public API (#41047)
If this new scheme of adding dependencies is supposed to be used more
widely we need to start making it easy to add them. So add a new
self-contained header that projects can simply include without the need
to link against libsystemd itself. This will allow them to generate
`.notes.dlopen` sections:
```
> readelf -p .note.dlopen ./l2md
String dump of section '.note.dlopen':
[ a] |@FDO
[ 10] [{"feature":"manifest-json","description":"Manifest-based change detection via gzip and JSON parsing","priority":"suggested","soname":["libz.so.1","libsystemd.so.0"]}]
[ c2] |@FDO
[ c8] [{"feature":"manifest-http","description":"HTTP transport for lore.kernel.org manifest fetch","priority":"suggested","soname":["libcurl.so.4"]}]
```
ansi-color: fix SYSTEMD_COLORS=true regression when output is piped
The SYSTEMD_COLORS=true/1/yes no longer forced colors
when stdout was not a TTY (e.g. piped), because the COLOR_TRUE bypass
of the terminal_is_dumb() check was accidentally dropped.
Restore the old behavior by guarding the TTY check with
`m != COLOR_TRUE`, so an explicit boolean "true" value continues to
unconditionally force color output regardless of whether stdout is a TTY
or whether $NO_COLOR is set.
Daan De Meyer [Wed, 18 Mar 2026 10:46:01 +0000 (11:46 +0100)]
ci: Bump number of turns for claude and mention turns in prompt
claude keeps failing by its subagents completing after it has already
written the review for large prs. It seems to run out of turns, tries
to get the subagents to post partial reviews but doesn't seem to stop
them.
Let's insist that it waits for background tasks to stop but let's also
increase the max turns a bit so it doesn't run out as quickly.
Daan De Meyer [Wed, 18 Mar 2026 10:28:55 +0000 (11:28 +0100)]
ci: Enable network isolation for claude and allow most tools
claude wants to use python to access the JSON context so let's allow
it. Since python3 basically allows you to reimplement every other tool,
let's just enable all tools except the web related ones but enable network
isolation so it can't try to exfiltrate anything via python.
repart: add --grain-size= option for partition alignment
Add a --grain-size= CLI option to override the default 4 KiB partition
alignment grain. Setting --grain-size=1M matches the alignment used by
fdisk/parted and fixes misaligned partitions after small fixed-size
partitions like the 16 KiB verity-sig partition.
Also fix context_place_partitions() to re-align the start offset after
each partition, not just once per free area. Without this, a small
partition would cause all subsequent partitions in the same free area
to start at an unaligned offset.
ci: reeanble compilation test with clang -O2, disable -Wmaybe-uninitialized for old gcc
In CI we get spurious failures about unitialized variables with gcc
versions older then (depending on the case) 12, 13, or 14. Let's only
try to do this check with newer gcc which returns more useful results.
At the same time, do compile with both gcc and clang at -O2, just
disable the warning.
The old logic seems to have been confused. We compile with -Wall, at
least in some cases, which includes -Wmaybe-unitialized. So if we
_don't_ want it, we need to explicitly disable it.
tree-wide: extend verbs functions with extra per-verb data parameter
We often have a pattern where the same verb function is used for
multiple actions. This leads to an antipattern where we figure out what
action needs to be taken from argv[0] multiple times: often once in
parse_argv() to figure out what options are allowed, then once again
implicitly in dispatch_verb(), and then again in the action verb itself.
Let's allow passing a parameter into the verb to simplify this.
This matches a pattern we have in conf-parser.h, where we have both
void *userdata (more global) and void *data (per-config item). Here,
I opted for uintptr_t userdata. It seems that most of the time we'll
want to just pass an enum value. This works OK with no casts. I also
tried a void* and union. In both cases, much more boilerplate is needed:
either a cast or a macro to help avoid compiler warnings. uintptr_t
seems generic enough to cover foreseeable usecases with no fuss.
This is a noop refactoring. See next commit for an example.
