]> git.ipfire.org Git - thirdparty/systemd.git/log
thirdparty/systemd.git
38 hours agobless-boot: avoid false maybe-uninitialized warning 42843/head
Yu Watanabe [Thu, 2 Jul 2026 08:31:38 +0000 (17:31 +0900)] 
bless-boot: avoid false maybe-uninitialized warning

Obserbed with GCC-11 on Ubuntu.
```
In file included from ../src/shared/format-table.h:7,
                 from ../src/bless-boot/bless-boot.c:11:
../src/bless-boot/bless-boot.c: In function ‘verb_set’:
../src/basic/log.h:187:27: error: ‘source2’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  187 |                         ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \
      |                           ^~~~~~~~~~~~
../src/bless-boot/bless-boot.c:458:40: note: ‘source2’ was declared here
  458 |         const char *target, *source1, *source2;
      |                                        ^~~~~~~
In file included from ../src/shared/format-table.h:7,
                 from ../src/bless-boot/bless-boot.c:11:
../src/basic/log.h:187:27: error: ‘source1’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  187 |                         ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \
      |                           ^~~~~~~~~~~~
../src/bless-boot/bless-boot.c:458:30: note: ‘source1’ was declared here
  458 |         const char *target, *source1, *source2;
      |                              ^~~~~~~
In file included from ../src/shared/format-table.h:7,
                 from ../src/bless-boot/bless-boot.c:11:
../src/basic/log.h:187:27: error: ‘target’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
  187 |                         ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \
      |                           ^~~~~~~~~~~~
../src/bless-boot/bless-boot.c:458:21: note: ‘target’ was declared here
  458 |         const char *target, *source1, *source2;
      |                     ^~~~~~
cc1: all warnings being treated as errors
```

38 hours agoci/build-test: try to build with OPENSSL_NO_DEPRECATED
Yu Watanabe [Wed, 1 Jul 2026 19:47:32 +0000 (04:47 +0900)] 
ci/build-test: try to build with OPENSSL_NO_DEPRECATED

38 hours agocrypto-util: drop unused symbol
Yu Watanabe [Wed, 1 Jul 2026 19:46:51 +0000 (04:46 +0900)] 
crypto-util: drop unused symbol

38 hours agocrypto-util: make OpenSSL UI API symbols optional during dlopen
Yu Watanabe [Wed, 1 Jul 2026 18:47:06 +0000 (03:47 +0900)] 
crypto-util: make OpenSSL UI API symbols optional during dlopen

Previously, if systemd was built with OpenSSL UI support, it would fail
to load libcrypto at runtime if the library lacked UI support, requiring
a recompilation of systemd to fix.

Let's relax this strict requirement by making the UI methods optional
during dlopen(). openssl_ui_supported() is added to dynamically check
if all required UI symbols were successfully loaded.

38 hours agocrypto-util: allow loading private keys from engine/provider without UI support
Yu Watanabe [Wed, 1 Jul 2026 18:33:04 +0000 (03:33 +0900)] 
crypto-util: allow loading private keys from engine/provider without UI support

OpenSSL UI is not a mandatory feature to load private keys from an engine
or a provider. Let's allow loading private keys even if OpenSSL UI is not
supported.

Note that even if OPENSSL_NO_UI_CONSOLE is set, the type UI_METHOD is
always defined. Hence, the `#ifndef` condition in the definition of
struct OpenSSLAskPasswordUI is unnecessary and can be dropped.

38 hours agocrypto-util: drop redundant logs
Yu Watanabe [Wed, 1 Jul 2026 18:38:03 +0000 (03:38 +0900)] 
crypto-util: drop redundant logs

The called functions already log errors internally.

38 hours agocrypto-util: move functions
Yu Watanabe [Wed, 1 Jul 2026 18:29:29 +0000 (03:29 +0900)] 
crypto-util: move functions

Implementations for loading private/public keys and X.509 certificates
were scattered. Group them together to improve readability.

38 hours agocrypto-util: make OpenSSL ENGINE API symbols optional during dlopen
Yu Watanabe [Wed, 1 Jul 2026 05:44:39 +0000 (14:44 +0900)] 
crypto-util: make OpenSSL ENGINE API symbols optional during dlopen

If systemd is compiled with OpenSSL 3 headers but executed in an environment
where OpenSSL 4 (libcrypto.so.4) is loaded, dlopen_many_sym_or_warn() will
fail because OpenSSL 4 completely removes the deprecated ENGINE API. This
breaks the ability to dynamically fallback and seamlessly upgrade OpenSSL
without recompiling systemd.

To fix this, drop the ENGINE API symbols from the mandatory DLSYM_ARG() list.
Instead, try to load them via DLSYM_OPTIONAL() after the library is opened.
load_key_from_engine() is updated to check for their presence and return
-EOPNOTSUPP if the loaded OpenSSL version does not provide them.

38 hours agocrypto-util: drop dlopen_libcrypto() from static functions
Yu Watanabe [Wed, 1 Jul 2026 05:32:24 +0000 (14:32 +0900)] 
crypto-util: drop dlopen_libcrypto() from static functions

38 hours agomemory-util: drop unused memdup_reverse()
Yu Watanabe [Tue, 30 Jun 2026 16:55:39 +0000 (01:55 +0900)] 
memory-util: drop unused memdup_reverse()

With the previous commit, now the function is unused anymore.
Let's drop it.

38 hours agocrypto-util: drop manual endianness handling in rsa_pkey_from_n_e()
Yu Watanabe [Tue, 30 Jun 2026 15:39:53 +0000 (00:39 +0900)] 
crypto-util: drop manual endianness handling in rsa_pkey_from_n_e()

Currently, rsa_pkey_from_n_e() uses architecture-specific `#if` branches
and memdup_reverse() to handle big-endian RSA components (n and e)
before passing them directly to OSSL_PARAM_construct_BN().

We can simplify this by parsing the raw big-endian bytes into BIGNUMs
first using BN_bin2bn(), which natively expects big-endian data. We
can then push these BIGNUMs into OSSL_PARAM_BLD. This delegates the
data format handling entirely to OpenSSL and successfully removes the
platform-specific code.

38 hours agocrypto-util: simplify openssl_extract_public_key()
Yu Watanabe [Tue, 30 Jun 2026 15:33:27 +0000 (00:33 +0900)] 
crypto-util: simplify openssl_extract_public_key()

Drop memstream and i2d_PUBKEY_fp(). We can simply use i2d_PUBKEY()
which automatically allocates the necessary buffer for us.

Note that dropping the secure erase (erase_and_freep()) in favor of
OPENSSL_free() is intentional and safe, as the buffer only holds
public key material which does not need to be securely wiped.

38 hours agocrypto-util: use correct cleanup function for OpenSSL buffers
Yu Watanabe [Tue, 30 Jun 2026 15:00:11 +0000 (00:00 +0900)] 
crypto-util: use correct cleanup function for OpenSSL buffers

Buffers allocated by OpenSSL must be freed with OPENSSL_free().
Fortunately, we do not enable the secure heap, so OPENSSL_free()
is currently equivalent to free(), but let's fix this for correctness.

38 hours agocrypto-util: simplify pubkey_fingerprint()
Yu Watanabe [Tue, 30 Jun 2026 14:56:43 +0000 (23:56 +0900)] 
crypto-util: simplify pubkey_fingerprint()

There is no need to call i2d_PublicKey() twice. Passing a pointer
to NULL allows OpenSSL to automatically allocate the necessary buffer.

38 hours agocrypto-util: drop unused deprecated symbols
Yu Watanabe [Tue, 30 Jun 2026 12:14:47 +0000 (21:14 +0900)] 
crypto-util: drop unused deprecated symbols

38 hours agoresolved: migrate ECDSA verification to OpenSSL 3 EVP API
Yu Watanabe [Tue, 30 Jun 2026 12:05:50 +0000 (21:05 +0900)] 
resolved: migrate ECDSA verification to OpenSSL 3 EVP API

OpenSSL 3.0 deprecated low-level Elliptic Curve (EC) key manipulation
functions (EC_KEY, EC_POINT, EC_GROUP) and direct signature verification
functions like ECDSA_do_verify().

