machine-tags: optionally support key/value pairs as machine tags
Other systems (kubernetes…) allow tagging machines with key/value pairs.
Let's extend our allowed syntax slightly to allow that too. Thankfully,
we enforced a pretty strict ruleset on machine tags, hence we can
introduce this without breaking compatibility.
This basically allows tags to contain "=". If so, then the left-hand
side of it must be unique among machine tags.
When matching against a machine tag, we apply the same rules as before.
This means, that if people want to check if a tag with value applies
they can do:
ConditionMachineTag=foo=bar
If they just want to check if "foo=" is set to anything, they can use
the usual glob matching:
Josh Hoffer [Thu, 4 Jun 2026 00:19:33 +0000 (17:19 -0700)]
boot/stub: honor PE SectionAlignment when loading inner kernel
The stub copies the embedded kernel PE into an xmalloc_pages()
allocation with AllocateAnyPages, which only guarantees EFI_PAGE_SIZE
(4 KiB) alignment.
The arm64 kernel declares SectionAlignment = SZ_64K. When _text is not
64K-aligned the kernel's EFI stub reallocates and copies the image,
which can fail with EFI_OUT_OF_RESOURCES on memory-constrained firmware
(e.g. U-Boot, bounded by CONFIG_SYS_MALLOC_LEN rather than full DRAM).
The failure is non-deterministic since AllocateAnyPages returns whatever
page the allocator finds first.
Plumb SectionAlignment through pe_kernel_info() and allocate via
xmalloc_aligned_pages(). For alignment <= EFI_PAGE_SIZE (e.g. x86_64) it
reduces to a plain AllocatePages(), so the change is free there.
SectionAlignment comes from the PE header, which the spec requires to be
a power of 2. Sanitize it in pe_kernel_info() right where it is parsed:
a non-conforming value falls back to plain page alignment (matching the
behavior of older systemd-stub versions that ignored the field) rather
than propagate something that would break xmalloc_aligned_pages()'s
over-alignment maths, with a log_warning() so the fallback stays
diagnosable.
Co-developed-by: Claude <claude@anthropic.com> Closes: #42443 Reported-By: Agathe Porte <agathe.porte@oss.qualcomm.com> Tested-By: Agathe Porte <agathe.porte@oss.qualcomm.com>
Kai Lüke [Thu, 28 May 2026 13:07:16 +0000 (22:07 +0900)]
sysext: Allow to (re)start units from extension-release metadata file
Up to now we recommended to use TARGET.upholds/ symlinks to start units
when an extension is loaded. However, this has some drawbacks. First,
for services that should not be tried to be started all the time we have
to resort to hiding them through a target that gets uphold and then
uses regular .wants/ for the actual service. Second, we actually leak
services on extension unload even if the unit has disappeared with the
extension. Third, to affect a service through a drop-in or a config
change from a confext/sysext and that service is already running, we
need a way to restart/reload it instead of just starting it.
Similar to EXTENSION_RELOAD_MANAGER=1, add a EXTENSION_RESTART_UNITS=
and a EXTENSION_RELOAD_OR_RESTART_UNITS= setting to the
extension-release metadata file, carrying a whitespace-separated list
of units to restart/reload on merge/refresh/unmerge after the daemon
reload. Also detect when the unit has vanished which is normally the
case when the unit was part of the unmerged extension, and stop it
explicitly to prevent it leaking. When the extension itself ships the
binary it should use EXTENSION_RESTART_UNITS= to make sure the new
binary is picked up. Since starting through this setting does not work
when the extension is mounted from the initrd, extensions should still
ship at least a .wants/ symlink to start at boot but can also continue
to ship a .upholds/ symlink for backwards compatibility without any
drawback and still benefit from the unit stopping triggered by the new
setting. While there are cases where one could want to set
EXTENSION_RESTART_UNITS= without requiring a daemon reload (e.g., an
env var file change instead of a unit drop-in), we now do an implicit
daemon reload when we have to restart units so that we know we work on
the right state and we spare users remembering to set this setting in
addition to prevent running into this issue.
Accept NSS aliases for canonicalized user records (#42452)
This PR fixes userdb lookups for NSS users that are resolved through an
alias but returned with a canonical user name.
Some NSS providers, such as SSSD, can successfully resolve a user by an
alias-like name, for example a Kerberos/AD UPN (for example
testuser@example.test) while returning a passwd record with the
canonical login name.