This series of renaming patches has a few overlapping motivations:
- when functions are named uniformly, it code is more obvious
- I want to add a parameter to all verb functions
- in #40880 uniform naming of verb functions will be necessary too.
So let's do this cleanup. Some tools had a mix of functions w/ and
w/o "verb_", which looked messy.
Relicense sd-dlopen.h from LGPL-2.1-or-later to MIT-0 so that
downstream projects can copy/paste the macros directly without
introducing a build dependency on the systemd headers.
Acked-by: Lennart Poettering <lennart@amutable.com> Acked-by: Luca Boccassi <luca.boccassi@gmail.com> Signed-off-by: Christian Brauner <brauner@kernel.org>
man: add sd-dlopen(3) and SD_ELF_NOTE_DLOPEN(3) man pages
Document the new public sd-dlopen.h header and SD_ELF_NOTE_DLOPEN()
macro with associated constants. Includes usage examples for single
and multiple soname annotations.
Signed-off-by: Christian Brauner <brauner@kernel.org>
dlfcn-util: migrate to public SD_ELF_NOTE_DLOPEN() API
Switch all internal callers from the private ELF_NOTE_DLOPEN() macro to
the new public SD_ELF_NOTE_DLOPEN() API from sd-dlopen.h, and remove
the now-redundant macro definitions from dlfcn-util.h.
Signed-off-by: Christian Brauner <brauner@kernel.org>
sd-dlopen: add header-only public API for FDO .note.dlopen ELF metadata
Expose ELF note dlopen annotation macros as a public header-only API in
sd-dlopen.h. This allows any project to embed .note.dlopen metadata in
their ELF binaries by simply including the header - no runtime linkage
against libsystemd is required.
The header provides SD_ELF_NOTE_DLOPEN() and associated macros/constants
implementing the ELF dlopen metadata specification for declaring optional
shared library dependencies loaded via dlopen() at runtime.
Signed-off-by: Christian Brauner <brauner@kernel.org>
noxiouz [Fri, 13 Mar 2026 00:36:08 +0000 (00:36 +0000)]
coredump: capture crashing thread ID and name
Add %I (TID in initial PID namespace) to the core_pattern, so the
kernel passes the crashing thread's TID to systemd-coredump. Use it
to read the thread's comm name from /proc/<tid>/comm and log both as
new journal fields:
COREDUMP_TID= — TID of the crashing thread
COREDUMP_THREAD_NAME= — comm name of the crashing thread
These fields are also stored as xattrs on external coredump files
(user.coredump.tid, user.coredump.thread_name) and displayed by
coredumpctl info alongside the PID line.
For single-threaded processes the TID equals the PID and thread_name
equals comm; for multi-threaded programs with named worker threads
(pthread_setname_np / PR_SET_NAME) this identifies which thread
crashed without needing to open the coredump file itself.
The new fields are optional in the socket forwarding path, so older
systemd-coredump senders are handled gracefully.
find-esp: introduce _full() flavour of ESP/XBOOTLDR discovery functions
These functions take so many return paramaters, and in many of our cases
we don't actually needt them. Hence introduce _full() flavours of the
funcs, and hide the params by default.
Daan De Meyer [Wed, 18 Mar 2026 07:59:48 +0000 (08:59 +0100)]
ci: Enable users without write action to the repo to access claude review
The labelling approach introduced in 6089075265765b43e6666e4d5978292a32501496
means contributors can now trigger the workflow on their own when the label
is added by a maintainer and they update the PR. Hence we need to allow all
users to access the claude code action. This is safe because we already gate
the workflow ourselves to only the contributors that we want to allow.
Additionally, the claude code job has no permissions anymore except read access
to the repository and can execute very limited tools, so this should be safe.
Daan De Meyer [Wed, 18 Mar 2026 08:11:09 +0000 (09:11 +0100)]
ci: Fix artifact name in claude-review workflow
The name doesn't actually matter, it gets replaced with the name
of the file when not archiving. So stop passing a name and pass in
the filename as the name when downloading the artifact.
projects / thirdparty / systemd.git / log
