Yu Watanabe [Sat, 21 Jun 2025 15:38:58 +0000 (00:38 +0900)]
musl: add several missing statx macros
glibc's sys/stat.h includes linux/stat.h, and we have copy of it from
the latest kernel, hence all new flags are always defined.
However, musl's sys/stat.h does not include linux/stat.h, and moreover,
they conflict with each other, hence we cannot include both header
simultaneously. Let's define missing macros to support musl.
musl: introduce dummy gshadow header file for userdb
Even 'gshadow' meson option is disabled, src/shared/userdb.c and
src/shared/user-record-nss.c include gshadow.h unconditionally.
Let's introduce dummy header to make them compiled gracefully.
Daan De Meyer [Sun, 2 Nov 2025 13:17:36 +0000 (14:17 +0100)]
sd-bus: Pass --user and --quiet to systemd-stdio-bridge if local
If we're switching users but not entering a container, then we can
assume that new switches for systemd-stdio-bridge are available, so
make use of them in that case.
Daan De Meyer [Sun, 2 Nov 2025 12:52:15 +0000 (13:52 +0100)]
stdio-bridge: Add --quiet option
When we use stdio-bridge via sd-bus to connect to a bus of a different
user, container or host, stdio-bridge should not log at error level but
at debug level as it's invoked by the sd-bus library and sd-bus should
generally not log above debug level.
We can't actually use the --quiet option yet as that would break connecting
to hosts running older versions of systemd but let's already add the option
now in preparation for a brighter future.
efivars: seek back to beginning in each efi_get_variable() loop
We try to read again from the beginning, hence let's seek back.
Apparently efivarfs doesn't strictly require this, but it's really weird
that it doesn't.
efivars: don't bother with realloc() if we have no interest in the old data
We shouldn't ask glibc to keep the old data around (which realloc() is
about), given we overwrite it entirely anyway. Let's hence speed things
up here, and allow glibc to just allocate a new block for us (and
shorten the code a bit)
We have no sensible way to detect why strptime() fails, hence
the fallback path as it is now would fire on glibc systems too,
pointlessly. Let's guard it behind ifdeffery.
* efdd7a6377 Install new file for upstream build
* 9ebdc6099e d/rules: enable 10-systemd-logind-root-ignore-inhibitors.rules.example on Ubuntu
* 1255cc7663 initramfs-tools: only skip chzdev rules if zdev_early=0
* 4675b281ee d/t/boot-and-services: skip apparmor test on armhf
* 214d6e37b2 d/t/boot-and-services: run transient unit to check syslog messages
* f4e196aa26 d/t/boot-and-services: tweak test_rsyslog regex
* dbd366a43e Install new files for upstream build
* bb7f8ef532 Install new files for upstream build
* efa7cee8a7 Install new file for upstream build
* 95aa1d1685 Install new file for upstream build
* b770f0f01b kernel-install: skip 55-initrd.install when an initrd generator is configured
* af8d1e3134 Update changelog for 258.1-2 release
* 2d0e73cd14 d/libnss-systemd.postinst: Ensure module is enabled for all four databases
journald: do not allow persistent journal storage in the initrd
If the user managed to configure persistent storage in the journal
in the initrd, e.g. by creating /var/log/journal with default of 'auto',
we could end up writing entries there. Let's make sure this doesn't
happen.
journald: allow default storage mode to be configured
So far the idea was that the default is 'auto', and if appropriate, the
distribution will create /var/log/journal/ to tell journald to use persistent
mode. This doesn't work well with factory resets, because after a factory reset
obviously /var/log is gone. That old default was useful when journald was new
and people were reluctant to enable persistent mode and instead relied on
rsyslog and such for the persistent storage. But nowadays that is rarer, and
anyway various features like user journals only work with persistent storage,
so we want people to enable this by default. Add an option to flip the default
and distributions can opt in. The default default value remains unchanged.