The original lookup name was not preserved. Later, the userdb worker
checked whether the returned record matched the requested name with
user_record_matches_user_name(). Since the requested name was
testuser@example.test, but the record only contained testuser, the
lookup was rejected as:
`io.systemd.UserDatabase.ConflictingRecordFound`
This also caused pam_systemd to fail opening sessions for such users
with:
`pam_systemd(...:session): Failed to get user record`
In my case, this broke graphical logins for Samba users logging in with
a UPN on systems where SSSD canonicalizes the NSS result.
My solution preserves the requested name as a UserRecord alias when an
NSS lookup by name succeeds but the returned pw_name differs from the
requested name.
This allows user_record_matches_user_name() to accept the canonicalized
NSS result instead of treating it as a conflicting record.
The patch does not invent new aliases. It only records the name that NSS
itself already accepted and resolved successfully.
I'm not an expert on working with systemd, so I'm asking for a review of
my PR.
Liu Zhangjian [Tue, 9 Jun 2026 13:15:52 +0000 (21:15 +0800)]
repart: fix SizeMinBytes/SizeMaxBytes rounding direction
The ltype parameter for SizeMinBytes and SizeMaxBytes in the config
parsing table was reversed. SizeMinBytes should round UP (ltype > 0)
to ensure the partition is at least the specified size, while
SizeMaxBytes should round DOWN (ltype < 0) to ensure the partition
doesn't exceed the specified size.
This matches the documentation in repart.d.xml which correctly states:
- SizeMinBytes: 'rounded upwards'
- SizeMaxBytes: 'rounded downwards'
The same fix is applied to PaddingMinBytes and PaddingMaxBytes which
share the same config_parse_size4096 parser.
Fixes: #42526 Co-developed-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Liu Zhangjian <liuzhangjian@uniontech.com>
sysupdate: refuse reboot/pending logic when --component= is used (#42578)
Fixes #42330
The `pending` and `reboot` verbs, and the `--reboot` switch, decide
whether to reboot by comparing the newest installed version against the
booted OS version (`IMAGE_VERSION=` from os-release). When a component
is selected via
`--component=`, this ends up comparing the component's version against
the unrelated host OS version; by design these live in separate version
spaces, so the comparison is meaningless and reboot decisions become
arbitrary: depending on the relative version strings, sysupdate either
always reboots or never does.
### Example from the issue:
% /usr/lib/systemd/systemd-sysupdate --component=containerd reboot
Newest installed version '2.3.0' is older than booted version
'20260527200656'.
This refuses the combination with a clear error instead of silently
performing a bogus comparison:
- `verb_pending_or_reboot()` rejects `--component=` for the
`pending`/`reboot` verbs (mirroring the existing `--root=`/`--image=`
rejection).
- `verb_update_impl()` rejects `--reboot` combined with `--component=`,
before any update work is done.
Correctly tracking a per-component "booted" version (which could be
"none", making a reboot always apply) is a larger feature and left for
the future, as the reporter suggested.
The daemon (`sysupdated`) and `updatectl` don't perform this
host-version comparison, so the change is confined to the
`systemd-sysupdate` CLI.
Documentation and a negative regression test (TEST-72) are included.
### AI-use Disclosure:
I took assistance from Claude Opus 4.8 to scope out the issue, help with
writing proper comments/documentation, and help with writing the PR
description.
Armaan Sandhu [Sat, 13 Jun 2026 09:25:12 +0000 (14:55 +0530)]
sysupdate: address review feedback on component/reboot guard
Move the --reboot/--component= rejection into parse_argv() alongside the
other cross-option checks, and tighten TEST-72 to assert the specific
guard message rather than merely a non-zero exit.
Armaan Sandhu [Sat, 13 Jun 2026 07:25:51 +0000 (12:55 +0530)]
sysupdate: refuse reboot/pending logic when a component is selected
The `pending` and `reboot` verbs, as well as the `--reboot` switch, compare
the newest installed version against the booted OS version (IMAGE_VERSION= from
os-release). When a component is selected via --component=, this compares the
component's version against the unrelated host OS version, which by design live
in separate version spaces. The result is arbitrary reboot decisions: depending
on the relative version strings sysupdate would either always or never reboot.
Refuse the combination with a clear error instead of silently performing a
bogus comparison. Correctly tracking a per-component booted version is left as a
future feature.
Ronan Pigott [Mon, 15 Jun 2026 23:58:42 +0000 (16:58 -0700)]
pam: use default auth pam_deny.so
run0 doesn't actually use the auth pam stack, since polkit does the
requisite authorization. However, if the service type is left undefined
pam falls back to the definitions of the "other" service, which, at
least in Arch Linux but possibly more, includes pam_warn.so to notify
the user about this apparent error.
