Daan De Meyer [Mon, 13 Oct 2025 08:43:16 +0000 (10:43 +0200)]
sd-id128: Drop _sd_const_ from sd_id128_in_setv()
Both the const and pure attributes disallow modifying input arguments
but sd_id128_in_setv() clearly modifies its ap input argument by iterating
over it with va_arg() so drop the _sd_const_ attribute from
sd_id128_in_setv().
test: check the next elapse timer timestamp after deserialization
When deserializing a serialized timer unit with RandomizedDelaySec= set,
systemd should use the last inactive exit timestamp instead of current
realtime to calculate the new next elapse, so the timer unit actually
runs in the given calendar window.
Luca Boccassi [Tue, 26 Aug 2025 18:12:53 +0000 (19:12 +0100)]
sysext: do not attempt to unlock images interactively
These images are not using a passphrase, they are using keys
or at most TPM-based sealing (not yet implemented, for contexts).
Do not use the interactive helper, as it will block and ask the
user for a password if it fails to find the signing cert, which
is not useful for this tool.
Since mountfsd was added in 702a52f4b5d49cce11e2adbc740deb3b644e2de0 the
caps bounding set line was commented. That's an accident. Fix that. (We
need to add a bunch of caps to the list).
This fixes two things: first of all it ensures we take the override
status output field properly into account, instead of going directly to
the regular one.
Moreover, it ensures that we bypass auto for both notice + emergency,
since both have the same "impact", and, don't limit this for notice
only.
UID entry in the machine state file is introduced in v258,
hence when a host is upgraded to v258, the field does not exist in the
file, thus the variable 'uid' is NULL.
core/bpf-firewall: replace unnecessary unit_setup_cgroup_runtime() with unit_get_cgroup_runtime()
Except for the test, bpf_firewall_compile() is only called by the following:
cgroup_context_apply() -> cgroup_apply_firewall() -> bpf_firewall_compile()
and in the early stage of cgroup_context_apply(), it checks if the cgroup
runtime exists. Hence, it is not necessary to try to allocate the
runtime in bpf_firewall_compile().
Mike Yuan [Thu, 25 Sep 2025 20:28:33 +0000 (22:28 +0200)]
core/cgroup: make sure deserialized accounting data is not voided
Currently, cgroup_path is (de-)serialized after all the cached
accounting data. This is bogus though, since unit_set_cgroup_path()
destroys the CGroupRuntime object and starts afresh, discarding
all deserialized values. This matters especially for IP accounting,
whose BPF maps get recreated on reload/reexec and the previous values
are exclusively retrievable from deserialization. Let's hence swap things
around and serialize cgroup_path first, accounting data only afterwards.
Felix Pehla [Sat, 27 Sep 2025 13:01:06 +0000 (15:01 +0200)]
shared/bootspec: parse 'uki' boot entry option
Commit e2a3d562189c413de3262ec47cdc1e1b0b13d78b (as part of #36314)
makes sd-boot recognize a 'uki' stanza in a boot loader entry and
uapi-group/specifications@3f2bd8236d7f9ce6dedf8bda9cadffd0d363cb08 adds
it to the BLS, but bootctl and other components parsing said config do
not know about it, leading to the error message
`Unknown line 'uki', ignoring.` when attempting to parse the same entry.
This commit makes it get parsed the same way that that 'efi' is.
In the commit c960ca2be1cfd183675df581f049a0c022c1c802, the logic of
updating ACL on device node was moved from logind to udevd, but at that
time, mistakenly removed the logic for static nodes.
man: fix advice regarding thread safety of libsystemd
The prohibition to move libsystemd objects between threads was added in 64a7ef8bc06b5dcfcd9f99ea10a43bde75c4370f ('man: be more explicit about thread
safety of sd_journal'). At the time, this was valid, because we were using the
mempool for allocation and it apparently didn't handle access from different
threads. Sadlly, the commit links to a bugzilla entry referenced in the commit
is not publicly visible anymore, so the details are murky. But we stopped using
the mempool in a5d8835c78112206bbf0812dd4cb471f803bfe88 ('mempool: only enable
mempool use when linked to libsystemd-shared.so'), with subsequent followup in b01f31954f1c7c4601925173ae2638b572224e9a ('Turn mempool_enabled() into a weak
symbol'). The restriction added in the man page is not necessary since then.