This commit modernizes dnssec_ecdsa_verify_raw() by transitioning to the
provider-aware EVP API:
* Uses OSSL_PARAM arrays and EVP_PKEY_fromdata() to construct the EC
  public key directly from the raw octet string and curve name, avoiding
  deprecated EC_POINT parsing.
* Converts the raw R and S signature components into a DER-encoded ASN.1
  signature using i2d_ECDSA_SIG(), as required by the modern EVP API.
* Uses EVP_PKEY_verify() for the actual signature validation.

Additionally, this drops an outdated TODO comment waiting for raw ECDSA
support in the EVP API, as well as the deprecated warning suppression
macros and fallback code blocks. Unit tests for ECDSA are now run
unconditionally.

38 hours agoresolve: make dnssec_ecdsa_verify_raw() take struct iovec
Yu Watanabe [Tue, 30 Jun 2026 11:16:00 +0000 (20:16 +0900)] 
resolve: make dnssec_ecdsa_verify_raw() take struct iovec

This also
- adds missing assertions,
- moves variable declarations,
- rename variables.

No functional change, just refactoring.

38 hours agoresolve: add unit test for dnssec_ecdsa_verify_raw()
Yu Watanabe [Tue, 30 Jun 2026 11:15:31 +0000 (20:15 +0900)] 
resolve: add unit test for dnssec_ecdsa_verify_raw()

38 hours agoresolved: migrate RSA key construction to OpenSSL 3 EVP API
Yu Watanabe [Tue, 30 Jun 2026 08:00:27 +0000 (17:00 +0900)] 
resolved: migrate RSA key construction to OpenSSL 3 EVP API

OpenSSL 3.0 deprecated low-level key manipulation functions and direct
access to RSA structures (such as RSA_new(), RSA_set0_key(), and
RSA_size()).

This commit modernizes dnssec_rsa_verify_raw() by replacing these
deprecated functions with the provider-aware EVP API:
* Uses OSSL_PARAM_BLD and EVP_PKEY_fromdata() to construct the RSA
  public key directly from the modulus and exponent BIGNUMs.
* Replaces RSA_size() with EVP_PKEY_get_size().

Consequently, the workaround macros suppressing deprecated warnings
(DISABLE_WARNING_DEPRECATED_DECLARATIONS) and the conditional fallback
blocks (#if !defined(OPENSSL_NO_DEPRECATED_3_0)) are no longer needed
and have been dropped. Unit tests are also updated to run unconditionally.

38 hours agoresolve: make dnssec_rsa_verify_raw() take struct iovec
Yu Watanabe [Tue, 30 Jun 2026 07:21:34 +0000 (16:21 +0900)] 
resolve: make dnssec_rsa_verify_raw() take struct iovec

This also
- adds missing assertions,
- moves variable declarations.

No functional change, just refactoring.

38 hours agoresolve: add unit test for dnssec_rsa_verify_raw()
Yu Watanabe [Mon, 29 Jun 2026 19:34:56 +0000 (04:34 +0900)] 
resolve: add unit test for dnssec_rsa_verify_raw()

38 hours agocrypto-util: load several more symbols
Yu Watanabe [Tue, 30 Jun 2026 07:09:37 +0000 (16:09 +0900)] 
crypto-util: load several more symbols

They will be used in later commits.

Note, ECDSA_SIG_new() and ECDSA_SIG_set0() are not deprecated.
They are moved to the section for non-deprecated symbols.

38 hours agoresolve: fix segfault when built with OPENSSL_NO_DEPRECATED_3_0
Yu Watanabe [Tue, 30 Jun 2026 07:06:28 +0000 (16:06 +0900)] 
resolve: fix segfault when built with OPENSSL_NO_DEPRECATED_3_0

In that case, deprecated funcdions are not loaded from libcrypto.so,
and calling them causes segfault.

40 hours agocoredumpctl: use break instead of continue for time bound checks
dongshengyuan [Tue, 30 Jun 2026 10:10:49 +0000 (18:10 +0800)] 
coredumpctl: use break instead of continue for time bound checks

When iterating journal entries with --until (forward scan) or --since
(reverse scan), the code used continue instead of break after crossing
the time boundary.

Since sd_journal_seek_realtime_usec() is called before the loop to
position at the start of the range, sd_journal_next()/previous()
returns entries in monotonically increasing/decreasing time order.
Once an entry's timestamp exceeds arg_until (or falls below arg_since
in reverse), all subsequent entries will also be out of range.

Using continue caused the entire remaining journal to be scanned
unnecessarily. journalctl uses break for the identical pattern in
src/journal/journalctl-show.c.

Fixes: #42808
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
40 hours agoudev: Tag debug appliance nodes as xaccess-debug-appliance
Tim Schumacher [Sun, 28 Jun 2026 08:11:08 +0000 (10:11 +0200)] 
udev: Tag debug appliance nodes as xaccess-debug-appliance

This is especially helpful for people who are running headless (i.e.
SSH-only) Android platform development setups with testing devices
attached.

40 hours agoman: add thread-awareness note to sd_bus/sd_event manpages
Luca Boccassi [Tue, 30 Jun 2026 19:34:38 +0000 (20:34 +0100)] 
man: add thread-awareness note to sd_bus/sd_event manpages

This question comes up every now and then, and it is not clearly documented,
so include the thread-aware tag in all bus/event manpages.

40 hours agoman: note that sd-tmpfiles/sysusers --root is not a sandboxing feature
Luca Boccassi [Thu, 2 Jul 2026 08:10:27 +0000 (09:10 +0100)] 
man: note that sd-tmpfiles/sysusers --root is not a sandboxing feature

This seems to be causing enough confusion that it is worth explicitly
mentioning in the docs

41 hours agovmspawn/nspawn: Always use a per-machine runtime subdirectory
Kai Lüke [Mon, 15 Jun 2026 13:11:41 +0000 (15:11 +0200)] 
vmspawn/nspawn: Always use a per-machine runtime subdirectory

Some state files were prefixed with the machine name which protected
against collisions when running concurrent machines in a systemd unit
with RuntimeDirectory= set. However, the socket files tpm.sock and
control were not, which caused a race. Prefixing these socket files
does not work because the path gets too long when both the subdirectory
and the socket file within it get unique identifiers.

Instead of prefixing all files, we can rather always create a
subdirectory and use simple names within in. This makes paths shorter
in the normal case and protects against races with RuntimeDirectory=
were instead of directly reusing RUNTIME_DIRECTORY we also create the
normal per-machine subdirectory. Since this here is about runtime state
it should not impact any running VMs/containers. The ssh-proxy looks
only at the normal case and does not support RUNTIME_DIRECTORY, so no
impact there as well.

42 hours agomeson: fix fs.exists() check for fuzz corpus samples
Daan De Meyer [Thu, 2 Jul 2026 10:30:31 +0000 (10:30 +0000)] 
meson: fix fs.exists() check for fuzz corpus samples

Commit 8355eb6e11 ("meson: Check if files returned by git ls-files
actually exist") checks the paths printed by git ls-files, which are
relative to the project root, with fs.exists(), which resolves them
relative to the test/fuzz subdirectory. As a result, every corpus
sample was silently skipped, and only the generated directives tests
were registered. Resolve the paths against the project source root
instead.

42 hours agocompress: handle ZSTD_CONTENTSIZE_UNKNOWN when decompressing blobs
Daan De Meyer [Mon, 29 Jun 2026 12:08:27 +0000 (12:08 +0000)] 
compress: handle ZSTD_CONTENTSIZE_UNKNOWN when decompressing blobs

The zstd blob decompression code assumed ZSTD_getFrameContentSize() always
returns the decompressed size, which holds for the journal and coredump blobs
systemd compresses itself with the one-shot ZSTD_compress(). Frames produced by
the streaming API, however, don't record the decompressed size in their header,
so ZSTD_getFrameContentSize() returns ZSTD_CONTENTSIZE_UNKNOWN. Per the zstd
documentation this is not an error, but decompress_blob_zstd() and
decompress_startswith_zstd() bailed out with -EBADMSG regardless.