This creates a bit of logspam, as systemd does actually call pam_setcred
in its generic pam code, which depends on the auth pam stack, creating a
warning message in the journal on every invocation of run0.
pam_deny.so is a no-op, which avoids falling back to the other pam
service.
dongshengyuan [Wed, 17 Jun 2026 05:06:21 +0000 (13:06 +0800)]
hibernate: fix swap selection and prefer swap that can hold image
When multiple swap devices exist, prefer one with enough free space
to hold the hibernation image over one that cannot, regardless of
priority. If no swap can fit, fall back to priority-first selection.
This avoids deterministically failing hibernation when the
highest-priority swap is too small but a lower-priority one fits.
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
report: add support for signing reports via varlink backends + make report a varlink service (#42595)
This adds the following:
1. systemd-report gains a new --sign= option, taking a boolean. If true,
this makes systemd-report generate + systemd-report upload generate a
signed report, instead of a regular one. The signatures are collected
from Varlink-based backends.
2. One such backend is added which does a simple Ed21159 based signing
scheme.
3. this adds a new metrics source which just reports text files
symlinked into a special dir as metrics. This is used to report the Ed21159 public key as metric, by default, if it exists.
4. finally, systemd-report itself is turned into a varlink service. this
is useful for example for extracting a report from a system coming in
via the varlink/http bridge.
I thought a long time about the format of signing of reports. Initially
i intended to do this like homed's user record signing, i.e. require
normalization of the record, then normalize the record, and write it out
in dense form, since the result. Finally insert the resulting hash into
the user record itself. People have pointed me to the inherent messiness
of signing JSON this way though, as it requires any participant that
wishes to sign/authenticate records this way to implement the exact same
normalization/formatting rules, and in particular in the area of
floating point numbers (of which metrics presumably will have many) this
is quite problematic.
This signing hence goes a different way. instead of expecting
signer+verifier to independently come to the same normalized text form
of the json data, let's instead output a JSON-SEQ sequence, where the
first object is the report, and any subsequent objects are one signature
each. the signatures are supposed to cover the precise binary
representation of the first element in the JSON-SEQ stream. (i.e. from
the RS to the NL).
or in other words: a verifier would receive the JSON-SEQ stream, split
it up before each RS. Then it would leave object 1 unparsed for the
moment, and parse objects 2…n. It would then authenticate object 1's
precise binary representation with objects 2…n. Once that checks out, it
would parse object 1, and use it as report.
Luca Boccassi [Fri, 29 May 2026 10:23:23 +0000 (11:23 +0100)]
udev: run workers in sibling cgroup and use cgroup.kill
Since a1f4fd387603673a79a84ca4e5ce25b439b85fe6 udev processes
run in an 'udev' subcgroup, to avoid killing control processes
when clearing workers. But the main process is still in the same
cgroup, so the atomic cgroup.kill cannot be used.
If the main subcgroup exists, try to create a sibling 'workers'
cgroup, and use it for workers processes, and use cgroup.kill if
available.
This is especially useful as rules can spawn arbitrary programs/scripts
and TasksMax= is set to unlimited.
Luca Boccassi [Fri, 19 Jun 2026 18:35:16 +0000 (19:35 +0100)]
core: add LUOSession= unit setting (#42530)
Acquiring a LUO session from /dev/liveupdate requires privileges, and
also the device is a single-owner driver so only a single process can
open it at any given time.
Add a LUOSession= service settings that allows units running without
privileges to get a session assigned to them.
The kernel imposes a 64 chars limit on session names, which is too short
to avoid clashes, so derive a hash from joining the unit name with the
parameter name, that way two units using the same setting don't clash.
Revert "units: drop After=network-online.target from imds services"
IMDS access requires networking, hence we need to run after
network-online.target. Everything else would be racy and result in
likely timeouts, because we might try to contact the network too early.
Fix handling of `UKI/SBAT` and `UKI/Firmware` config entries. (#42478)
This fixes 2 issues with `ukify`:
`config_list_prepend` needs a list. The 2 more used entries are
specially treated (parsed into a list) and therefore happen to work, but
trying to set `UKI/Firmware` throws a type error, as it is passed as
just a string.
The `UKI/SBAT` config entry is a list but used the default `config_push`
value which sets it if unset (which also failed since its default of
`[]` is not `None`) - change this to `config_list_prepend`.
I did consider adding a `config_list_append`, but as far as I'm aware,
the order of sbat entries should not change the outcome anyway.