(I also tested using tmpfiles to instead change this, since we already set
access mode for /var/log/journal through tmpfiles. Unfortunately, tmpfiles runs
too late, after journald has already started, so if tmpfiles creates the
directory, it'll only be used after a reboot. This probably could be made to
work by adding a new service to flush the journal, but that becomes complicated
and we lose the main advantage of simplicity.)
man: stop inventing custom entity names for docbook
For some reason, the entity names configured in custom-entities.ent
used abbreviated names. This just creates unnecessary confusion, so update
to use the same name as the config dict.
musl: avoid multiple evaluations in CPU_ISSET_S() macro
musl's CPU_ISSET_S() macro does not avoid multiple evaluations, and it
only accepts simple variable or constant.
Fixes the following error.
```
../src/shared/cpu-set-util.c: In function ‘cpu_set_to_mask_string’:
../src/shared/cpu-set-util.c:101:41: warning: operation on ‘i’ may be undefined [-Werror=sequence-point]
101 | if (CPU_ISSET_S(--i, c->allocated, c->set))
| ^
```
glibc defines HOST_NAME_MAX as 64 and our code rely on that, but musl
defines the constant as 255. Let's provide our own definition for the
maximum length.
Mike Yuan [Sat, 4 Oct 2025 23:46:40 +0000 (01:46 +0200)]
core: expose transactions with ordering cycle
Closes #3829
Alternative to #35417
I don't think the individual "WasOnDependencyCycle" attrs on units
are particularly helpful and comprehensible, as it's really about
the dep relationship between them. And as discussed, the dependency
cycle is not something persistent, rather local to the currently
loaded set of units and shall be reset with daemon-reload (see also
https://github.com/systemd/systemd/issues/35642#issuecomment-2591296586).
Hence, let's report system state as degraded and point users to
the involved transactions when ordering cycles are encountered instead.
Combined with log messages added in 6912eb315fabe0bbf25593ab897265fa79a7e24b
it should achieve the goal of making ordering cycles more observable,
while avoiding all sorts of subtle bookkeeping in the service manager.
The degraded state can be reset via the existing ResetFailed() manager-wide
method.
Mike Yuan [Sat, 4 Oct 2025 22:39:50 +0000 (00:39 +0200)]
core/transaction: assign unique ids to transactions and encode them in log
Preparation for later commits, but I think this one makes
a ton of sense on its own. When debug logging is enabled
it's otherwise difficult to dig up the portion of journal
for transaction construction.
musl: avoid conflict between fcntl.h and basic-forward.h
glibc defines AT_FDCWD as -100, but musl defines it as (-100).
In basic-forward.h, we also define AT_FDCWD as -100, hence musl's fcntl.h
conflicts with forward.h. This is for avoiding the conflict.
Yu Watanabe [Sat, 21 Jun 2025 17:16:25 +0000 (02:16 +0900)]
musl: meson: gracefully disable gshadow, nss, and idn support
- musl does not support gshadow, and does not provide gshadow.h,
- musl does not support nss, and does not provide nss.h which is necessary
for each nss modules,
- musl does not provide NI_IDN.
Yu Watanabe [Mon, 9 Jun 2025 04:00:37 +0000 (13:00 +0900)]
musl: meson: check existence of renameat2()
musl-1.2.5 does not provide renameat2(). Note, it is added by
https://github.com/kraj/musl/commit/05ce67fea99ca09cd4b6625cff7aec9cc222dd5a,
hence hopefully it will be provided by musl-1.2.6 or newer.
Yu Watanabe [Mon, 9 Jun 2025 04:37:38 +0000 (13:37 +0900)]
musl: meson: make musl not define wchar_t in their header
Otherwise, musl defines wchar_t as int, which conflicts with the
assumption by sd-boot, i.e. wchar_t is 2 bytes.