This broke kexec of kernel images compressed with 'zstd' (e.g. zstd -22), whose
ZBOOT payload is decompressed via decompress_blob().

Treat only ZSTD_CONTENTSIZE_ERROR as fatal and, when the size is unknown, grow
the output buffer as we stream the frame out instead of relying on the recorded
size. Add a regression test that feeds a streaming-compressed (hence
unknown-size) zstd frame through decompress_blob() and decompress_startswith().

42 hours agodocs: Update memory pressure docs for latest GLib support for it
Philip Withnall [Thu, 2 Jul 2026 13:06:50 +0000 (14:06 +0100)] 
docs: Update memory pressure docs for latest GLib support for it

As of GLib 2.90.0 (not yet released), GLib will fully support the spec,
including the `MEMORY_PRESSURE_WATCH` and `MEMORY_PRESSURE_WRITE`
environment variables, which it did not support previously.

See https://gitlab.gnome.org/GNOME/glib/-/merge_requests/5046

44 hours agotest: suppress fails on the Africa/Tripoli (Libya) timezone
Frantisek Sumsal [Thu, 2 Jul 2026 08:30:53 +0000 (10:30 +0200)] 
test: suppress fails on the Africa/Tripoli (Libya) timezone

As it switched between CET and EET multiple times in the past, causing
random fails with certain historical timestamps:

834/1524 test - systemd:test-time-util     FAIL    0.96s   killed by signal 6 SIGABRT
 ...
TZ=Africa/Tripoli, tzname[0]=EET, tzname[1]=CEST
@378687574661411 → Thu 1981-12-31 23:59:34 CET → @378683974000000 → Thu 1981-12-31 23:59:34 EET
src/test/test-time-util.c:450: Assertion failed: Expected "ignore" to be true
/builddir/build/BUILD/systemd-261.1-build/systemd-261.1/tools/test-crash-trace.sh: line 18: 87088 Aborted                    (core dumped) "$@"

45 hours agoukify: show all sections and profiles in inspect JSON output
Paul Meyer [Sun, 7 Jun 2026 17:07:41 +0000 (19:07 +0200)] 
ukify: show all sections and profiles in inspect JSON output

The JSON output keyed every section by name, so a UKI with repeated
sections only showed the last one: in a multi-profile UKI all but one
.profile/.cmdline/.pcrsig were dropped, as were extra .dtbauto/.efifw.

Report the shared base sections by name at the top level (so .cmdline
etc. stay where they were), each profile as its own by-name object under
a new "_profiles" array, and the alternative-set sections (.dtbauto,
.efifw) as arrays.

Co-developed-by: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Paul Meyer <katexochen0@gmail.com>
46 hours agoboot: measure SMBIOS via non-TPM runtime measurements
Paul Meyer [Thu, 2 Jul 2026 07:28:35 +0000 (09:28 +0200)] 
boot: measure SMBIOS via non-TPM runtime measurements

In commit 29c6d1c12549 ("boot: measure select SMBIOS objects
explicitly") we added an explicit SMBIOS measurement in systemd-boot
and systemd-stub, covering cases where firmware doesn't measure SMBIOS
itself. measure_smbios() bailed unless a TPM was present, so it skipped
the measurement on confidential guests that only expose a CC
measurement protocol (e.g. Intel TDX RTMRs).

We can have much higher expectations of the virtual firmware used for
confidential computing, and the firmware is attested, so we can expect
it to always measure SMBIOS in this case. We still do our own
measurement to get a measurement structure similar to that of
non-confidential guests, and as another line of defense.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
46 hours agoshell-completion: add tdx to systemd-vmspawn --coco values
Paul Meyer [Thu, 2 Jul 2026 09:19:29 +0000 (11:19 +0200)] 
shell-completion: add tdx to systemd-vmspawn --coco values

Missed in a78afc16168 ("vmspawn: add Intel TDX confidential VM
support")

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
47 hours agoterminal-util: tweaks for show_menu() (#42822)
Luca Boccassi [Thu, 2 Jul 2026 09:02:53 +0000 (10:02 +0100)] 
terminal-util: tweaks for show_menu() (#42822)

47 hours agofirstboot: add new systemd.firstboot=headless mode
Michael Vogt [Tue, 30 Jun 2026 16:08:47 +0000 (18:08 +0200)] 
firstboot: add new systemd.firstboot=headless mode

This adds a new systemd.firstboot=headless mode. It differs from the
existing systemd.firstboot=no mode in that it still performs the
non-interactive auto-configuration that requires no user input (such
as selecting the only installed locale, or applying settings provided
via credentials), and only skips the prompts that would otherwise
block waiting for user input. In contrast, =no disables that
auto-configuration along with the prompts.

The option is also honoured by homectls firstboot logic and
systemd-cryptenroll, where headless behaves the same as no
(because the is no auto-configuration).

2 days agotest: add test case for show_menu() 42822/head
Lennart Poettering [Tue, 30 Jun 2026 16:56:49 +0000 (18:56 +0200)] 
test: add test case for show_menu()

2 days agoterminal-util: drop assert() on 'x'
Lennart Poettering [Thu, 25 Jun 2026 09:11:07 +0000 (11:11 +0200)] 
terminal-util: drop assert() on 'x'

We happily take a NULL strv as argument, equivalent to an empty one,
like most of our strv handling funcs.

2 days agoterminal-util: make sure we never go below 10 characters line width
Lennart Poettering [Thu, 25 Jun 2026 09:10:54 +0000 (11:10 +0200)] 
terminal-util: make sure we never go below 10 characters line width

2 days agoterminal-util: use LESS_BY() where appropriate
Lennart Poettering [Thu, 25 Jun 2026 09:07:15 +0000 (11:07 +0200)] 
terminal-util: use LESS_BY() where appropriate

2 days agoterminal-util: calculate array index only once
Lennart Poettering [Thu, 25 Jun 2026 09:06:22 +0000 (11:06 +0200)] 
terminal-util: calculate array index only once

2 days agocore: assorted hardening fixes flagged by kres (#42840)
Luca Boccassi [Wed, 1 Jul 2026 23:57:06 +0000 (00:57 +0100)] 
core: assorted hardening fixes flagged by kres (#42840)

2 days agobpf-restrict-fs: use a 32-bit magic key on big-endian too 42840/head
Luca Boccassi [Wed, 1 Jul 2026 16:03:06 +0000 (17:03 +0100)] 
bpf-restrict-fs: use a 32-bit magic key on big-endian too

The inner map is created with a uint32_t key, but the update passed
&magic[i] where magic is a (possibly 64-bit) statfs_f_type_t. On
little-endian the low 32 bits happen to be read; on big-endian 64-bit
(s390x, ppc64 BE) the zero high word is read instead, so every
filesystem collides on key 0 (the allow/deny selector) and
RestrictFileSystems= is silently broken. Pass a truncated copy.

Follow-up for 184b4f78cfbded54a6e06bbe1152256c204a7a73

2 days agocore/scope: don't assert when start is retried during cgroup chown
Luca Boccassi [Wed, 1 Jul 2026 16:01:27 +0000 (17:01 +0100)] 
core/scope: don't assert when start is retried during cgroup chown

While a delegated scope waits for the async cgroup chown helper it sits
in SCOPE_START_CHOWN (UNIT_ACTIVATING). unit_start() forwards to
->start() while activating, so scope_start() could be re-entered in
that state and trip assert(s->state == SCOPE_DEAD), aborting PID 1.
Treat SCOPE_START_CHOWN as already-starting instead.