Luca Boccassi [Fri, 19 Jun 2026 11:00:37 +0000 (12:00 +0100)]
crypto-util: support OpenSSL 4
OpenSSL 4 broke ABI, so we need to look for both SONAMEs.
Try libcrypto.so.3 first, and fallback to libcrypto.so.4,
so that the older and more stable version is used if both
are installed, giving distros time to fix regressions.
jmestwa-coder [Sat, 13 Jun 2026 17:58:08 +0000 (23:28 +0530)]
catalog: bound item offsets against the mmap in the binary reader
The binary catalog reader trusted two values straight from a (possibly
hostile) database: open_mmap() summed header_size + n_items *
catalog_item_size in uint64 with no overflow check, and find_id() added
the matched item's offset to the map base with no upper bound. Reachable
through sd_journal_get_catalog() with $SYSTEMD_CATALOG set, this let
catalog_get()/catalog_list() strdup() a string starting outside the
mapping. Guard the size math with MUL_SAFE/INC_SAFE and reject item
offsets that fall outside the file.
Will Fancher [Fri, 15 May 2026 01:09:54 +0000 (21:09 -0400)]
cryptsetup: Invalidate ineffective try_discover_key before trying
A single incorrect password attempt from the user would be tried
twice, because the first failed try would think it was the
try_discover_key method that failed, and would invalidate that instead
of the actual failed password. This resulted in the user being
prompted one fewer time than they should be.
Luca Boccassi [Thu, 18 Jun 2026 15:46:32 +0000 (16:46 +0100)]
journalctl: dlopen gcrypt in the --setup-keys path
journalctl needs gcrypt to set up the journal sealing
keys and other such operations, but gets no dlopen note
with the dependency. Add the dlopen macro with a recommends
level so it can be skipped, but gets pulled in by default
on user/desktop systems.
Yu Watanabe [Wed, 17 Jun 2026 03:25:14 +0000 (12:25 +0900)]
meson: add -mstackrealign on i386 with musl and libucontext
On i386 with musl and libucontext, many tests crash with SIGSEGV
when using fibers implemented on top of ucontext APIs.
For example:
```
929/1498 libsystemd - systemd:test-event-future FAIL 0.97s killed by signal 11 SIGSEGV
/* test_sd_event_run_timer */
run-suspend-timer: Scheduling fiber
/home/pmos/build/src/systemd-261-rc3/tools/test-crash-trace.sh: line 18: 19994 Segmentation fault (core dumped) "$@"
===== exit 139 — replaying under gdb =====
/* test_sd_event_run_timer */
run-suspend-timer: Scheduling fiber
Program received signal SIGSEGV, Segmentation fault.
0xf7d68be3 in sd_event_add_time_relative (e=0xf7ffd3f0, ret=0xf7b01fa0, clock=1, usec=10000, accuracy=0, callback=0x565564ad <inner_timer_handler>, userdata=0xf7b01fa4) at ../src/libsystemd/sd-event/sd-event.c:1455
1455 void *userdata) {
Thread 1 (process 20485 "test-event-futu"):
#0 0xf7d68be3 in sd_event_add_time_relative (e=0xf7ffd3f0, ret=0xf7b01fa0, clock=1, usec=10000, accuracy=0, callback=0x565564ad <inner_timer_handler>, userdata=0xf7b01fa4) at ../src/libsystemd/sd-event/sd-event.c:1455
t = 17868423377094431728
r = <optimized out>
#1 0x565574c7 in sd_event_run_timer_fiber (userdata=0x0) at ../src/libsystemd/sd-event/test-event-future.c:329
inner = 0xf7ffd3f0
source = 0x0
counter = 0
r = <optimized out>
#2 0xf7dab308 in fiber_entry_point () at ../src/libsystemd/sd-future/fiber.c:208
_cleanup_log_unset_prefix_5 = 0x0
__unique_prefix_c6 = 0x5655bb30
f = 0xf7b06840
__func__ = "fiber_entry_point"
fake_stack_save = <optimized out>
#3 0xf7b032ae in setcontext () from /lib/libucontext.so.1
No symbol table info available.
#4 0x00000000 in ?? ()
No symbol table info available.
```
Building systemd with -mstackrealign makes all observed failures
disappear, suggesting a stack alignment issue in the interaction
between compiler-generated code and the ucontext implementation.
This resembles historical stack alignment issues in glibc's i386
makecontext() implementation, which required fixes to preserve the
expected stack alignment.
As a workaround, add -mstackrealign when building on i386 with musl
and libucontext.
Acquiring a LUO session from /dev/liveupdate requires privileges,
and also the device is a single-owner driver so only a single
process can open it at any given time.
