Luca Boccassi [Fri, 27 Feb 2026 17:27:30 +0000 (17:27 +0000)]
Translations update from Fedora Weblate (#40876)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Vitaly Kuznetsov [Fri, 27 Feb 2026 13:20:20 +0000 (14:20 +0100)]
cryptsetup-tokens: Print tpm2-primary-alg: only when it is known
When 'tpm2-primary-alg' is missing in LUKS JSON token, the output of
'cryptsetup luksDump' is always:
tpm2-primary-alg: ecc
because tpm2_parse_luks2_json() returns the default (TPM2_ALG_ECC). This can be
misleading and wrong. Make tpm2_parse_luks2_json() return the reality and move
the default to tpm2_unseal().
Vitaly Kuznetsov [Fri, 27 Feb 2026 12:46:07 +0000 (13:46 +0100)]
cryptenroll: Save primary algorithm type to the LUKS token
'tpm2-primary-alg' field is currently unset in LUKS JSON token both for the
case when SRK was used for enrolling (--tpm2-device-key=) and for the case when
SRK was obtained/generated (--tpm2-device=). While this information is not
really needed for unsealing (the sealed object itself has key type in it), it
may be convenient to see key type in e.g. 'cryptsetup luksDump' in the
situations where key type matters. Since 'tpm2-primary-alg' is already defined,
just set it properly in all cases.
Add the missing 'mstack' value to the ImageType enum in the
io.systemd.sysext Varlink IDL — image_type_table in discover-image.c
already defines IMAGE_MSTACK = "mstack" but it was absent from the IDL.
Export vl_type_ImageType so the test can reference it, and add
TEST_IDL_ENUM(ImageType, ...) to the enums_idl test to catch
similar regressions in the future.
noxiouz [Fri, 27 Feb 2026 00:02:12 +0000 (00:02 +0000)]
import: fix AlreadyInProgress Varlink error missing remote field
The handler sends the remote URL as a parameter via sd_varlink_errorbo()
but the IDL declared the error with no fields, making the payload
undiscoverable via introspection.
Luca Boccassi [Thu, 26 Feb 2026 14:47:39 +0000 (14:47 +0000)]
Translations update from Fedora Weblate (#40842)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
core/socket: fix reversed symlink direction in error message
After the update to 260-rc1 in Fedora Rawhide, we get a lot of messages like
this:
systemd[1]: systemd-resolved-monitor.socket:
Failed to create symlink /run/systemd/resolve/io.systemd.Resolve.Monitor →
/run/varlink/registry/io.systemd.Resolve.Monitor, ignoring: Permission denied
The actual issue will need to be fixed too, but let's fix the message first.
While at it, let's rename the variables to be meaningful.
Luca Boccassi [Wed, 25 Feb 2026 23:12:28 +0000 (23:12 +0000)]
mkosi: explicitly add mount package to build image
Some dependency changed in testing and it's not pulled in anymore:
‣ Running build script /home/runner/work/systemd/systemd/mkosi/mkosi.images/build/mkosi.conf.d/debian-ubuntu/mkosi.build.chroot…
/work/build-script: line 35: mount: command not found
‣ /work/build-script failed with non-zero exit code 127
‣ (Maybe a program was not found or the script interpreter (e.g. bash) is not installed?)
FAILED: [code=127] mkosi
Luca Boccassi [Tue, 24 Feb 2026 21:09:26 +0000 (21:09 +0000)]
Install hwids in /usr/lib/systemd/boot/hwids/<EFI_ARCH>/
These are meant to ship with ukify, in the same package,
so install them when ukify is enabled. Given they are
hardware-specific, use a per-arch subdirectory to make it
easier to enable them by default in ukify.
Tobias Heider [Mon, 2 Feb 2026 11:08:46 +0000 (12:08 +0100)]
boot: import Snapdragon device hwid json files
Add hwids json files for Snapdragon devices that use of this
feature since they don't ship with devie trees embedded in firmware.
The json files were originally generated for Ubuntu stubble and
are kown to work since they ship in all Ubuntu arm64 ISOs by default.
Some of the devices might not be supported in mainline Linux yet
and use preliminary compatible strings.