Follow-up for 03860190fefce8bbea3a6f0e77919b882ade517c

2 days agocore: donate the fdset to do_reexecute() to avoid a double free
Luca Boccassi [Wed, 1 Jul 2026 15:59:43 +0000 (16:59 +0100)] 
core: donate the fdset to do_reexecute() to avoid a double free

do_reexecute() freed the FDSet on the switch-root/soft-reboot fallback
but the caller's copy stayed live, so main() freed it again if every
fallback exec then failed. Donate the fdset instead: pass it with
TAKE_PTR() and take ownership via a _cleanup_ local, freeing it exactly
once on every exit path.

Follow-up for 3c7878f94b02f65676889fa58a937ff4d4de4a4d

2 days agorun: refuse --no-block when combined with --scope
Shihao Ren [Tue, 30 Jun 2026 12:30:50 +0000 (20:30 +0800)] 
run: refuse --no-block when combined with --scope

In the systemd-run --scope mode, --no-block has no actual effect and will
be silently ignored. Therefore, this combination is explicitly rejected to
reduce confusion for users when using it.

Fixes: #42806
2 days agocrypto-util, ssl-util: set log level to debug in dlopen_many_sym_or_warn() (#42811)
Lennart Poettering [Wed, 1 Jul 2026 20:15:51 +0000 (22:15 +0200)] 
crypto-util, ssl-util: set log level to debug in dlopen_many_sym_or_warn() (#42811)

Otherwise in systems with OpenSSL 3 the journal contains multiple error
entries because the preferred library libcrypto.so.4 is not present.

Follow-up for ccdd42351f79cbb9c2e034a96280a1ded40a2f95

2 days agovmspawn: add Intel TDX confidential VM support (#42835)
Lennart Poettering [Wed, 1 Jul 2026 20:14:09 +0000 (22:14 +0200)] 
vmspawn: add Intel TDX confidential VM support  (#42835)

2 days agomkfs-util: fixes for mtools invocation (#42839)
Lennart Poettering [Wed, 1 Jul 2026 20:10:49 +0000 (22:10 +0200)] 
mkfs-util: fixes for mtools invocation (#42839)

2 days agotree-wide: trivial sysconf() invocations tweaks (#42837)
Luca Boccassi [Wed, 1 Jul 2026 18:42:52 +0000 (19:42 +0100)] 
tree-wide: trivial sysconf() invocations tweaks (#42837)

2 days agoshared/install: give the borrowed name back before bailing on error
Luca Boccassi [Wed, 1 Jul 2026 15:55:28 +0000 (16:55 +0100)] 
shared/install: give the borrowed name back before bailing on error

In the unmask path, when install_changes_add() fails the borrowed
*name was not handed back via TAKE_PTR() before returning, so
install_info_clear() freed the caller's strv entry, leaving a dangling
pointer that is double-freed at the caller's strv_free().

Follow-up for f31f10a6207efc9ae9e0b1f73975b5b610914017

2 days agoquotacheck: don't apply an invalid quotacheck.mode= value
Luca Boccassi [Wed, 1 Jul 2026 15:52:59 +0000 (16:52 +0100)] 
quotacheck: don't apply an invalid quotacheck.mode= value

quota_check_mode_from_string() returns -EINVAL on a bad value, storing
it in the global arg_mode. Only change arg_mode on success.

Follow-up for d73691c64e05650d838aaeb7da94fd8bdfb60907
Follow-up for dba4fe9a60e8876addcd6a597c9e1d5f529309ca

2 days agocore: avoid using uninitialized buffer on bad systemd.random_seed=
Luca Boccassi [Wed, 1 Jul 2026 15:45:34 +0000 (16:45 +0100)] 
core: avoid using uninitialized buffer on bad systemd.random_seed=

unbase64mem() leaves p/sz uninitialized on failure, and the
deserialization doesn't bail out in that case, unlike other cases.

Follow-up for d247f232a8fd68f91769274f196566a6e9e75d15

2 days agotpm2-setup: Create and persist an endorsement key
Chris Coulson [Tue, 2 Jun 2026 13:48:55 +0000 (14:48 +0100)] 
tpm2-setup: Create and persist an endorsement key

This updates systemd-tpm2-setup to create and persist an endorsement
key if there isn't one already. For each supported EK template profile,
it will read the EK certificate from its NV index if there is one.
When there is an EK certificate present, a primary key is created using
the corresponding template. If the resulting EKpub matches the public
key in the certificate, the created EK is persisted and the process is
complete.

The low-range templates and the high-range RSA 2048/3072 and ECC NIST
P256/P384 storage templates are supported, as detailed in section
5.3 of the "TCG EK Credential Profile For TPM Family 2.0" spec v2.7.
High-range templates are preferred because these permit EK usage without
requiring knowledge of the authorization value for the endorsement
hierarchy, meaning that, like with the SRK, it is possible to restrict
the usage of the endorsement hierarchy whilst still permitting use of
the persistent EK.

The EK is always persisted at handle 0x81010001. This handle is
reserved in Table 2 of the "TCG TPM v2.0 Provisioning Guidance" spec
v1.0r1.0, although this is only a recommendation. This
handle is within the block of handles reserved for endorsement
primary keys in the "Registry of Reserved TPM 2.0 Handles and
Localities" spec v1.2r1.00. Section 2.3.2 of this specification also
makes a suggestion that there should be a relationship between the EK
certificate NV index and a corresponding persistent EK handle by
using handles at the same offsets within their respective ranges.
However, this contradicts the provisioning guidance spec which reserves
0x81010001 when there isn't a certificate at 0x01c00001. For simplicity,
I've chosen to use a single handle for the EK regardless of which profile
it is created with.

The "TCG EK Credential Profile For TPM Family 2.0" spec also provides a
way for endorsement keys to be certified with non-standard templates by
storing the template in a NV index. This is also supported.

The EK creation is not executed with tpm2-setup --early, as there's no
need for it to be created so early, unlike with the SRK. I also haven't
stored EKpub in /var/lib/systemd like with the SRKpub, as I'm not sure
there will be a use case for this yet.

A follow-up PR may be needed to add some internal helpers to make use
of the persisted EK, as use of low-range EKs requires a policy session.
High-range EKs can be used with a HMAC session because they have the
userWithAuth attribute set and we are creating them with an empty
authorization value.

https://trustedcomputinggroup.org/resource/http-trustedcomputinggroup-org-wp-content-uploads-tcg-ek-credential-profile/
https://trustedcomputinggroup.org/resource/tcg-tpm-v2-0-provisioning-guidance/
https://trustedcomputinggroup.org/resource/registry/

2 days agocore: add absolute-path properties to varlink StartTransient
Michael Vogt [Thu, 21 May 2026 14:57:15 +0000 (16:57 +0200)] 
core: add absolute-path properties to varlink StartTransient

Similar to PR#42360 this commit adds missing properties for
absolute path handling in io.systemd.Unit.StartTransient for
the `Exec` context and a macro helper to share the common code.

The properties added are:
IPCNamespacePath, NetworkNamespacePath, RootDirectory, RootHashPath,
RootHashSignaturePath, RootImage, RootVerity, UserNamespacePath,
RootMStack.

Note that RootHashPath, RootHashSignaturePath need custom apply
functions because the varlink name "RootHashPath" differs from the
name that needs to be written into the unit file ("RootHash=")
and the iovec must be cleared.

2 days agotree-wide: fix return type of sysconf() 42837/head
Lennart Poettering [Wed, 1 Jul 2026 09:06:22 +0000 (11:06 +0200)] 
tree-wide: fix return type of sysconf()

2 days agotime-util: use sysconf_clock_ticks_cached() at all places we query _SC_CLK_TCK
Lennart Poettering [Wed, 1 Jul 2026 09:05:27 +0000 (11:05 +0200)] 
time-util: use sysconf_clock_ticks_cached() at all places we query _SC_CLK_TCK

2 days agomemory-util: don't use 'r' for non-int returns
Lennart Poettering [Wed, 1 Jul 2026 09:04:11 +0000 (11:04 +0200)] 
memory-util: don't use 'r' for non-int returns

2 days agoenv-util: use our own sc_arg_max() helper at more places
Lennart Poettering [Wed, 1 Jul 2026 09:03:19 +0000 (11:03 +0200)] 
env-util: use our own sc_arg_max() helper at more places

2 days agomkfs-util: deal with mmd name clashes gracefully 42839/head
Lennart Poettering [Wed, 1 Jul 2026 14:04:43 +0000 (16:04 +0200)] 
mkfs-util: deal with mmd name clashes gracefully

In various cases we'll touch the same directories multiple times with
mtools: for example the /loader/ dir itself. Unfortunately mtools' mmd
does not implement a graceful "-p" switch like mkdir, but will do some
interactive name clash thing instead. We can turn this off via "-Ds
-DS", so let's do that. But that's not enough since the tool will still
fail with a non-explanatory exit status of 1. This hence ignores that
failure and proceeds anyway, under the assumption that failures to
create a directory will sooner or later be detected anyway once the
directory is to be populated and turns out not be existing because the
creation failed.