The text in the man page was arguably incorrect in calling the code
"thread-agnostic". If the code does not support being touched from threads at
all and has global state to tied to the main thread, it is not "agnostic", but
just doesn't support threads.
(I'm looking into https://github.com/systemd/python-systemd/issues/143, and
with the current scheme, the python-systemd module and all python code using
libsystemd would be very hard to use. With the change to free-threaded python
in python3.13, i.e. the replacement of single Global Interpreter Lock by
locking on individual objects, this limitation would become even more
constraining.)
Anton Tiurin [Mon, 15 Sep 2025 19:32:39 +0000 (12:32 -0700)]
networkd: fia xRequiredOperationalStateForOnline serializtion
In integration tests (for example TEST-85-NETWORK-NetworkctlTests)
LINK_OPERSTATE_RANGE_INVALID and required_for_online == -1 are serialized as
```
"RequiredForOnline": "true",
"RequiredOperationalStateForOnline": [null, null]
```
Such link should be reported as required_for_online=False and not
serialize nulls.
machined: do not allow unprivileged users to shell into the root namespace
We intend to make self-registering machines an unprivileged operation,
but currently that would allow an unprivileged user to register a
process they own in the root namespace, and then login as any
user they like, including root, which is not ideal.
Forbid non-root from shelling into a machine that is running in
the root user namespace.
Let's never bother with old TPM 1.x structures, they are not mentioned
in the TCG for TPM2 spec at all. However, the spec does say we should
check the Size field of the relevant structs, before accessing them,
hence do that.
On older versions, if the flag is anything other than AT_SYMLINK_NOFOLLOW,
it returns EINVAL, so we can detect it and call the kernel syscall directly
ourselves.
Using the glibc wrappers when possible is prefereable so that programs
like fakeroot can intercept its calls and redirect them.
In systemd <= 257, each set_audit tristate value had special meaning,
- true: enable the kernel audit subsystem,
- false: disable the kernel audit subsystem,
- negative: keep the current kernel audit subsystem state.
And the default is true, rather than negative. So, users sometimes
explicitly pass an empty string to Audit= setting to keep the state.
But since f48cf2a96dfdc23fe30ba0f870125fe55cab64c7 (v258), the negative
value is mistakenly used as 'really unspecified' even if an empty string
is explicitly specified.
This makes negative values handled as unspecified as usual, and assign a new
positive value AUDIT_KEEP for when an empty string is explicitly specified.
Also, make the Audit= setting accept "keep" setting, and suggest to use "keep"
rather than an empty string.
So, arch-chroot currently uses a rather cursed setup:
it sets up a PID namespace, but mounts /proc/ from the outside
into the chroot tree, and then call chroot(2), essentially
making it somewhere between chroot(8) and a full-blown
container. Hence, the PID dirs in /proc/ reveal the outer world.
The offending commit switched chroot detection to compare
/proc/1/root and /proc/OUR_PID/root, exhibiting the faulty behavior
where the mentioned environment now gets deemed to be non-chroot.
Now, this is very much an issue in arch-chroot. However,
if /proc/ is to be properly associated with the pidns,
then we'd treat it as a container and no longer a chroot.
Also, the previous logic feels more readable and more
honestly reported errors in proc_mounted(). Hence I opted
for reverting the change here. Still note that the culprit
(once again :/) lies in the arch-chroot's pidns impl, not
systemd.
It's not well-formed to begin with. And util-linux's mount(8)
is pretty much ubiquitously employed, hence it will be rejected
elsewhere too. Just stop pretending it is valid just because
glibc parser is sloppy.
core: if we cannot decode a TPM credential skip over it for ImportCredential=
let's skip over credentials we cannot decode when they are found with
ImportCredential=. When installing an OS on some disk and using that
disk on a different machine than assumed we'll otherwise end up with a
broken boot, because the credentials cannot be decoded when starting
systemd-firstboot. Let's handle this somewhat gracefully.