Add a LUOSession= service settings that allows units running
without privileges to get a session assigned to them.
The kernel imposes a 64 chars limit on session names, which is
too short to avoid clashes, so derive a hash from joining the
unit name with the parameter name, that way two units using
the same setting don't clash.
The previous policy was primarily written from a standpoint
that AI models are not very good and we didn't wanna waste any
time reviewing PRs generated by AI. Now that AI models have become
actually good and their output is just as good as regular contributions,
let's stop requiring the disclosure as its pointless to still have it,
it doesn't really matter anymore whether a patch was written with or
without
AI. It's up to the author to make sure they're not wasting our time by
submitting unreviewed, untested code upstream, regardless of whether
that
code is written by an AI or not.
The new policy is inspired by https://github.com/lxc/incus/pull/3506,
with
various removals to be less adverse to the usage of AI.
Luca Boccassi [Wed, 17 Jun 2026 10:29:26 +0000 (11:29 +0100)]
mkosi: clean up generated rpm pre scripts in suse builds
2026-06-17T10:11:08.3789573Z Untracked files:
2026-06-17T10:11:08.3790064Z (use "git add <file>..." to include in what will be committed)
2026-06-17T10:11:08.3790566Z systemd-network.pre
2026-06-17T10:11:08.3790908Z systemd-resolve.pre
Daan De Meyer [Wed, 17 Jun 2026 08:10:12 +0000 (08:10 +0000)]
docs: Update AI usage policy
The previous policy was primarily written from a standpoint
that AI models are not very good and we didn't wanna waste any
time reviewing PRs generated by AI. Now that AI models have become
actually good and their output is just as good as regular contributions,
let's stop requiring the disclosure as its pointless to still have it,
it doesn't really matter anymore whether a patch was written with or without
AI. It's up to the author to make sure they're not wasting our time by
submitting unreviewed, untested code upstream, regardless of whether that
code is written by an AI or not.
The new policy is inspired by https://github.com/lxc/incus/pull/3506, with
various removals to be less adverse to the usage of AI.
Paul Meyer [Sat, 13 Jun 2026 10:07:45 +0000 (12:07 +0200)]
vmspawn: don't abort VM launch when an optional swtpm fails to start
When start_tpm() failed under TPM autodetect (arg_tpm <= 0), the swtpm
block logged "Failed to start tpm, ignoring" but then fell through to
event_add_child_pidref() with the still-unset child PidRef. That returns
-ESRCH (PIDREF_NULL fails its pidref_is_set() guard), and the VM launch
fails. Register the child only on start_tpm() success.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 09:38:02 +0000 (11:38 +0200)]
vmspawn: fix QEMU target names for ppc64/mips64el/mipsel hosts
architecture_to_qemu_table mapped four 64-bit/LE architectures to wrong
qemu-system-<target> names: MIPS64_LE and MIPS_LE both to "mips" (the BE
MIPS32 target), and PPC64/PPC64_LE to "ppc" (32-bit PowerPC). The string
feeds both find_qemu_binary() ("qemu-system-" + name) and the
firmware.json architecture match, so on those hosts vmspawn looked up a
wrong or nonexistent binary and never matched a firmware descriptor. Map
them to the real targets: mips64el, mipsel, and ppc64 (qemu-system-ppc64
runs LE pSeries guests; there is no qemu-system-ppc64le).
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 09:24:13 +0000 (11:24 +0200)]
vmspawn: reject oversized fstab.extra credential before int-cast merge
The fstab.extra merge prepends the existing credential via
asprintf("%.*s", (int) existing->size, …). MachineCredential.size is
size_t, so for a credential >INT_MAX the (int) cast yields a negative
precision, which C treats as omitted — turning %.*s into an unbounded
read past the allocation. Reject such a credential up front with EFBIG;
for all realistic sizes the merge is unchanged.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 08:57:46 +0000 (10:57 +0200)]
vmspawn: return negative errno from qemu_config_key()/_section_impl()
errno_or_else() already returns a negative errno, so "return
-errno_or_else(EIO)" returned a positive value on fprintf()/ferror()
failure. Callers checking "r < 0" therefore missed the write error and
treated it as success. Drop the spurious negation; these were the only
two "-errno_or_else" uses in the tree.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 08:37:20 +0000 (10:37 +0200)]
vmspawn: null freed fields and drain subscribers before bridge teardown
vmspawn_varlink_context_free() discarded the sd_varlink_server_unref()
and vmspawn_qmp_bridge_free() return values, leaving ctx->varlink_server
and ctx->bridge dangling. No current handler reads those fields, but use
the assign-back idiom so the fields are NULL during any synchronous
callback regardless of future changes.
