Nick Rosbrook [Mon, 23 Feb 2026 20:25:27 +0000 (15:25 -0500)]
seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default
These syscalls are part of a newer kernel API to replace interaction
with /proc/self/attr, with the goal of allowing LSM stacking. These are
being used now by e.g. libapparmor, so should be more easily available
to services using seccomp filtering.
Daan De Meyer [Fri, 20 Feb 2026 13:16:48 +0000 (14:16 +0100)]
nspawn: Add support for delegated UID ranges
We expose this via --private-users-delegate= which takes the number of
ranges to delegate. On top of delegating the ranges, we also mount in
the nsresourced socket and the mountfsd socket so that nested containers
can use nsresourced to allocate from the delegated ranges and mountfsd to
mount images.
Finally, we also create /run/systemd/dissect-root with systemd-tmpfiles to
make sure it is always available as unpriv users won't be able to create it
themselves.
Luca Boccassi [Fri, 20 Feb 2026 19:28:34 +0000 (19:28 +0000)]
test: avoid hanging forever waiting for udev if not a booted system
test_sd_device_enumerator_filter_subsystem hangs forever in OBS builds,
as it waits for the udev queue to be drained. But this is not a booted
system, with systemd and udev, so nothing will do that.
Skip the test in that case.
Daan De Meyer [Thu, 29 Jan 2026 15:45:59 +0000 (16:45 +0100)]
nsresourced: Optionally map foreign UID range
Whenever delegating UID ranges to a user namespace, it can also be
useful to map the foreign UID range, so that the container running in
the user namespace with delegated UID ranges can download container
images and unpack them to the foreign UID range.
Let's add an option mapForeign to make this possible. Note that this option
gives unprivileged users full access to any foreign UID range owned directory
that they can access. Hence it is recommended (and already was recommended) to
store foreign UID range owned directories in a 0700 directory owned by the
owner of the tree to avoid access and modifications by other users.
This is already the case for the main users of the foreign UID range,
namely /var/lib/machines, /var/lib/portables and /home/<user> which all
use 0700 as their mode.
Users will also be able to create foreign UID range owned inodes in any
directories their own user can write to (on most systems this means /tmp,
/var/tmp and /home/<user>).
Daan De Meyer [Sat, 24 Jan 2026 00:03:35 +0000 (01:03 +0100)]
nsresourced: Add support for self mappings with delegations
mkosi does all of its environment setup in an unprivileged user
namespace with an identity mapping. When it invokes nspawn and nspawn
tries to get a transient userns from nsresourced, this fails as no
transient ranges are mapped into mkosi's unprivileged userns (as doing
so would require privileges).
To fix this problem, let's allow allocating unprivileged self user
namespaces in nsresourced, similar to what the kernel allows, except that
we also support delegations for these. This means that mkosi can get its
unprivileged userns as before from nsresourced, but it can also request a
delegated 64K range inside that userns as well, which nsresourced can then
allocate to nspawn later when it asks for one.
Similar to the kernel, we disallow setgroups for self mappings. However,
instead of doing this via /proc/self/setgroups, which applies to the current
user namespace and all its child user namespaces, we use the BPF LSM to deny
setgroups instead, so that it can still be allowed for child user namespaces.
We need this because as soon as a container launches in a child user namespace
using one of the delegated mappings, it has to be able to do setgroups() to be
able to function properly.
To allow mapping the root user, we need to add the CAP_SETFCAP capability to
nsresourced.
Daan De Meyer [Fri, 23 Jan 2026 11:31:47 +0000 (12:31 +0100)]
nsresourced: Add support for delegated ranges
We want to support the scenario where we bind mount the nsresourced
varlink socket into a container to allow nested containers where the
outer container runs in its own transient range from nsresourced but
can still allocate transient ranges for its own nested containers.
To support this use case let's add support for delegation. Delegated
ranges are allocated when allocating the primary range and are propagated
1:1 to the user namespace. We track delegated ranges in ".delegate" files
in the userns registry so that they can't be used for other range allocations.
We make one exception for delegated ranges though: if we get a request from
a user namespace that is a child of the user namespace that owns the delegated
ranges, we allow allocating from the delegated range. The parent userns already
has full ownership over the child userns, so it doesn't matter that the parent
userns and the child userns share the same range. This allows making use of
delegated ranges without having to run another copy of nsresourced inside the
parent userns to hand out from the delegated range.
To support recursive delegations, we keep track of the previous owners of the
delegated range and restore ownership to the last previous owner when the current
owner is freed.
The purpose of the userns-restrict BPF-LSM program is to prevent the
transient ranges leaking to disk, so let's allow operations outside the
transient UID ranges, even if the mount is not allowlisted.
This is preparation for the next commits where we'll add support for mapping
the current user and the foreign UID range into the user namespaces provisioned
by nsresourced. Operations creating files/directories as these UIDs/GIDs should
not need the corresponding mount to be allowlisted with nsresourced.
Yu Watanabe [Tue, 24 Feb 2026 16:35:38 +0000 (01:35 +0900)]
man: coredump: KeepFree/MaxUse clarification of default values (#40796)
In sd-coredump, the defaults for both `MaxUse` and `KeepFree` have a caveat:
they may be set differently if not explicitly configured.
For `MaxUse` it'll cap to 4GiB as seen
[here](https://github.com/systemd/systemd/blob/d39b10371964d048a3c5d7dbf84552ecdba66bbe/src/coredump/coredump-vacuum.c#L82).
Similarly for `KeepFree`
[here](https://github.com/systemd/systemd/blob/d39b10371964d048a3c5d7dbf84552ecdba66bbe/src/coredump/coredump-vacuum.c#L98)
sd-netlink: pin reply slot while we execute callback
The callback might drop the last ref to the slot object, and we still
want to access it. Hence do what we usually do in these cases: keep an
extra reference while processing the callback.
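As an added example (not sd-netlink's or systemd's own code), here is the pin-during-callback pattern the message describes, reduced to a standalone reference-counted slot: the dispatcher takes its own reference before invoking the callback, so a callback that drops the owner's last reference cannot turn the dispatcher's later access into a use-after-free. The `Slot` type, `slot_dispatch()`, the self-disposing callback and the free counter are all constructed for this demo.

```c
#include <stdlib.h>
#include <stddef.h>

/* Constructed for the example: a minimal reference-counted "reply slot". */
typedef struct Slot Slot;
typedef int (*slot_callback_t)(Slot *s, void *userdata);

struct Slot {
        unsigned n_ref;
        slot_callback_t callback;
        void *userdata;
        unsigned n_dispatched;   /* touched by the dispatcher after the callback */
};

static unsigned n_freed;         /* counts frees so the demo can verify cleanup */

Slot *slot_new(slot_callback_t cb, void *userdata) {
        Slot *s = calloc(1, sizeof(Slot));
        if (!s)
                return NULL;
        s->n_ref = 1;
        s->callback = cb;
        s->userdata = userdata;
        return s;
}

Slot *slot_ref(Slot *s) {
        if (s)
                s->n_ref++;
        return s;
}

/* Drops one reference; frees the object when the last one goes away. */
Slot *slot_unref(Slot *s) {
        if (!s)
                return NULL;
        if (--s->n_ref == 0) {
                free(s);
                n_freed++;
        }
        return NULL;
}

/* Dispatch a reply to the slot. The callback may drop the owner's reference,
 * so hold our own for the duration and release it only after the last access. */
int slot_dispatch(Slot *s) {
        int r;

        s = slot_ref(s);               /* pin: without this, the access below would be a
                                        * use-after-free whenever the callback dropped the last ref */
        r = s->callback(s, s->userdata);
        s->n_dispatched++;             /* still valid: we hold a reference */
        slot_unref(s);                 /* releases the pin; frees if it was the last */
        return r;
}

/* A callback that disposes of the owner's slot pointer from inside the callback,
 * mimicking a handler that disables its own slot once the reply has arrived. */
static int self_disposing_callback(Slot *s, void *userdata) {
        Slot **owner = userdata;
        (void) s;
        *owner = slot_unref(*owner);   /* owner's reference is gone; the pin keeps the slot alive */
        return 42;
}

/* Runs the scenario. Returns the callback's result when the slot was freed exactly
 * once and the owner's pointer was cleared, or -1 if anything went wrong. */
int run_pinned_dispatch_demo(void) {
        Slot *owner = NULL;
        unsigned freed_before = n_freed;
        int r;

        owner = slot_new(self_disposing_callback, &owner);
        if (!owner)
                return -1;

        r = slot_dispatch(owner);
        if (owner != NULL || n_freed != freed_before + 1)
                return -1;
        return r;
}
```

The ordering inside `slot_dispatch()` is the whole point: the pin is taken before the callback and released after every access to the slot, so the object is freed exactly once, at the end of dispatch, rather than mid-way through it.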
network: enable LLDP for links that use only link-local addressing
Links with link-local-only communication are typically peer-to-peer
links between two laptops or similar. In such cases it makes sense to be
able to see which device one is specifically connected to, hence let's
just enable LLDP for it. This doesn't leak any data really, given that
this is inherently local, and typically only used between isolated
systems that are under the same user's possession.
Background: I recently connected multiple laptops via thunderbolt networking
and was kinda annoyed not being able to see what system I was actually
talking to.
(Also, the file touched here is an example only anyway, so even if this
would leak too much info, it's not in effect by default)
Kai Lüke [Tue, 24 Feb 2026 11:10:48 +0000 (20:10 +0900)]
journalctl: order systemd-journalctl.socket after systemd-sysusers
The socket failed on boot due to an ordering problem caused by
systemd-sysusers running later, so the socket group was still
missing. The socket unit can only start once systemd-sysusers has created
the group.
Order the socket after systemd-sysusers.service to have the group
available.
Could ask Bastien Nocera, who originally committed the joysticks hwdb
integration
https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1429#note_3338386
and stated that it was for use in iio-sensor, but later nothing was done.
As the variable was never used, replace it with the new variable that is actually
in the process of being used in libinput. Moreover, at least some of the
ideas that were planned for ID_INPUT_JOYSTICK_INTEGRATION could be done in
libinput.
Actually ID_INPUT_JOYSTICK_INTEGRATION was never used anywhere, replace
it with ID_INTEGRATION.
I'm pretty sure we should not create more of these multiplexer
interfaces, which in this specific case also leads to a fair bit of
confusion: start/stop/reload-or-restart --marked all enqueue
all job types.
Instead, a dedicated verb will be introduced in later commits.
Luca Boccassi [Tue, 24 Feb 2026 11:53:47 +0000 (11:53 +0000)]
resolved: Add ifindex=0 support for BrowseServices to browse all mDNS interfaces (#40133)
With v259, resolved can be used to replace Avahi for mDNS service
discovery and announcement. One key difference in the API is that Avahi
by default browses on all available interfaces by passing a special
`AVAHI_IF_UNSPEC` (-1) interface index value. With this change, passing
ifindex value `0` can be used to achieve the same, so this will work:
```
# Browse on all available interfaces
varlinkctl call --more unix:/run/systemd/resolve/io.systemd.Resolve \
io.systemd.Resolve.BrowseServices \
'{"domain":"local","type":"_display._tcp","ifindex":0,"flags":0}'
```
Not having to iterate through all interfaces on the client side then
also makes it more straightforward to build a resolve-avahi-compat
library for painlessly replacing Avahi with systemd-resolved.
A PoC compat lib requiring this change is available at
https://github.com/LorbusChris/resolve-avahi-compat
Adrian Vovk [Tue, 24 Feb 2026 01:02:03 +0000 (20:02 -0500)]
NEWS: Add note about logind's Can* return values
We've changed them to return additional values, which may be a breaking
change for desktop environments. In practice, it doesn't seem to be a
major issue. However, let's make sure to document the changes in the
NEWS anyway!
Adrian Vovk [Tue, 20 Jan 2026 00:26:30 +0000 (19:26 -0500)]
login1: Emit NCurrentInhibitors changed events
Currently, there's no way for a desktop environment to detect when a
systemd inhibitor has been added or removed. This means that a desktop
environment that wishes to show current inhibitors to the user will be
either forced to poll systemd or just use stale data.
Now, the desktop can listen for changed events on NCurrentInhibitors and
call GetInhibitors() in response to that.
Adrian Vovk [Mon, 19 Jan 2026 23:15:53 +0000 (18:15 -0500)]
login1: Add "inhibited" state to Can* methods
Desktops cannot currently tell the difference between a power action
being set to challenge permanently (i.e. because the sysadmin wanted to
restrict the given user) and a power action being set to challenge
because it's temporarily inhibited.
Thus, a desktop might take an action that is valid in the first case but
not the second case. For instance: GNOME hides all of its automatic
suspend settings from the UI whenever a sleep inhibitor is active.
This now returns a new state: "inhibited". It communicates to the
desktop that the action is available normally, but at the moment the
desktop isn't allowed to perform the action due to an inhibitor.
* 89a825b80e Install new files for upstream build
* 38b1a75eaa systemd.postinst: update journal catalog after reexecing managers
* 9420ffa0dd Install new files for upstream build
* cb5fdf4df0 Install sd-report from new path
* 2501efe312 homed: drop dependency satisfied since bookworm/noble
* 424262b674 d/control: add TODO
* 9aaa01c99d d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy
* 7d0ac8a4b8 Install new files for upstream build
* 7e55d41841 Do not install legacy.conf in upstream builds
* 190387958e d/e/checkout-upstream: try to install build deps with sudo in case it fails
* 2a4aa9f426 Disable installing runlevel targets for upstream build
* e02600f2d9 Install new files for upstream build
* 0f1a56cf10 Update changelog for 259.1-1 release
* e463300b1a d/e/checkout-upstream: try to install build deps again after switching to CI branch
* b3f72821e5 Install ask-password polkit policy file
* 8219d561ae Restrict the tpm2-generator manpage to arches where it is built
* 30a0f27283 systemd.postinst: reexec system manager before user instances
* 1fc9ea2790 systemd.postinst: reexec before restarting any service
* d9991aeb22 d/control: use libarchive13t64 | libarchive13 for bookworm/jammy
* b750346711 d/control: make systemd-container Depends: libarchive13t64
sysupdated: Split Update() into Acquire() and Install() D-Bus methods (#40628)
These mirror the `sysupdate acquire` and `sysupdate install` verbs,
which are themselves a split of `sysupdate update` into downloading and
installing stages.
I have dropped the existing `Update()` method in the final commit, as
per the suggestion on
https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/2004#note_2145880.
If the D-Bus API for `sysupdated` is considered stable now, though, I
can drop that commit.
Philip Withnall [Mon, 19 Jan 2026 18:33:27 +0000 (18:33 +0000)]
sysupdated: Drop the Update() D-Bus method
Now that it’s been replaced by `Acquire()` and `Install()`, there’s no
need to expose it as a separate method. Wrappers around `sysupdated` can
still expose an ‘update’ convenience verb by calling those two methods.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814
Philip Withnall [Mon, 19 Jan 2026 18:12:39 +0000 (18:12 +0000)]
test: Expand sysupdate test to test updatectl update
This further expands the sysupdate test to run the suite a fourth time,
testing that `updatectl update` behaves the same as `sysupdate update`
and `sysupdate acquire; sysupdate update --offline`.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Philip Withnall [Mon, 19 Jan 2026 17:16:54 +0000 (17:16 +0000)]
sysupdated: Add Acquire() and Install() D-Bus methods
These mirror the `sysupdate acquire` and `sysupdate update --offline`
verbs, which are themselves a split of `sysupdate update` into
downloading and installing stages.
The existing `sysupdated` `Update()` method is kept for now, for
convenience. It might be dropped in future.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814
DaanDeMeyer [Sat, 27 Dec 2025 20:07:13 +0000 (21:07 +0100)]
repart: Use new mkfs.xfs support for populating from directories
xfsprogs 6.17.0 added support for populating xfs filesystems from
directories. As this supports extended attributes, unlike our current
hack with protofiles, let's make use of the new feature in mkfs-util.c.
As there's no clean way to do feature detection on the mkfs.xfs binary,
we drop support for the old hack with protofiles that we had before.
Luca Boccassi [Sat, 27 Dec 2025 11:02:30 +0000 (11:02 +0000)]
manager: add 'needs-stop/needs-start' markers
Useful for packaging scripts, when units are removed.
When multiple markers are assigned without +/-, the last one wins.
When using +/-, the job merging logic is followed to the extent possible.
Daan De Meyer [Sat, 21 Feb 2026 21:10:56 +0000 (22:10 +0100)]
mountfsd: Try to polkit auth when the verity key is not available
If we include a verity signature but the corresponding key is not in
the kernel keyring or userspace, try to get polkit auth similar to how
we do the same if the image doesn't pass the policy.
Luca Boccassi [Mon, 23 Feb 2026 10:54:21 +0000 (10:54 +0000)]
Translations update from Fedora Weblate (#40789)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Mike Yuan [Mon, 23 Feb 2026 07:54:12 +0000 (08:54 +0100)]
journalctl-vl-server: return proper error if unit pattern has no match
Note that SD_VARLINK_ERROR_INVALID_PARAMETERS requires
the invalid param name to be specified, hence we would
otherwise have reported an invalid INVALID_PARAMETERS
error ;)
Mike Yuan [Mon, 23 Feb 2026 06:48:43 +0000 (07:48 +0100)]
logs-show: clean up journal_entry_to_json() a bit
* Make sure ret is initialized on success return
* Drop unneeded 'object' variable
* No need to ref/unref json objects when constructing
intermediary array
Mike Yuan [Mon, 23 Feb 2026 08:30:17 +0000 (09:30 +0100)]
units/user/systemd-journalctl.socket: drop MaxConnectionsPerSource=
For AF_UNIX sockets connection sources are accounted for
based on UID, hence in user scope this effectively
limits total number of connections, which is not really
desirable.
This follows the existing practice for
systemd-journal-{upload,gatewayd}.service,
as I think allocating a full-blown user
specifically for this purpose is overkill.
And with DynamicUser=yes we can also take
advantage of implied sandboxing.
man/systemd.mstack: use <varname> instead of <variable>
Otherwise, `<variable>location</variable>` is rendered:
```
[2365/2925] Generating man/systemd.mstack.7 with a custom command
Element variable in namespace '' encountered in para, but no template matches.
```
resolved: Add ifindex=0 support for BrowseServices to browse all mDNS interfaces
Avahi provides AVAHI_IF_UNSPEC (-1) to browse mDNS services on all
interfaces simultaneously. Currently, systemd-resolved's BrowseServices
varlink API requires a specific interface index and lacks the ability to browse on
all available interfaces.
This change adds support for ifindex = 0 to mean "browse on all mDNS-enabled
interfaces" to match the Avahi API.
When ifindex = 0 is specified the browser will now iterate all mDNS scopes
instead of a single interface.
This enables applications to discover services on any network interface
without needing to know the specific interface index in advance.
Assisted-by: Claude Opus 4.6 (Eclipse Theia IDE AI)
resolved: Track per-service item ifindex in DnssdDiscoveredService
The interface where each service was discovered needs to be remembered
so it can be correctly reported when the service is later removed.
Previously, service removal would use sb->ifindex, losing the actual
interface information from the original discovery.
This change:
- Adds an ifindex field to DnssdDiscoveredService struct
- Stores the discovered interface index when adding new services,
preferring the per-item ifindex from DnsAnswerItem over the service
browser's ifindex
- Uses the stored ifindex when reporting service removal events
This ensures that service removal notifications include the correct
interface index where the service was originally discovered, matching
the behavior of the corresponding service addition notifications.
Assisted-by: Claude Opus 4.6 (Eclipse Theia IDE AI)
Yu Watanabe [Sun, 22 Feb 2026 20:38:03 +0000 (05:38 +0900)]
sd-device: do not try to remove previous tag indexes
The removed code in device_tag_index() in fact does nothing,
as sd_device.all_tags is never cleared. Moreover, not only is the code
meaningless, but it is also theoretically/logically wrong, as the symlinks
in /run/udev/tags/ should be 'sticky', hence we should not even try to
remove them.
However, when TAG= (rather than TAG+=) is specified, then the tags
assigned in the previous events were also cleared.
This fixes the issue and now symlinks in /run/udev/tags/ are really
'sticky'.
Fortunately, TAG= is mostly unused. So, the issue should not affect,
and the fix should not change, anything on almost all systems.
journalctl: add new varlink GetEntries endpoint (#40650)
Luca Boccassi [Sat, 21 Feb 2026 11:27:37 +0000 (11:27 +0000)]
core: validate ref_uid before checking in AttachProcesses method
ref_uid is initialized to invalid, and is only set in some
circumstances. The AttachProcesses will attempt to check it,
and assert that it is valid. Check beforehand.
Michael Vogt [Tue, 10 Feb 2026 15:27:58 +0000 (16:27 +0100)]
journalctl: add new varlink read service to get entries
We already have some varlink support for the journal to perform
some actions like `Rotate`. It would be nice to be able to query
the journal via varlink too so this commit adds a new varlinkctl
based journal service that exposes a single GetEntries() call
to retrieve journal entries. Basic filtering is supported and
we can expand the API as needed.
This is a separate `io.systemd.JournalControl` [1] service from the
existing `io.systemd.Journald` to decouple read and write (thanks
to Lennart for suggesting this).
This also extracts some shared helpers so that we do not duplicate
code when generating the json or when adding the filters.
[1] The name mirrors the bootctl->io.systemd.BootControl naming.