* 23a1c1fed9 Install /usr/lib/systemd/boot/hwids/ in ukify package
* 985170fdc6 Version 259.1
* 2e10d7da1e Revert getty changes a bit harder
* 96c683c3de Revert all remaing changes to getty@.service
* 24a305a398 Revert to previous handling of getty@.service
* 6a500eb814 Create getty@tty1.service again and move autovt@.service alias to /usr/lib
* 88bd4ab206 Properly enable systemd-tmpfiles-clear.service in scriptlets
* d9f3f02206 Raise the number of placeholder sections in kernel and addon stubs
* e301db0151 Stop enabling getty@tty1.service
* a1c33507a2 Fix unit names in systemd-udev scriptlet
* b7b3e024d6 Enable getty@.service through presets
* ec5e1b1ed7 Move tpm2 and getty support to -udev subpackage
* 9c9976a7f8 Rebuilt for https://fedoraproject.org/wiki/Fedora_44_Mass_Rebuild
* f353d244fd Add 2 patches for automatic aarch64 DTB selection change
* 399885597c Revert "Disable sysinit-path for upstream builds"
Luca Boccassi [Wed, 25 Feb 2026 11:16:28 +0000 (11:16 +0000)]
mkosi: add groupadd/groupmod to ASAN wrappers list
TEST-74-AUX-UTILS.sh[3789]: + groupadd haldo
TEST-74-AUX-UTILS.sh[3875]: ==3875==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.
Mike Yuan [Tue, 24 Feb 2026 18:40:14 +0000 (19:40 +0100)]
core/namespace: clean up append_private_tmp() a bit
With the previous changes the modes for /tmp/ and /var/tmp/
may come in arbitrary directions, i.e. we may downgrade one
and upgrade another. Hence let's refactor the setup logic
a bit so they're truly independent.
core: simplify requirements in unit_get_private_var_tmp() to just After=
As in the previous commit, checking for both requirements and ordering seems
unnecessary. In practical cases, the mount will be pulled in by the rest
of the transaction, so ordering is the part that matters. (The setup is
racy without the ordering.) If we drop the second check, the admin can
just use After=tmp.mount to achieve the desired behaviour, without needing
to explicitly pull in the unit. This is easier to configure and more robust.
core: upgrade /tmp when PrivateTmp=yes/DefaultDeps=no to disconnected
In https://github.com/systemd/systemd/issues/28515, multiple people report that
services that have PrivateTmp=yes and DefaultDependencies=no fail to create the
temporary directories under /tmp, when /tmp is e.g. a bind mount or some other
kind of mount that takes more time.
Before PrivateTmp=disconnected was added, we didn't have a nice solution:
DefaultDependencies=no is used to start services very early, so we wouldn't
want to add a dependency on /tmp automatically. With PrivateTmp=disconnected we
have a fairly nice solution. Let's "upgrade" to this mode automatically.
Strictly speaking, it is a small compat break, but in practice it's unlikely to
matter for early-boot services whether their /tmp is private or disconnected.
The dependency on /tmp that is checked is After. I think this is enough,
since any tmp.mount would be pulled in by local-fs.target and the rest of
the transaction anyway, so we don't need to check more than After.
The asserts are relaxed, because now the two settings can now diverge
in either way.
Mike Yuan [Tue, 24 Feb 2026 22:11:55 +0000 (23:11 +0100)]
core/execute: stop looking at ExecSharedRuntime to determine PrivateTmp= state
The only reason why ExecSharedRuntime.(var_)tmp_dir might
be suppressed is when (/var)/tmp/ is listed in InaccessiblePaths=,
in which case mount namespace is needed anyways. Moreover,
the current logic imposes a chicken-and-egg problem:
at various places in pid1 we'd need to check whether
the unit runs in a mountns, but the ExecSharedRuntime
may not be allocated for it just yet.
Mike Yuan [Wed, 25 Feb 2026 08:23:50 +0000 (09:23 +0100)]
core/namespace: two fixes for namespace_cleanup_tmpdir()
* Make sure we're not passing NULL to rmdir()
* Remove the inner "tmp" subdir as well, so that callers
can handle this transparently (e.g. exec_shared_runtime_make()
is not aware of the nested rmdir() requirements)
Nick Rosbrook [Mon, 23 Feb 2026 20:25:27 +0000 (15:25 -0500)]
seccomp-util: add lsm_get_self_attr and lsm_list_modules to @default
These syscalls are part of a newer kernel API to replace interaction
with /proc/self/attr, with the goal of allowing LSM stacking. These are
being used now by e.g. libapparmor, so should be more easily available
to services using seccomp filtering.