Fixes the following build error:
```
In file included from ../src/boot/efi-log.h:4,
from ../src/boot/linux_x86.c:13:
../src/boot/efi.h:19:24: error: conflicting types for 'wchar_t'; have 'short unsigned int'
19 | typedef __WCHAR_TYPE__ wchar_t;
| ^~~~~~~
In file included from /usr/include/stddef.h:19,
from ../src/boot/efi.h:9:
/usr/include/bits/alltypes.h:10:13: note: previous declaration of 'wchar_t' with type 'wchar_t' {aka 'int'}
10 | typedef int wchar_t;
| ^~~~~~~
```
Yu Watanabe [Mon, 9 Jun 2025 15:29:46 +0000 (00:29 +0900)]
musl: meson: explicitly set _LARGEFILE64_SOURCE
glibc sets it when _GNU_SOURCE is defined, however, musl does not.
Let's explicitly define it to make getdents64() and struct dirent64
available even when building with musl.
Daan De Meyer [Wed, 12 Nov 2025 13:05:54 +0000 (14:05 +0100)]
run0: Never ask --empower sessions for polkit auth
A --empower session is effectively root without being UID 0, so it
doesn't make sense to enforce polkit authentication in those. Let's
add the empower group, add --empower sessions to that group and ship
a polkit rule to skip authentication for all users in the empower
group.
(As a side-effect this will also allow users to add themselves to this
group outside of 'run0 --empower' to mimick NOPASSWD from sudo)
musl does not set tm_wday when it is explicitly requested.
The check is not necessary at all, it is just for safety.
Let's skip it when built with musl.
musl: time-util: make parse_gmtoff() accept extended timezone offset format
musl v1.2.5 does not support %z specifier in strptime(). Since
https://github.com/kraj/musl/commit/fced99e93daeefb0192fd16304f978d4401d1d77
%z is supported, but it only supports strict RFC-822/ISO 8601 format,
that is, 4 digits with sign (e.g. +0900 or -1400), but does not support
extended format: 2 digits or colon separated 4 digits (e.g. +09 or -14:00).
Let's add fallback logic to make it support the extended timezone spec.
Yu Watanabe [Tue, 11 Nov 2025 17:29:34 +0000 (02:29 +0900)]
tree-wide: drop redundant inclusion of linux/prctl.h
sys/prctl.h anyway includes linux/prctl.h and actually these .c files
includes sys/prctl.h. Hence, it is not necessary to explicitly include
linux/prctl.h.
Yu Watanabe [Tue, 11 Nov 2025 22:30:01 +0000 (07:30 +0900)]
musl: locale-util: explicitly check existence of locale file
musl's newlocale() always provides a locale object even the requested
locale does not exist. Let's explicitly check the existence of the
requested locale file.
Yu Watanabe [Tue, 11 Nov 2025 23:59:06 +0000 (08:59 +0900)]
systemctl: fix edit and cat verbs with --global flag (#39606)
The --global flag has been broken since commit d77d42ed3ae95ee035dce4707777b077d1a9bf8b, which added a
blanket restriction on acquiring D-Bus connections when
arg_runtime_scope is RUNTIME_SCOPE_GLOBAL. This was done to prevent
crashes, but inadvertently broke legitimate use cases like 'systemctl
edit --global' and 'systemctl cat --global'.
The issue is that verb_edit() and verb_cat() were unconditionally
calling acquire_bus(), which triggers the restriction and fails with
"--global is not supported for this operation."
This commit fixes the issue by making bus acquisition conditional,
following the same pattern used in verb_enable():
- Only acquire the bus when install_client_side() returns NO (i.e., for
system and user scopes)
- For client-side operations (--global, --root, etc.), skip bus
acquisition and use mangle_names() instead of expand_unit_names()
- Update find_paths_to_edit() and verb_cat() to handle NULL bus by
forcing client-side path lookups
- Skip bus-dependent checks (unit_is_masked, need_daemon_reload) when
bus is NULL
This allows both 'systemctl edit --global' and 'systemctl cat --global'
to work correctly by performing all operations client-side without
requiring a connection to the system or user manager.