This makes some integration test/mkosi invocations work
non-interactively again.

Follow-up for f191ca982ce9eac85207807a65489909308f7d8f

2 days agomkfs-util: let's debug log about all fork off cmdlines
Lennart Poettering [Wed, 1 Jul 2026 14:04:18 +0000 (16:04 +0200)] 
mkfs-util: let's debug log about all fork off cmdlines

2 days agocore: trust SMBIOS credentials under Intel TDX 42835/head
Paul Meyer [Tue, 30 Jun 2026 11:30:08 +0000 (13:30 +0200)] 
core: trust SMBIOS credentials under Intel TDX

SMBIOS OEM strings are host-controlled and normally distrusted by PID1
in confidential VMs. Under TDX, however, the SMBIOS table (including
Type 11) is measured into RTMR0 by the firmware (TDVF), so a remote
verifier can detect host tampering with credentials delivered this
way. Accept them there, while keeping fw_cfg distrusted as those
items are not measured even on TDX.

This lets systemd-vmspawn deliver credentials to TDX guests via the
normal SMBIOS path, unlike SNP which requires the initrd cpio channel.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2 days agopcrlock: add vl methods for fw and sb
Luca Boccassi [Tue, 30 Jun 2026 23:47:22 +0000 (00:47 +0100)] 
pcrlock: add vl methods for fw and sb

Add varlink method wrappers for locking/unlocking firmware code and config,
and secure boot policy and authority.

2 days agoAdd more shutdown timestamps and preserve via LUO (#42671)
Luca Boccassi [Wed, 1 Jul 2026 13:12:21 +0000 (14:12 +0100)] 
Add more shutdown timestamps and preserve via LUO (#42671)

Add more shutdown timestamps, export them via D-Bus/Varlink, use them in
`systemd-analyze time`, and preserve them across kexec via LUO. This is
useful to measure reboot performance with added measurement points and
more granular intervals.

2 days agotsm-report: error on empty report
Paul Meyer [Mon, 29 Jun 2026 10:59:45 +0000 (12:59 +0200)] 
tsm-report: error on empty report

Previously we would return a valid signature containing the empty
outblob, which is undesirable. In other cases where we cannot query a
report because the guest doesn't support it we currently return an
empty response so the signature aggregator in systemd-report silently
skips it. In this case, we have everything we need to actually get a
report on the guest side, but the host isn't providing us with the
quote, so we fail.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2 days agovmspawn: allow TDX guest to connect to host QGS
Paul Meyer [Mon, 29 Jun 2026 10:21:02 +0000 (12:21 +0200)] 
vmspawn: allow TDX guest to connect to host QGS

To query a TD quote, the TDX guest must connect to the Quote Generation
Service (QGS), a SGX enclave running on the host. We check if the
service is exposed via a well-known unix socket, then pass that socket
or a fallback well-known vsock address to QEMU.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2 days agovmspawn: add Intel TDX confidential VM support
Paul Meyer [Fri, 26 Jun 2026 09:57:29 +0000 (11:57 +0200)] 
vmspawn: add Intel TDX confidential VM support

Wire up --coco=tdx alongside the existing SEV-SNP path. TDX requires KVM
on x86_64, a raw TDVF firmware loaded via -bios (no pflash/NVRAM split),
kernel-irqchip=split, and the "host" CPU model since QEMU rejects named
models. Sets up the tdx-guest object and confidential-guest-support=tdx0.

TDX measurement is different from QEMU's kernel-hashes injection: TDX
provides runtime measurements via RTMRs, so the initial measurement only
covers the firmware, which then measures the rest of the boot chain into
those RTMRs (done by OVMF today). Therefore a restriction to direct
kernel boot isn't required either.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
2 days agobuild(deps): bump the actions group with 6 updates
dependabot[bot] [Wed, 1 Jul 2026 09:35:55 +0000 (09:35 +0000)] 
build(deps): bump the actions group with 6 updates

Bumps the actions group with 6 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `7.0.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` |
| [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `4.36.0` | `4.36.2` |
| [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.1.2` | `6.2.0` |
| [super-linter/super-linter/slim](https://github.com/super-linter/super-linter) | `8.6.0` | `8.7.0` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `3.0.0` | `3.0.1` |

Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/de0fac2e4500dabe0009e67214ff5f5447ce83dd...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](https://github.com/actions/setup-python/compare/a309ff8b426b58ec0e2a45f0f869d46889d02405...ece7cb06caefa5fff74198d8649806c4678c61a1)

Updates `github/codeql-action/upload-sarif` from 4.36.0 to 4.36.2
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/7211b7c8077ea37d8641b6271f6a365a22a5fbfa...8aad20d150bbac5944a9f9d289da16a4b0d87c1e)

Updates `aws-actions/configure-aws-credentials` from 6.1.2 to 6.2.0
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/acca2b1b2070338fb9fd1ca27ecee81d687e58e5...e7f100cf4c008499ea8adda475de1042d6975c7b)

Updates `super-linter/super-linter/slim` from 8.6.0 to 8.7.0
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/super-linter/super-linter/compare/9e863354e3ff62e0727d37183162c4a88873df41...4ce20838b8ab83717e78138c5b3a1407148e0918)

Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](https://github.com/softprops/action-gh-release/compare/b4309332981a82ec1c5618f44dd2e27cc8bfbfda...718ea10b132b3b2eba29c1007bb80653f286566b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: github/codeql-action/upload-sarif
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: super-linter/super-linter/slim
  dependency-version: 8.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: softprops/action-gh-release
  dependency-version: 3.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
2 days agocore: deserialize soft-reboot shutdown timestamps into previous-* fields 42671/head
Luca Boccassi [Fri, 26 Jun 2026 12:57:27 +0000 (13:57 +0100)] 
core: deserialize soft-reboot shutdown timestamps into previous-* fields

Until now the SHUTDOWN_START/FINISH timestamps were carried across a
soft-reboot in the same fields, so afterwards they described the
previous boot rather than the current one, mixing current- and
previous-boot data in the same set. Mirror what is now done on kexec
and move them into the PREVIOUS_SHUTDOWN_* fields on deserialization.

Also reset local timestamps for events that rerun (eg: generators,
units loading, etc) on soft-reboot and switch-root.

2 days agoAssorted hardening issues flagged by kres (#42802)
Luca Boccassi [Wed, 1 Jul 2026 09:39:04 +0000 (10:39 +0100)] 
Assorted hardening issues flagged by kres (#42802)

3 days agoman: update description for sd_device_enumerator_add_match_subsystem
Davis-Rippon [Wed, 1 Jul 2026 04:55:39 +0000 (14:55 +1000)] 
man: update description for sd_device_enumerator_add_match_subsystem

Signed-off-by: Davis-Rippon <drip0002@student.monash.edu>
3 days agotest: reduce number of disks in TEST-64-UDEV-STORAGE-simultaneous_events on Debian...
Nick Rosbrook [Fri, 26 Jun 2026 14:00:21 +0000 (10:00 -0400)] 
test: reduce number of disks in TEST-64-UDEV-STORAGE-simultaneous_events on Debian/Ubuntu

This test never finishes in Ubuntu autopkgtest with the current values,
and is currently skipped all together on Debian. When running on either,
reduce the number of disks to make the test more reliable.