Also drain subscribers before freeing the bridge, so subscriber teardown
can't run against a half-freed bridge.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 08:01:27 +0000 (10:01 +0200)]
vmspawn: reject --initrd= without --linux= for directory boot
determine_kernel() ran boot-entry discovery under a !arg_linux guard
only. With --initrd= but no --linux=, discovery overwrote arg_initrds
with the discovered entry's own initrds (leaking the user's strv) and
set arg_linux, so verify_arguments()'s "--initrd= needs --linux=" check,
which runs afterwards, never fired: the user's --initrd= was
silently discarded. Reject the combination before discovery. This also
keeps the discovery store leak-free.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 07:58:53 +0000 (09:58 +0200)]
vmspawn: don't leak prior arg_directory in ephemeral branch
The ephemeral-snapshot branch did a bare arg_directory = strdup(...),
orphaning the -D/--directory allocation from parse_argv.
Use free_and_strdup(), matching the idiom already used elsewhere in
the file.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Paul Meyer [Sat, 13 Jun 2026 07:25:28 +0000 (09:25 +0200)]
vmspawn: enforce an identifier grammar for QEMU config types/ids/keys
qemu_config_section()/qemu_config_key() write section types and keys
unquoted ([type], key = …), but the type check only rejected '\n' while
the structurally identical id/key checks rejected more, even though the
unquoted type slot is the most sensitive. Replace the three ad-hoc
denylists with one allowlist matching QEMU's identifier grammar
([A-Za-z0-9._-], non-empty). This is merely hardening, all callers pass
constant input today.
For the value check use string_is_safe() for now, which is a bit
stricter than QEMUs own config validation.
Add test-vmspawn-qemu-config covering both.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: Paul Meyer <katexochen0@gmail.com>
Luca Boccassi [Tue, 16 Jun 2026 21:40:20 +0000 (22:40 +0100)]
sd-dlopen: fix build on 'hppa'
On hppa '.equ' is overridden, so even this workaround ('.set' is
overridden on alpha) causes a build failure:
cc -Isrc/basic/libbasic.a.p -Isrc/basic -I../src/basic -Isrc/fundamental -I../src/fundamental -Isrc/systemd -I../src/systemd -Isrc/version -I../src/version -fdiagnostics-color=always -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -Wextra -std=gnu17 -O0 -g -Wno-missing-field-initializers -Wno-unused-parameter -Wno-nonnull-compare -Warray-bounds -Warray-bounds=2 -Wdate-time -Wendif-labels -Werror=bool-compare -Werror=discarded-qualifiers -Werror=flex-array-member-not-at-end -Werror=format=2 -Werror=format-signedness -Werror=implicit-function-declaration -Werror=implicit-int -Werror=incompatible-pointer-types -Werror=int-conversion -Werror=missing-declarations -Werror=missing-parameter-name -Werror=missing-prototypes -Werror=overflow -Werror=override-init -Werror=pointer-sign -Werror=return-type -Werror=sequence-point -Werror=shift-count-overflow -Werror=shift-overflow=2 -Werror=strict-flex-arrays -Werror=undef -Wfloat-equal -Wimplicit-fallthrough=5 -Winit-self -Wlogical-op -Wmissing-include-dirs -Wmissing-noreturn -Wnested-externs -Wold-style-definition -Wpointer-arith -Wredundant-decls -Wshadow -Wstrict-aliasing=2 -Wstrict-prototypes -Wsuggest-attribute=noreturn -Wunterminated-string-initialization -Wunused-function -Wwrite-strings -Wzero-as-null-pointer-constant -Wzero-length-bounds -fdiagnostics-show-option -fexcess-precision=standard -fno-common -fstack-protector -fstack-protector-strong -fstrict-flex-arrays=3 -fno-math-errno --param=ssp-buffer-size=4 -Wno-unused-result -Werror=shadow -fPIC -fno-strict-aliasing -fstrict-flex-arrays=1 -fvisibility=hidden -fno-omit-frame-pointer -include config.h -isystem../src/include/glibc -isystem../src/include/override -isystemsrc/include/override -isystem../src/include/uapi -fvisibility=default -MD -MQ src/basic/libbasic.a.p/compress.c.o -MF src/basic/libbasic.a.p/compress.c.o.d -o src/basic/libbasic.a.p/compress.c.o -c ../src/basic/compress.c
/tmp/ccxm7Waj.s: Assembler messages:
/tmp/ccxm7Waj.s:2085: Error: bad or irreducible absolute expression; zero assumed
/tmp/ccxm7Waj.s:2085: Error: junk at end of line, first unrecognized character is `,'
/tmp/ccxm7Waj.s:2268: Error: bad or irreducible absolute expression; zero assumed
/tmp/ccxm7Waj.s:2268: Error: junk at end of line, first unrecognized character is `,'
/tmp/ccxm7Waj.s:2544: Error: bad or irreducible absolute expression; zero assumed
/tmp/ccxm7Waj.s:2544: Error: junk at end of line, first unrecognized character is `,'
/tmp/ccxm7Waj.s:2800: Error: bad or irreducible absolute expression; zero assumed
/tmp/ccxm7Waj.s:2800: Error: junk at end of line, first unrecognized character is `,'
/tmp/ccxm7Waj.s:2956: Error: bad or irreducible absolute expression; zero assumed
/tmp/ccxm7Waj.s:2956: Error: junk at end of line, first unrecognized character is `,'
'.equiv' works on all architecures, but breaks on CentOS 9 due to binutils
2.35. Use an ifdef. Can be dropped and switch to '.equiv' once binutils 2.36
is the baseline.