Yu Watanabe [Tue, 11 Nov 2025 23:54:09 +0000 (08:54 +0900)]
sd-path: add new type SD_PATH_SEARCH_SYSCTL (#38680)
Aim of this patches set, is to add a new type SD_PATH_SEARCH_SYSCTL for
sd_path_lookup() and sd_path_lookup_strv(). This new type is used to get the
directories list used by systemd-sysctl:
bootctl: calculate secureboot state taking MokSBStateRT into account (#39298)
shim is often used as part of the EFI boot chain with Linux kernels.
shim has an option to disable all verification of binaries it loads.
This can be performed by end-user using mokutil / mokmanager EFI app,
which set BootServices only variable MokSBState. shim honors that, and
mirrors it as readonly MokSBStateRT for the post-ExitBootService access.
Thus presense of MokSBStateRT is an indicator that shim was used during
boot chain.
Some OEM vendors are known to set MokSBState variable, without user
having done so.
When verification is disabled, one should assume secureboot is insecure,
because any EFI binary was allowed to run, including but not limited to
unsigned or revoked:
- grub
- systemd-boot
- UKI
- linux kernel
Linux kernel also has code to check this variable, and correctly report
that Secure Boot is disabled, see:
-
https://github.com/torvalds/linux/blob/3a8660878839faadb4f1a6dd72c3179c1df56787/drivers/firmware/efi/libstub/secureboot.c#L57
With this change bootctl output changes like this:
```diff
System:
Firmware: n/a (n/a)
Firmware Arch: x64
- Secure Boot: enabled (user)
+ Secure Boot: disabled (insecure)
TPM2 Support: yes
Measured UKI: no
Boot into FW: supported
```
This implementation is trying to mimic mokutil behaviour like this one:
```
$ mokutil --sb-state
SecureBoot enabled
SecureBoot validation is disabled in shim
```
As well as the linux kernel behavior of:
```
$ journalctl -b | grep 'Secure boot disabled'
kernel: Secure boot disabled
```
Note that MokSBState is extended into PCR7 as well as also into PCR14.
For more details see https://github.com/rhboot/shim/blob/main/README.tpm
Luca Boccassi [Mon, 10 Nov 2025 02:01:57 +0000 (02:01 +0000)]
dissect: check that roothash in signature matches before selecting partition
If there are multiple verity sig partitions (e.g.: sysupdate and A/B
scheme), dissection will simply pick the last sig partition it encounters,
as no checks are done on the content (like for the usr/root and verity data).
Check that the JSON content matches the requested roothash, if any.
Before:
sda: /usr/lib/udev/rules.d/90-image-dissect.rules:34 IMPORT{builtin}="dissect_image probe": Importing properties from results of builtin command "dissect_image probe".
Dissecting esp partition with label esp and UUID b80070bd-ea4f-49ea-94ab-41a4e4125f80.
Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting swap partition with label ParticleOS-swap and UUID 7fe77f77-32fb-4957-8c1e-6c04bd2e435f.
Dissecting root partition with label ParticleOS-root and UUID a5c89fc4-e92c-4e83-913f-8c866b94592e.
Dissecting home partition with label ParticleOS-home and UUID 25885d07-baa2-4992-b6aa-56813aa70cef.
Found for designator root: encrypted+unprotected+unused.
Found for designator usr: verity+signed+encrypted+unprotected+unused.
Found for designator home: encrypted+unprotected+unused.
Found for designator srv: absent.
Found for designator esp: encrypted+unprotected+unused.
Found for designator xbootldr: absent.
Found for designator swap: encrypted+unprotected+unused.
Found for designator root-verity: absent.
Found for designator usr-verity: encrypted+unprotected+unused.
Found for designator root-verity-sig: absent.
Found for designator usr-verity-sig: encrypted+unprotected+unused.
Found for designator tmp: absent.
Found for designator var: absent.
Probed fstype 'btrfs' on partition /dev/sda9.
Probed fstype 'erofs' on partition /dev/sda4.
Probed fstype 'btrfs' on partition /dev/sda10.