3 days agoFix: exec invoke errno and resolvectl leak (#42812)
Luca Boccassi [Tue, 30 Jun 2026 13:03:08 +0000 (14:03 +0100)] 
Fix: exec invoke errno and resolvectl leak (#42812)

3 days agosd-journal: rate-limit tail timestamp refresh during iteration
dongshengyuan [Wed, 24 Jun 2026 05:01:32 +0000 (13:01 +0800)] 
sd-journal: rate-limit tail timestamp refresh during iteration

journal_file_read_tail_timestamp() is called unconditionally in
next_beyond_location() for every file on every iteration step,
resulting in O(N x files) volatile mmap reads. For large queries
like 'journalctl -n 1000000' this makes the command unusably slow
(~5 minutes on systems with many journal files).

Rather than suppressing the call entirely (which would make the
inotify path fully load-bearing for cross-boot ordering), rate-limit
it to at most once per second per file. This reduces the overhead
from O(N x files) to O(T x files) where T is the iteration time in
seconds, while still providing periodic refresh as a fallback for
any missed inotify events and keeping cross-boot ordering
reasonably fresh.

Embed a RateLimit struct in JournalFile for this purpose.

Measured improvement on a real system: 5:24 -> 2:39 (-51%) for
'journalctl -n 1000000'.

Fixes: #42521
Regression introduced in: #26355 (34af74946e)

Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
3 days agoman: fix wrong KillUserProcesses= default in systemd-run(1)
Shihao Ren [Tue, 30 Jun 2026 06:18:14 +0000 (14:18 +0800)] 
man: fix wrong KillUserProcesses= default in systemd-run(1)

systemd-run(1) hard-coded "the default" wording for KillUserProcesses=, but the
actual compile-time default is determined by the -Ddefault-kill-user-processes=
meson build option, which distributions set differently at packaging time.

Consistent with logind.conf(5).

Fixes: #42805
Signed-off-by: Shihao Ren <renshihao.rsh@gmail.com>
3 days agoptyfwd: avoid touching forwarder after exit drain 42802/head
Luca Boccassi [Mon, 29 Jun 2026 17:07:01 +0000 (18:07 +0100)] 
ptyfwd: avoid touching forwarder after exit drain

on_exit_event() can synchronously drain buffered data through
shovel_force(). If that completes the drain, pty_forward_done() runs
the hangup handler and may free the forwarder, so do not call
pty_forward_done() again afterwards.

[   25.052879] TEST-74-AUX-UTILS.sh[909]: ==909==ERROR: AddressSanitizer: heap-use-after-free on address 0x7ccc8a5e0b41 at pc 0x7efc8cde106e bp 0x7ffd668629b0 sp 0x7ffd668629a8
[   25.053136] TEST-74-AUX-UTILS.sh[909]: READ of size 1 at 0x7ccc8a5e0b41 thread T0
[   25.092784] TEST-74-AUX-UTILS.sh[909]:     #0 0x7efc8cde106d in pty_forward_done ../src/src/shared/ptyfwd.c:187
[   25.093920] TEST-74-AUX-UTILS.sh[909]:     #1 0x7efc8cdedba1 in on_exit_event ../src/src/shared/ptyfwd.c:904
[   25.094148] TEST-74-AUX-UTILS.sh[909]:     #2 0x7efc8d375eff in source_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4301
[   25.095074] TEST-74-AUX-UTILS.sh[909]:     #3 0x7efc8d378032 in dispatch_exit ../src/src/libsystemd/sd-event/sd-event.c:4431
[   25.095295] TEST-74-AUX-UTILS.sh[909]:     #4 0x7efc8d37e932 in sd_event_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4896
[   25.095467] TEST-74-AUX-UTILS.sh[909]:     #5 0x7efc8d37fc8c in sd_event_run ../src/src/libsystemd/sd-event/sd-event.c:4971
[   25.095647] TEST-74-AUX-UTILS.sh[909]:     #6 0x7efc8d3800ad in sd_event_loop ../src/src/libsystemd/sd-event/sd-event.c:4992
[   25.097174] TEST-74-AUX-UTILS.sh[909]:     #7 0x56049b541aba in start_transient_service ../src/src/run/run.c:2479
[   25.097403] TEST-74-AUX-UTILS.sh[909]:     #8 0x56049b552a65 in run ../src/src/run/run.c:3288
[   25.097569] TEST-74-AUX-UTILS.sh[909]:     #9 0x56049b552cb0 in main ../src/src/run/run.c:3291
[   25.097780] TEST-74-AUX-UTILS.sh[909]:     #10 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.097952] TEST-74-AUX-UTILS.sh[909]:     #11 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.098139] TEST-74-AUX-UTILS.sh[909]:     #12 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[   25.098316] TEST-74-AUX-UTILS.sh[909]: 0x7ccc8a5e0b41 is located 193 bytes inside of 2384-byte region [0x7ccc8a5e0a80,0x7ccc8a5e13d0)
[   25.099202] TEST-74-AUX-UTILS.sh[909]: freed by thread T0 here:
[   25.099410] TEST-74-AUX-UTILS.sh[909]:     #0 0x7efc8e76420f in free.part.0 (/lib64/libasan.so.8+0x16420f) (BuildId: 173395e60f171589489dde2b7a156d0ae380734b)
[   25.099557] TEST-74-AUX-UTILS.sh[909]:     #1 0x7efc8cdf14d1 in pty_forward_free ../src/src/shared/ptyfwd.c:1122
[   25.099691] TEST-74-AUX-UTILS.sh[909]:     #2 0x56049b535328 in pty_forward_handler ../src/src/run/run.c:1952
[   25.100063] TEST-74-AUX-UTILS.sh[909]:     #3 0x7efc8cde138c in pty_forward_done ../src/src/shared/ptyfwd.c:196
[   25.100197] TEST-74-AUX-UTILS.sh[909]:     #4 0x7efc8cdec757 in shovel ../src/src/shared/ptyfwd.c:813
[   25.101144] TEST-74-AUX-UTILS.sh[909]:     #5 0x7efc8cdecc1f in shovel_force ../src/src/shared/ptyfwd.c:828
[   25.102273] TEST-74-AUX-UTILS.sh[909]:     #6 0x7efc8cdedb82 in on_exit_event ../src/src/shared/ptyfwd.c:899
[   25.103564] TEST-74-AUX-UTILS.sh[909]:     #7 0x7efc8d375eff in source_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4301
[   25.103712] TEST-74-AUX-UTILS.sh[909]:     #8 0x7efc8d378032 in dispatch_exit ../src/src/libsystemd/sd-event/sd-event.c:4431
[   25.104081] TEST-74-AUX-UTILS.sh[909]:     #9 0x7efc8d37e932 in sd_event_dispatch ../src/src/libsystemd/sd-event/sd-event.c:4896
[   25.104954] TEST-74-AUX-UTILS.sh[909]:     #10 0x7efc8d37fc8c in sd_event_run ../src/src/libsystemd/sd-event/sd-event.c:4971
[   25.105160] TEST-74-AUX-UTILS.sh[909]:     #11 0x7efc8d3800ad in sd_event_loop ../src/src/libsystemd/sd-event/sd-event.c:4992
[   25.105310] TEST-74-AUX-UTILS.sh[909]:     #12 0x56049b541aba in start_transient_service ../src/src/run/run.c:2479
[   25.105454] TEST-74-AUX-UTILS.sh[909]:     #13 0x56049b552a65 in run ../src/src/run/run.c:3288
[   25.105572] TEST-74-AUX-UTILS.sh[909]:     #14 0x56049b552cb0 in main ../src/src/run/run.c:3291
[   25.106136] TEST-74-AUX-UTILS.sh[909]:     #15 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.106263] TEST-74-AUX-UTILS.sh[909]:     #16 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.106385] TEST-74-AUX-UTILS.sh[909]:     #17 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[   25.106792] TEST-74-AUX-UTILS.sh[909]: previously allocated by thread T0 here:
[   25.106957] TEST-74-AUX-UTILS.sh[909]:     #0 0x7efc8e76515f in malloc (/lib64/libasan.so.8+0x16515f) (BuildId: 173395e60f171589489dde2b7a156d0ae380734b)
[   25.108013] TEST-74-AUX-UTILS.sh[909]:     #1 0x7efc8cddebed in malloc_multiply ../src/src/basic/alloc-util.h:92
[   25.108188] TEST-74-AUX-UTILS.sh[909]:     #2 0x7efc8cdee47b in pty_forward_new ../src/src/shared/ptyfwd.c:955
[   25.108324] TEST-74-AUX-UTILS.sh[909]:     #3 0x56049b538700 in run_context_setup_ptyfwd ../src/src/run/run.c:2130
[   25.108472] TEST-74-AUX-UTILS.sh[909]:     #4 0x56049b5419f9 in start_transient_service ../src/src/run/run.c:2465
[   25.109152] TEST-74-AUX-UTILS.sh[909]:     #5 0x56049b552a65 in run ../src/src/run/run.c:3288
[   25.109311] TEST-74-AUX-UTILS.sh[909]:     #6 0x56049b552cb0 in main ../src/src/run/run.c:3291
[   25.109450] TEST-74-AUX-UTILS.sh[909]:     #7 0x7efc8b882300 in __libc_start_call_main (/lib64/libc.so.6+0x7d300) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.109847] TEST-74-AUX-UTILS.sh[909]:     #8 0x7efc8b882417 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x7d417) (BuildId: 830c94f480c13d9b01dc65a1035310882136094a)
[   25.110760] TEST-74-AUX-UTILS.sh[909]:     #9 0x56049b51cf54 in _start (/usr/bin/systemd-run+0x19f54) (BuildId: 0daacdb9f20151f3517312ee99e489a9b8f4989c)
[   25.110911] TEST-74-AUX-UTILS.sh[909]: SUMMARY: AddressSanitizer: heap-use-after-free ../src/src/shared/ptyfwd.c:187 in pty_forward_done
[   25.111054] TEST-74-AUX-UTILS.sh[909]: Shadow bytes around the buggy address:
[   25.111213] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[   25.111378] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[   25.111520] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[   25.112210] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[   25.112399] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.112767] TEST-74-AUX-UTILS.sh[909]: =>0x7ccc8a5e0b00: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
[   25.112901] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.113789] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.113906] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.114046] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.114159] TEST-74-AUX-UTILS.sh[909]:   0x7ccc8a5e0d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[   25.114278] TEST-74-AUX-UTILS.sh[909]: Shadow byte legend (one shadow byte represents 8 application bytes):
[   25.114400] TEST-74-AUX-UTILS.sh[909]:   Addressable:           00
[   25.115099] TEST-74-AUX-UTILS.sh[909]:   Partially addressable: 01 02 03 04 05 06 07
[   25.115246] TEST-74-AUX-UTILS.sh[909]:   Heap left redzone:       fa
[   25.115365] TEST-74-AUX-UTILS.sh[909]:   Freed heap region:       fd
[   25.115483] TEST-74-AUX-UTILS.sh[909]:   Stack left redzone:      f1
[   25.115618] TEST-74-AUX-UTILS.sh[909]:   Stack mid redzone:       f2
[   25.115882] TEST-74-AUX-UTILS.sh[909]:   Stack right redzone:     f3
[   25.116735] TEST-74-AUX-UTILS.sh[909]:   Stack after return:      f5
[   25.116857] TEST-74-AUX-UTILS.sh[909]:   Stack use after scope:   f8
[   25.116974] TEST-74-AUX-UTILS.sh[909]:   Global redzone:          f9
[   25.117108] TEST-74-AUX-UTILS.sh[909]:   Global init order:       f6
[   25.117257] TEST-74-AUX-UTILS.sh[909]:   Poisoned by user:        f7
[   25.118128] TEST-74-AUX-UTILS.sh[909]:   Container overflow:      fc
[   25.118288] TEST-74-AUX-UTILS.sh[909]:   Array cookie:            ac
[   25.118433] TEST-74-AUX-UTILS.sh[909]:   Intra object redzone:    bb
[   25.118546] TEST-74-AUX-UTILS.sh[909]:   ASan internal:           fe
[   25.118684] TEST-74-AUX-UTILS.sh[909]:   Left alloca redzone:     ca
[   25.118792] TEST-74-AUX-UTILS.sh[909]:   Right alloca redzone:    cb
[   25.119282] TEST-74-AUX-UTILS.sh[909]: Command: systemd-run --quiet --pty -- bash -c echo PTY_FORWARD_READY; exec sleep 60
[   25.119395] TEST-74-AUX-UTILS.sh[909]: ==909==ABORTING