dongshengyuan [Wed, 17 Jun 2026 03:00:49 +0000 (11:00 +0800)]
sysext,sysusers: fix wrong error variable in two error paths
sysext: utimensat() failure was logged with stale r (which is 0 after
the preceding successful write_backing_file call). Pass errno instead
so the actual failure reason is recorded and returned.
sysusers: rename() failure in make_backup() returned the raw positive
errno value. All callers check 'if (r < 0)', so the error was silently
ignored, allowing execution to continue after a failed backup. Return
-errno instead.
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* 462bd9f5ea Update systemd to version 260.2 / rev 469 via SR 1356344
* 28967f9151 Update systemd to version 260.1 / rev 468 via SR 1353801
* 086bdf7ca5 Update systemd to version 260.1 / rev 467 via SR 1348897
* 8e7d3d3067 Update systemd to version 259.5 / rev 466 via SR 1338788
* 069ac9826b Update systemd to version 259.3 / rev 465 via SR 1336527
* 7ed02aefd6 Update systemd to version 258.5 / rev 464 via SR 1335466
* 811b7f2076 Update systemd to version 258.4 / rev 463 via SR 1332808
* 45a28d7f95 Update systemd to version 258.3 / rev 462 via SR 1329291
* 37342ddc36 Update systemd to version 257.9 / rev 461 via SR 1324470
* 7eafa80da7 Update systemd to version 258.3 / rev 460 via SR 1323386
* 29c9ee6b49 Update systemd to version 257.9 / rev 459 via SR 1321158
* 39613f8d2e Update systemd to version 258.2 / rev 458 via SR 1320482
* c235f1dcf5 Update systemd to version 257.9 / rev 457 via SR 1305565
dongshengyuan [Thu, 11 Jun 2026 07:14:49 +0000 (15:14 +0800)]
core: fix unit_merge() load state check evaluating after state overwrite
The condition on line 1206 checks other->load_state != UNIT_STUB to
decide whether to call the vtable done() callback, but the state was
already overwritten to UNIT_MERGED on line 1198, making the condition
always true.
Save the original load_state before overwriting it, so that units in
UNIT_STUB state (which never went through a load attempt) correctly
skip the done() call.
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Daan De Meyer [Wed, 10 Jun 2026 10:06:14 +0000 (10:06 +0000)]
nsresourced: reclaim ranges from dead namespaces during allocation
The only runtime trigger for registry cleanup is the BPF kprobe that fires
on user namespace destruction; when it is missed (ring buffer overflow,
kprobe missing, fdstore entry dropped), the dead namespace's registry entry
survives and keeps its UID/GID ranges blocked until the manager restarts and
its startup sweep runs. The allocation hot path checked whether a candidate
range was already taken but never whether the namespace holding it was still
alive, so a single dead namespace could permanently starve an allocation.
This is most visible when a parent delegates its entire container UID window
to a child that then dies: every subsequent allocation from the parent fails
with NoDynamicRange even though the ranges are reclaimable.
Add userns_registry_reap_if_dead(), which probes a registered namespace's
liveness via the kernel namespace identifier recorded at allocation time and,
if it is authoritatively dead, releases its registry entry — restoring any
ranges it received via delegation to their ancestors. Call it from the
allocation availability check for both transient registrations and delegated
ranges, walking a chain of dead ancestors in the delegation case. This
mirrors the existing inode-slot stale cleanup and makes allocation
self-healing without waiting for a restart.