This leaves handling for LoadCredential=/SetCredential= as it is (i.e.
failure to decrypt results in service failure), because it is a lot more
explicit and focussed as opposed to ImportCredentials= which looks
everywhere, uses globs and so on and is hence very vague and unfocussed.
basic/efivars: read EFI variables using one read(), not two
In https://github.com/systemd/systemd/issues/38842 it is reported that we're again
having trouble accessing EFI variables:
[ 292.212415] H (udev-worker)[253]: Reading EFI variable /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
...
[ 344.397961] H (udev-worker)[253]: Detected slow EFI variable read access on LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f: 52.185510s
We don't know what causes the slowdown, but it seems reasonable to avoid
unnecessary read() calls. We would read the 4-byte attr first, and then the
actual value later. But our code always reads the value (and discards the attr
in all cases except one, when _writing_ the variable), so let's optimize for
the case where we read the value and read the whole contents in one readv().
Tobias Heider [Mon, 25 Aug 2025 14:07:54 +0000 (16:07 +0200)]
stub: fix file path handling for loaded kernel
- Actually pass the new memory file path to parent_loaded_image->FilePath
- Restore old parent_loaded_image if Linux returns
- Pass the same kernel_file_path in load_via_boot_services path
- s/Re-use/Patch in comment explaining what we are doing
Luca Boccassi [Sun, 24 Aug 2025 19:51:23 +0000 (20:51 +0100)]
repart: do not fail when CopyBlocks= is used in the initrd
When running in the initrd --root= is automatically set to /sysroot or /sysusr
but then using CopyBlocks fails due to a security measure:
root@particle-caba-1e47:~# systemd-repart --dry-run=no /dev/vda
No machine ID set, using randomized partition UUIDs.
Automatic discovery of backing block devices not permitted in --root= mode, refusing.
I'm seeing this in the initrd (with the dev_ksmg_record line added to clarify
where the error is coming from):
[ 6.114232] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.2
[ 6.116842] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.2".
[ 6.134115] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.2".
[ 6.139427] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.3
[ 6.144327] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.3".
[ 6.149442] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.3".
[ 6.155091] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.3
[ 6.160118] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.3".
[ 6.164814] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.3".
[ 6.169201] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.3
[ 6.173990] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.3".
[ 6.183104] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.3".
[ 6.187746] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.3
[ 6.192825] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.3".
[ 6.197733] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.3".
[ 6.203015] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.3
[ 6.207184] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.3".
[ 6.211943] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.3".
[ 6.216703] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.4
[ 6.221944] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.4".
[ 6.226803] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.4".
[ 6.231238] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.4
[ 6.236078] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.4".
[ 6.241845] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.4".
[ 6.247976] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.4
[ 6.252545] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.4".
[ 6.256146] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.4".
[ 6.260651] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.4
[ 6.265151] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.4".
[ 6.269755] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.4".
[ 6.276206] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.4
[ 6.280034] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.4".
[ 6.284603] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.4".
[ 6.288710] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.5
[ 6.293312] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.5".
[ 6.297763] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.5".
[ 6.302438] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.5
[ 6.306948] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.5".
[ 6.310797] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.5".
[ 6.315097] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.5
[ 6.319033] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.5".
[ 6.323593] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.5".
[ 6.328834] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.5
[ 6.333057] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.5".
[ 6.337644] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.5".
[ 6.341152] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.5
[ 6.345436] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.5".
[ 6.349824] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.5".
[ 6.354306] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.6
[ 6.358131] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.6".
[ 6.366568] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.6".
[ 6.371139] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.6
[ 6.375207] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.6".
[ 6.378681] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.6".
[ 6.382820] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.6
[ 6.387143] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.6".
[ 6.392192] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.6".