Follow-up for d3218c4c80c99583d3e7a31ff2f509ffb097568e

3 days agoboot/random-seed: create \loader\ dir if missing when seeding
dongshengyuan [Tue, 30 Jun 2026 01:47:22 +0000 (09:47 +0800)] 
boot/random-seed: create \loader\ dir if missing when seeding

When the random seed file doesn't exist but we have good entropy
(seeded_by_efi=true), we attempt to create it. This requires a handle
to the \loader\ directory, which may not exist on systems using
UKI+EFISTUB without systemd-boot installed.

Obtain the directory handle by first trying a read-only open; if that
returns EFI_NOT_FOUND, create the directory. We deliberately avoid
requesting write access on an already-present directory because some
firmware implementations return EFI_INVALID_PARAMETER for a
WRITE|CREATE open on an existing directory — this would be logged at
LOG_ERR and abort seed creation on systems where \loader\ exists but
random-seed does not (the normal systemd-boot layout).

Once a handle to \loader\ is obtained, open the seed file relative to
that handle rather than using the full path from root.

Introduced-by: c0e7046c17 ("boot: log about RO I/O errors at debug level.")
Fixes: #42801
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
3 days agoupdate TODO
Lennart Poettering [Tue, 23 Jun 2026 10:04:07 +0000 (12:04 +0200)] 
update TODO

3 days agoenv-util: ensure NUL termination of the replace_env_argv() output array
Luca Boccassi [Mon, 29 Jun 2026 14:05:51 +0000 (15:05 +0100)] 
env-util: ensure NUL termination of the replace_env_argv() output array

The output array is allocated with new() and left uninitialized, but a
bare unset "$VAR" token expands to nothing and writes no terminator.
When such a token leads or is the only word, the returned strv is left
without a trailing NULL.

Follow-up for f331434d13488425ccd8485327085d15f8f92aea

3 days agofido2: reject zero-length HMAC secret
Luca Boccassi [Mon, 29 Jun 2026 13:01:08 +0000 (14:01 +0100)] 
fido2: reject zero-length HMAC secret

The CTAP2 HMAC-SECRET output should never be zero length, so enforce
that at both retrieval sites.

Follow-up for 1c0c4a43c6118aa4057222789e4b777b61e4bb27

3 days agossl-util: set log level to debug in dlopen_many_sym_or_warn() 42811/head
Antonio Alvarez Feijoo [Tue, 30 Jun 2026 09:29:10 +0000 (11:29 +0200)] 
ssl-util: set log level to debug in dlopen_many_sym_or_warn()

Otherwise in systems with OpenSSL 3 the journal contains multiple error entries
because the preferred library libssl.so.4 is not present.

Follow-up for 6caa50183e44b6ef760be4bdbcc98d684c309c5d

3 days agoresolvectl: fix JSON reply cleanup in varlink_dump_dns_configuration 42812/head
dongshengyuan [Tue, 30 Jun 2026 09:13:10 +0000 (17:13 +0800)] 
resolvectl: fix JSON reply cleanup in varlink_dump_dns_configuration

varlink_call_and_log() does not hand out a new reference for the reply
object, so the caller should not unref it. The _cleanup_(sd_json_variant_unrefp)
on reply was therefore wrong from the start.

The original TAKE_PTR(reply) was working around this incorrect cleanup
by preventing it from firing, but that left reply's refcount one too
high after sd_json_variant_ref(v) incremented the parent's count.