Daan De Meyer [Fri, 20 Feb 2026 13:16:48 +0000 (14:16 +0100)]
nspawn: Add support for delegated UID ranges
We expose this via --private-users-delegate= which takes the number of
ranges to delegate. On top of delegating the ranges, we also mount in
the nsresourced socket and the mountfsd socket so that nested containers
can use nsresourced to allocate from the delegated ranges and mountfsd to
mount images.
Finally, we also create /run/systemd/dissect-root with systemd-tmpfiles to
make sure it is always available as unpriv users won't be able to create it
themselves.
Luca Boccassi [Fri, 20 Feb 2026 19:28:34 +0000 (19:28 +0000)]
test: avoid hanging forever waiting for udev if not a booted system
test_sd_device_enumerator_filter_subsystem hangs forever in OBS builds,
as it waits for the udev queue to be drained. But this is not a booted
system, with systemd and udev, so nothing will do that.
Skip the test in that case.
Daan De Meyer [Thu, 29 Jan 2026 15:45:59 +0000 (16:45 +0100)]
nsresourced: Optionally map foreign UID range
Whenever delegating UID ranges to a user namespace, it can also be
useful to map the foreign UID range, so that the container running in
the user namespace with delegated UID ranges can download container
images and unpack them to the foreign UID range.
Let's add an option mapForeign to make this possible. Note that this option
gives unprivileged users full access to the any foreign UID range owned directory
that they can access. Hence it is recommended (and already was recommended) to
store foreign UID range owned directories in a 0700 directory owned by the
owner of the tree to avoid access and modifications by other users.
This is already the case for the main users of the foreign UID range,
namely /var/lib/machines, /var/lib/portables and /home/<user> which all
use 0700 as their mode.
Users will also be able to create foreign UID range owned inodes in any
directories their own user can write to (on most systems this means /tmp,
/var/tmp and /home/<user>).
Daan De Meyer [Sat, 24 Jan 2026 00:03:35 +0000 (01:03 +0100)]
nsresourced: Add support for self mappings with delegations
mkosi does all of its environment setup in an unprivileged user
namespace with an identity mapping. When it invokes nspawn and nspawn
tries to get a transient userns from nsresourced, this fails as no
transient ranges are mapped into mkosi's unprivileged userns (as doing
so would require privileges).
To fix this problem, let's allow allocating unprivileged self user
namespaces in nsresourced, similar to what the kernel allows, except that
we also support delegations for these. This means that mkosi can get its
unprivileged userns as before from nsresourced, but it can also request a
delegated 64K range inside that userns as well, which nsresourced can then
allocate to nspawn later when it asks for one.
Similar to the kernel, we disallow setgroups for self mappings. However,
instead of doing this via /proc/self/setgroups, which applies to the current
user namespace and all its child user namespaces, we use the BPF LSM to deny
setgroups instead, so that it can still be allowed for child user namespaces.
We need this because as soon as a container launches in a child user namespace
using one of the delegated mappings, it has to be able to do setgroups() to be
able to function properly.
To allow mapping the root user, we need to add the CAP_SETFCAP capability to
nsresourced.
Daan De Meyer [Fri, 23 Jan 2026 11:31:47 +0000 (12:31 +0100)]
nsresourced: Add support for delegated ranges
We want to support the scenario where we bind mount the nsresourced
varlink socket into a container to allow nested containers where the
outer container runs in its own transient range from nsresourced but
can still allocate transient ranges for its own nested containers.
To support this use case let's add support for delegation. Delegated
ranges are allocated when allocating the primary range and are propagated
1:1 to the user namespace. We track delegated ranges in ".delegate" files
in the userns registry so that they can't be used for other range allocations.
We make one exception for delegated ranges though, if we get a request from
a user namespace that is a child of the user namespace that owns the delegated
ranges, we allow allocating from the delegated range. The parent userns already
has full ownership over the child userns, so it doesn't matter that the parent
userns and the child userns share the same range. This allows making use of
delegated ranges without having to run another copy of nsresourced inside the
parent userns to hand out from the delegated range.
To support recursive delegations, we keep track of the previous owners of the
delegated range and restore ownership to the last previous owner when the current
owner is freed.
projects / thirdparty / systemd.git / log