[ 6.397109] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.6
[ 6.400991] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.6".
[ 6.405992] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.6".
[ 6.410889] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.6
[ 6.414730] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.6".
[ 6.418266] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.6".
[ 6.422575] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.7
[ 6.429942] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.7".
[ 6.433780] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.7".
[ 6.438509] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.7
[ 6.442293] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.7".
[ 6.447236] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.7".
[ 6.453336] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.7
[ 6.458031] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.7".
[ 6.461948] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.7".
[ 6.465883] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.7
[ 6.470072] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.7".
[ 6.476196] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.7".
[ 6.481182] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:02.7
[ 6.484938] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:02.7".
[ 6.491322] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:02.7".
[ 6.497289] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.0
[ 6.501935] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:03.0".
[ 6.505217] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:03.0".
[ 6.509819] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.0
[ 6.516078] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:03.0".
[ 6.520942] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:03.0".
[ 6.525178] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.0
[ 6.528505] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:03.0".
[ 6.534669] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:03.0".
[ 6.539353] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.0
[ 6.543035] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:03.0".
[ 6.547441] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:03.0".
[ 6.553211] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.0
[ 6.557452] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/class/pci/0000:00:03.0".
[ 6.562468] systemd-journald[251]: sd-device: Failed to chase symlinks in "/sys/firmware/pci/0000:00:03.0".
[ 6.566955] systemd-journald[251]: dev_kmsg_record: kernel_device=+pci:0000:00:03.1
[ 6.570846] systemd-journald[251]: Too many messages being logged to kmsg, ignoring
The error message was misleading, since it sounds like there's an issue with
symlinks, but the device simply doesn't exist. But I think we should suppress
the message altogether. journald spewing messages like this fills up the logs
for no benefit. The sd_device_new* functions can legitimately be used for
"invalid" devices, e.g. to check if they even exist. We have no idea for what
purpose the caller is creating the device object, so let's not log this at all.
The caller can log if appropriate.
macro: flip ONCE macro to make log_once() and friend actually log once
Previously, ONCE is false for the first time, and true for later times,
hence log_once() and log_once_errno() suppress logging in the first call,
rather than later calls.
Fortunately, ONCE macro is only used in log_once() and log_once_errno(),
hence this only fixes spurious logging.
It seems
- the address sanitizer on fedora 42 reports false-positive, or
- probing partitions in libblkid 2.40.4 has a bug.
Not sure which causes the issue, but anyway the address sanitizer
kills udev-worker when sym_blkid_partition_get_name() is called
in udev-builtin-blkid.c.
```
systemd-udevd[488]: ==488==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffdd716e020 at pc 0x563e3ca66fcb bp 0x7ffdd716d970 sp 0x7ffdd716d968
systemd-udevd[488]: READ of size 8 at 0x7ffdd716e020 thread T0 ((udev-worker))
(snip)
systemd-udevd[488]: HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
systemd-udevd[488]: (longjmp and C++ exceptions *are* supported)
systemd-udevd[488]: SUMMARY: AddressSanitizer: stack-buffer-underflow (/usr/bin/udevadm+0x187fca) (BuildId: 1fb56dbdf0447aba1185d6e34560b782b76098be)
(snip)
systemd-udevd[488]: Command: (udev-worker)
systemd-udevd[488]: ==488==ABORTING
```
machine: do not allow unprivileged users to register other users' processes as machines (#38911)
Registering a process as a machine means a caller can get machined to
send sigterm to it, and more. If an unpriv user is registering, ensure
the registered process has the same uid.
machine: do not allow unprivileged users to register other users' processes as machines
Registering a process as a machine means a caller can get machined
to send sigterm to it, and more. If an unpriv user is registering,
ensure the registered process is actually owned by the user.
generators: fix parameters naming in symlink helper
Coverity gets confused because the names were swapped. The parameters
are all passed in the right position, so there's no functional issue,
but the naming is confusing and trips static analyzers, so fix it.
projects / thirdparty / systemd.git / log