Probed fstype 'swap' on partition /dev/sda8.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
sda: Failed to load verity signature data from image: Invalid argument
After:
Dissecting usr-verity-sig partition with label ParticleOS_27.178_verity_sig and UUID a6d47959-39f7-4686-99b0-660b301d1488.
Dissecting usr-verity partition with label ParticleOS_27.178_verity and UUID d7acad57-995d-297d-bf6c-a58821dcd28a.
Dissecting usr partition with label ParticleOS_27.178 and UUID f5b6aff5-945d-946e-faf4-d482c07f9968.
Dissecting usr-verity-sig partition with label ParticleOS_118.26_verity_sig and UUID c9151ec9-3264-434a-8f42-7b125432d676.
Root hash in signature JSON data (52df1859e144348d2cb18d644025471988fa8c858161ea32bf4afc8df18d27ae) doesn't match configured hash (f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a).
Dissecting usr-verity partition with label ParticleOS_118.26_verity and UUID 88fa8c85-8161-ea32-bf4a-fc8df18d27ae.
Partition UUID '88fa8c85-8161-ea32-bf4a-fc8df18d27ae' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
Dissecting usr partition with label ParticleOS_118.26 and UUID 52df1859-e144-348d-2cb1-8d6440254719.
Partition UUID '52df1859-e144-348d-2cb1-8d6440254719' does not match expected UUID 'f5b6aff5-945d-946e-faf4-d482c07f9968' derived from usr verity hash, ignoring.
<...>
ID_DISSECT_PART2_DESIGNATOR=usr-verity-sig
ID_DISSECT_PART3_ARCHITECTURE=x86-64
ID_DISSECT_PART3_DESIGNATOR=usr-verity
ID_DISSECT_PART4_ARCHITECTURE=x86-64
ID_DISSECT_PART4_DESIGNATOR=usr
ID_DISSECT_PART4_HAS_VERITY=1
ID_DISSECT_PART4_HAS_VERITY_SIG=1
ID_DISSECT_PART4_ROOTHASH=f5b6aff5945d946efaf4d482c07f9968d7acad57995d297dbf6ca58821dcd28a
ID_DISSECT_PART4_ROOTHASH_SIG=<...>
ID_DISSECT_PART4_VERITY_DEVICE=/dev/disk/by-diskseq/9-part3
ID_DISSECT_PART4_VERITY_SIG_DEVICE=/dev/disk/by-diskseq/9-part2
gvenugo3 [Tue, 11 Nov 2025 17:00:29 +0000 (10:00 -0700)]
systemctl: support --global and --root in edit and cat
Make bus acquisition conditional in verb_edit() and verb_cat(), following
the same pattern used in verb_enable(). When install_client_side() returns
non-zero (indicating --global, --root, offline, or similar scenarios), skip
acquiring a D-Bus connection and perform all operations client-side.
Changes:
- Only acquire bus when install_client_side() returns NO
- Use mangle_names() instead of expand_unit_names() in client-side mode
- Pass force_client_side flag based on bus availability
- Skip bus-dependent operations (need_daemon_reload, etc.) when bus is NULL
This allows 'systemctl edit --global' and 'systemctl cat --global' to work
correctly, fixing the regression introduced by commit d77d42ed3a.
Test cases added to verify:
- Creating and editing global user units with --runtime
- Reading global units with cat --global
- Proper detection and rejection of masked units in client-side mode
- Tests use /run/ instead of /etc/ for safer temporary testing
gvenugo3 [Tue, 11 Nov 2025 16:55:59 +0000 (09:55 -0700)]
systemctl: check if unit is masked in unit_find_paths()
When operating in client-side mode (force_client_side=true), unit_find_paths()
now checks if the unit file is masked (symlinked to /dev/null or empty) and
returns -ERFKILL, matching the behavior of the server-side path.
This centralizes masked unit detection in one place, making it consistent
across both client-side and server-side operations.
projects / thirdparty / systemd.git / log