The startup sweep grew the same load-probe-release logic, so route it through
the new helper too; its errno return distinguishes alive, no-recorded-id, and
unprobeable-environment cases so the sweep keeps its early-out when lookup by
id isn't possible at all.
Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com>
Luca Boccassi [Mon, 15 Jun 2026 20:33:08 +0000 (21:33 +0100)]
core: add version and structure to LUO json payload
We might want to add more state to the LUO session json payload,
so add a version (to allow clean compat breaks if needed) and nest
the current fdstore contents under a 'units' object, so that more
top-level data can be added in the future without breaking
backward compatibility.
dongshengyuan [Tue, 16 Jun 2026 06:44:15 +0000 (14:44 +0800)]
misc: fix minor error handling issues
fstab-generator: pass k instead of r to bus_error_message() so the
fallback error string reflects the actual bus call failure, not the
accumulated result that was reset to 0 earlier.
networkd-ndisc: return -ENOMEM when newdup() fails, since r is 0 at
that point and the OOM would otherwise be reported as success.
storagetm: add missing NULL check after strndup() for attr_model,
matching the pattern already used for attr_firmware and attr_serial.
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Luca Boccassi [Mon, 15 Jun 2026 20:34:56 +0000 (21:34 +0100)]
core: only attempt to deserialize state from LUO on boot
Avoid trying to query for our LUO session on reexec/softreboot/reload/etc.
Currently /dev/liveupdate is only accessible to root so it's not a big
issue, but this might change in the future, so make sure nobody can
play games with us.
Luca Boccassi [Thu, 4 Jun 2026 19:20:51 +0000 (20:20 +0100)]
obs: prepare ParticleOS images in workflow
Link ParticleOS images in the workflow subproject for the PR,
so that they can be enabled with a click when needed.
But keep disabled by default, as they take a lot of resources,
especially disk space.
dongshengyuan [Tue, 16 Jun 2026 01:07:25 +0000 (09:07 +0800)]
gpt-auto-generator: fix error propagation in add_root_mount()
When generator_write_initrd_root_device_deps() fails, the error was
swallowed by returning 0 (success) instead of r. The two subsequent
calls in the same block correctly return r on failure.
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
dongshengyuan [Tue, 16 Jun 2026 02:38:17 +0000 (10:38 +0800)]
mount: log control command before clearing it in mount_sigchld_event()
control_command and control_command_id were cleared before being passed
to unit_log_process_exit(), so the log always showed an invalid/unknown
command name.
Move both clears after the log call, matching the ordering in
socket_sigchld_event() and service_sigchld_event().
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com> Co-developed-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Daan De Meyer [Mon, 15 Jun 2026 09:06:42 +0000 (09:06 +0000)]
loop-util: shortcut block device fd when it carries no partition table
663f0bf5cb stopped reusing the original block device fd whenever
partition scanning was requested (LO_FLAGS_PARTSCAN) but couldn't be
enabled on the device, so that nested partition tables on devices the
kernel won't scan (e.g. the pmOS/android case) get exposed via a real
loop device.
However that also forced a pointless loop device for any partition that
carries a file system directly, e.g. a btrfs subvolume mounted via
MountImages=. For multi-device btrfs this is fatal: the kernel rejects
seeing the same member via both the original partition and the loop
device, and the mount fails.
A loop device is only ever needed here to expose a nested partition
table. So only refuse the shortcut when the device actually carries one,
probed via gpt_probe(), instead of whenever partition scanning is
disabled. Devices carrying a file system directly (or nothing) take the
shortcut as before.
Add an integration test to cover the failure scenario of the original
issue.
Fixes: https://github.com/systemd/systemd/issues/42520
Replaces: https://github.com/systemd/systemd/pull/42576
Follow-up for 663f0bf5cb79ecaf6dd71441ecdc9dc401e7eae6
Co-Authored-By: Luca Boccassi <luca.boccassi@gmail.com> Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com>
Luca Boccassi [Mon, 15 Jun 2026 21:05:18 +0000 (22:05 +0100)]
report: place Upload() on io.systemd.Report.Uploader rather than io.systemd.Report interface (#42584)
We really want to use io.systemd.Report for the interface provided by
systemd-report itself, not by its backend. hence, rename the interface
that uploading plugins shall implement to io.systemd.Report.Uploader.
Note that we ideally should have a varlink interface definition for that
interface. if we had, we'd have noticed that earlier.
projects / thirdparty / systemd.git / log