Fix by dropping _cleanup_(sd_json_variant_unrefp) from the reply
variable declaration entirely, as suggested by Lennart Poettering.

Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
3 days agocore: rename LUO 'kexecsCount' state field to 'KExecsCount'
Luca Boccassi [Fri, 26 Jun 2026 12:57:06 +0000 (13:57 +0100)] 
core: rename LUO 'kexecsCount' state field to 'KExecsCount'

Match the casing of the corresponding KExecsCount D-Bus/Varlink property.

Follow-up for f9e6419f3426ce1b9d281e833f924e91b84b1127

3 days agoanalyze: use shutdown timestamps in time verb
Luca Boccassi [Fri, 19 Jun 2026 23:36:53 +0000 (00:36 +0100)] 
analyze: use shutdown timestamps in time verb

 [root@fedora ~]# systemd-analyze
 Startup finished in 486ms (stopping) + 48ms (exit) + 116ms (systemd-shutdown) + 774ms (kernel) + 1.939s (initrd) + 3.878s (userspace) = 7.243s
 graphical.target reached after 3.876s in userspace.

3 days agocore: preserve shutdown timestamps via LUO
Luca Boccassi [Fri, 19 Jun 2026 22:49:44 +0000 (23:49 +0100)] 
core: preserve shutdown timestamps via LUO

3 days agocore: publish shutdown timestamps via varlink
Luca Boccassi [Fri, 19 Jun 2026 22:55:39 +0000 (23:55 +0100)] 
core: publish shutdown timestamps via varlink

3 days agocore: publish shutdown timestamps via D-Bus
Luca Boccassi [Fri, 19 Jun 2026 22:49:23 +0000 (23:49 +0100)] 
core: publish shutdown timestamps via D-Bus

3 days agocore/shutdown: add more shutdown timestamps
Luca Boccassi [Fri, 19 Jun 2026 22:48:21 +0000 (23:48 +0100)] 
core/shutdown: add more shutdown timestamps

We already record when shutdown.target is initiated (ShutdownStart).
This adds a few more measuring points during shutdown: when
shutdown.target completes (i.e., all units stopped), when the shutdown
binary starts executing, and immediately before it hands off to the
kernel.

Obviously these are immediately lost upon reboot. But they will later
be wired in LUO so they get preserved on kexec, and can be inspected,
which is very useful for performance measurements.

3 days agoexec-invoke: fix wrong errno in log_error_errno for setenv failure
dongshengyuan [Tue, 30 Jun 2026 09:11:32 +0000 (17:11 +0800)] 
exec-invoke: fix wrong errno in log_error_errno for setenv failure

When setenv("CREDENTIALS_DIRECTORY") fails, log_error_errno() was
called with the stale return value of exec_context_get_credential_directory()
(which is >= 0 on success) instead of errno.

The %m in the format string correctly expands from libc's errno, so
the human-readable log message was unaffected. However, the structured
journal field ERRNO= received an incorrect value (0 or positive),
making automated log analysis and alerting on this failure unreliable.

Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
3 days agojson-util: add json_dispatch_dual_timestamp()
Luca Boccassi [Fri, 26 Jun 2026 16:38:25 +0000 (17:38 +0100)] 
json-util: add json_dispatch_dual_timestamp()

3 days agorun: do not munge user.slice with --slice-inherit
Ronan Pigott [Mon, 29 Jun 2026 19:14:58 +0000 (12:14 -0700)] 
run: do not munge user.slice with --slice-inherit

When using --slice-inherit, setting arg_slice would inadvertently munge
user.slice into the current user slice, usually producing a slice name
like user-1000-user.slice. This is treated as a user-UID slice by
user-.slice.d/10-defaults.conf, resulting in a strange description:
literally "User slice for UID user" (instead of an actual user UID).

Keep arg_slice empty when using --slice-inherit so that we actually
inherit from the relevant slice instead of a munged version.

Fixes: #42601
4 days agocrypto-util: set log level to debug in dlopen_many_sym_or_warn()
Antonio Alvarez Feijoo [Tue, 30 Jun 2026 08:39:16 +0000 (10:39 +0200)] 
crypto-util: set log level to debug in dlopen_many_sym_or_warn()

Otherwise in systems with OpenSSL 3 the journal contains multiple error entries
because the preferred library libcrypto.so.4 is not present.

Follow-up for ccdd42351f79cbb9c2e034a96280a1ded40a2f95

4 days agoluo-util: use new LIVEUPDATE_SESSION_GET_NAME ioctl to get session name if available
Luca Boccassi [Mon, 22 Jun 2026 15:33:23 +0000 (16:33 +0100)] 
luo-util: use new LIVEUPDATE_SESSION_GET_NAME ioctl to get session name if available

Added in kernel 7.2. Fallback can be removed once baseline
moves above. Ubuntu 26.04 uses 7.0.

4 days agoImport linux/liveupdate.h UAPI header from 7.2-rc1
Luca Boccassi [Mon, 22 Jun 2026 15:15:30 +0000 (16:15 +0100)] 
Import linux/liveupdate.h UAPI header from 7.2-rc1

4 days agoportable: leave room for trailing NUL in metadata receive buffer
Syed Mohammed Nayyar [Sun, 28 Jun 2026 11:22:43 +0000 (16:52 +0530)] 
portable: leave room for trailing NUL in metadata receive buffer

receive_portable_metadata() reads each item into a stack buffer of
PATH_MAX + NAME_MAX + 2 bytes, passes the full sizeof() as the recv
iovec length, and then NUL-terminates with iov_buffer[n] = 0. recvmsg()
can return n equal to the buffer size, so the terminator is written one
byte past the end.

Grow the buffer by one byte and cap the iovec at sizeof - 1, so a full
record is still received and the trailing NUL always fits, matching the
coredump-receive.c reader.

4 days agoman: document that $XDG_CONFIG_HOME affects environment.d lookup path
dongshengyuan [Mon, 29 Jun 2026 05:24:51 +0000 (13:24 +0800)] 
man: document that $XDG_CONFIG_HOME affects environment.d lookup path

Align the documentation with the actual behavior: if $XDG_CONFIG_HOME is
set to an absolute path in the user service manager environment, it takes
precedence over the default ~/.config/ when locating environment.d files.
Also note the bootstrapping limitation that variables defined inside
environment.d files are not yet available when the generator runs.

Fixes: #42777
Signed-off-by: dongshengyuan <dongshengyuan@uniontech.com>
4 days agolocale-util: drop libintl dependency
Yu Watanabe [Sun, 28 Jun 2026 12:40:07 +0000 (21:40 +0900)] 
locale-util: drop libintl dependency

Both glibc and musl provides dgettext(). Hence it is not necessary to
use libintl.so provided by gettext.

This partially reverts 590e22643722cf1268bd24f9056c7115ab0c1cf2,
fully reverts commit e6e65dc26157207a6b720fccc49632ac77236384 and
bd19ffd9cb618b15cbd74110aeca2abab745fe9e.

Then, introduce minimal libintl.h for musl build, to avoid using
libintl.h by gettext, which is typically installed on musl-based
build systems.

4 days agotest: make TEST-07-PID1.issue-14566 more robust (#42798)
Luca Boccassi [Mon, 29 Jun 2026 14:16:39 +0000 (15:16 +0100)] 
test: make TEST-07-PID1.issue-14566 more robust (#42798)

e.g.:
https://artifacts.dev.testing-farm.io/f5150e83-eccf-4d84-aa8b-ff25cd7a3cb4/

4 days agoshared/varlink: fix license of varlink-io.systemd.Udev.c
Luca Boccassi [Fri, 26 Jun 2026 20:28:27 +0000 (21:28 +0100)] 
shared/varlink: fix license of varlink-io.systemd.Udev.c

Sources in src/shared need to be licensed LGPL-2.1-or-later, not
GPL-2.0-or-later, which is the license for src/udev. Fix it.

Follow-up for 2f0aa9a80445ef18086260a60fad71920ad9486c