The purpose of the userns-restrict BPF-LSM program is to prevent the
transient ranges leaking to disk, so let's allow operations outside the
transient UID ranges, even if the mount is not allowlisted.
This is preparation for the next commits where we'll add support for mapping
the current user and the foreign UID range into the user namespaces provisioned
by nsresourced. Operations creating files/directories as these UIDs/GIDs should
not need the corresponding mount to be allowlisted with nsresourced.
Yu Watanabe [Tue, 24 Feb 2026 16:35:38 +0000 (01:35 +0900)]
man: coredump: KeepFree/MaxUse clarification of default values (#40796)
On sd-coredump for both `MaxUse` and `KeepFree` defaults has a caveat,
it may set it differently if not explicit configured.
On `MaxUse` it'll cap to 4GiB as seem
[here](https://github.com/systemd/systemd/blob/d39b10371964d048a3c5d7dbf84552ecdba66bbe/src/coredump/coredump-vacuum.c#L82).
Similar for `KeepFree`
[here](https://github.com/systemd/systemd/blob/d39b10371964d048a3c5d7dbf84552ecdba66bbe/src/coredump/coredump-vacuum.c#L98)
sd-netlink: pin reply slot while we execute callback
The callback might drop the last ref to the slot object, and we still
want to access it. Hence do what we usually do in these cases: keep an
extra reference while processing the callback.
network: enable LLDP for links that use only link-local addressing
Links with link-local-only communication are typically peer-to-peer
links between two laptops or similar. In such cases it makes sense to be
able to see which device one is specifically connected to, hence let's
just enable LLDP for it. This doesn't leak any data really, given that
this is inherently local, and typically only used between isolated
systems that are under the same user's possession.
Background: I recently connected multiple laptops via thunderbolt networking
and was kinda annoyed not being able to see what system I was actually
talking to.
(Also, the file touched here is an example only anyway, so even if this
would leak too much info, it's not in effect by default)
Kai Lüke [Tue, 24 Feb 2026 11:10:48 +0000 (20:10 +0900)]
journalctl: order systemd-journalctl.socket after systemd-sysusers
The socket failed on boot due to a ordering problem caused by
systemd-sysusers running later and thus the socket group was still
missing. The socket unit can only start when systemd-sysusers created
the group.
Order the socket after systemd-sysusers.service to have the group
available.
Could ask to Bastien Nocera who originally commited the joysticks hwdb
integration
https://gitlab.freedesktop.org/libinput/libinput/-/merge_requests/1429#note_3338386
and stated that was for use in iio-sensor but later anything was done.
As the variable was never used replace it with the new variable actually
in the process to be use in libinput. Even more at least some of the
idea that was planed for ID_INPUT_JOYSTICK_INTEGRATION could be done in
libinput.
Actually ID_INPUT_JOYSTICK_INTEGRATION was never used anywhere, replace
it with ID_INTEGRATION.
I'm pretty sure we should not create more of these multiplexer
interfaces, which in this specific also leads to a fair bit of
confusion: start/stop/reload-or-restart --marked all enqueue
all job types.
Instead, a dedicated verb will be introduced in later commits.
Luca Boccassi [Tue, 24 Feb 2026 11:53:47 +0000 (11:53 +0000)]
resolved: Add ifindex=0 support for BrowseServices to browse all mDNS interfaces (#40133)
With v259, resolved can be used to replace Avahi for mDNS service
discovery and announcement. One key difference in the API is that Avahi
by default browses on all available interfaces by passing a special
`AVAHI_IF_UNSPEC` (-1) interface index value. With this change, passing
ifindex value `0` can be used to achieve the same , so this will work:
```
# Browse on all available interfaces
varlinkctl call --more unix:/run/systemd/resolve/io.systemd.Resolve \
io.systemd.Resolve.BrowseServices \
'{"domain":"local","type":"_display._tcp","ifindex":0,"flags":0}'
```
Not having to iterate through all interfaces on the client side then
also makes it more straight forward to build a resolve-avahi-compat
library for painlessly replacing Avahi with systemd-resolved.
A PoC compat lib requiring this change is available at
https://github.com/LorbusChris/resolve-avahi-compat
Adrian Vovk [Tue, 24 Feb 2026 01:02:03 +0000 (20:02 -0500)]
NEWS: Add note about logind's Can* return values
We've changed them to return additional values, which may be a breaking
change for desktop environments. In practice, it doesn't seem to be a
major issue. However, let's make sure to document the changes in the
NEWS anyway!
Adrian Vovk [Tue, 20 Jan 2026 00:26:30 +0000 (19:26 -0500)]
login1: Emit NCurrentInhibitors changed events
Currently, there's no way for a desktop environment to detect when a
systemd inhibitor has been added or removed. This means that a desktop
environment that wishes to show current inhibitors to the user will be
either forced to poll systemd or just use stale data.
Now, the desktop can listen for changed events on NCurrentInhibitors and
call GetInhibitors() in response to that.
Adrian Vovk [Mon, 19 Jan 2026 23:15:53 +0000 (18:15 -0500)]
login1: Add "inhibited" state to Can* methods
Desktops cannot currently tell the difference between a power action
being set to challenge permanently (i.e. because the sysadmin wanted to
restrict the given user) and a power action being set to challenge
because it's temporarily inhibited.
Thus, a desktop might take an action that is valid in the first case but
not the second case. For instance: GNOME hides all of its automatic
suspend settings from the UI whenever a sleep inhibitor is active.
This now returns a new state: "inhibited". It communicates to the
desktop that the action is available normally, but at the moment the
desktop isn't allowed to perform the action due to an inhibitor.
* 89a825b80e Install new files for upstream build
* 38b1a75eaa systemd.postinst: update journal catalog after reexecing managers
* 9420ffa0dd Install new files for upstream build
* cb5fdf4df0 Install sd-report from new path
* 2501efe312 homed: drop dependency satisfied since bookworm/noble
* 424262b674 d/control: add TODO
* 9aaa01c99d d/libsystemd-shared.preinst: refuse to upgrade without unified cgroupv2 hierarchy
* 7d0ac8a4b8 Install new files for upstream build
* 7e55d41841 Do not install legacy.conf in upstream builds
* 190387958e d/e/checkout-upstream: try to install build deps with sudo in case it fails
* 2a4aa9f426 Disable installing runlevel targets for upstream build
* e02600f2d9 Install new files for upstream build
* 0f1a56cf10 Update changelog for 259.1-1 release
* e463300b1a d/e/checkout-upstream: try to install build deps again after switching to CI branch
* b3f72821e5 Install ask-password polkit policy file
* 8219d561ae Restrict the tpm2-generator manpage to arches where it is built
* 30a0f27283 systemd.postinst: reexec system manager before user instances
* 1fc9ea2790 systemd.postinst: reexec before restarting any service
* d9991aeb22 d/control: use libarchive13t64 | libarchive13 for bookworm/jammy
* b750346711 d/control: make systemd-container Depends: libarchive13t64
sysupdated: Split Update() into Acquire() and Install() D-Bus methods (#40628)
These mirror the `sysupdate acquire` and `sysupdate install` verbs,
which are themselves a split of `sysupdate update` into downloading and
installing stages.
I have dropped the existing `Update()` method in the final commit, as
per the suggestion on
https://gitlab.gnome.org/GNOME/gnome-software/-/merge_requests/2004#note_2145880.
If the D-Bus API for `sysupdated` is considered stable now, though, I
can drop that commit.
Philip Withnall [Mon, 19 Jan 2026 18:33:27 +0000 (18:33 +0000)]
sysupdated: Drop the Update() D-Bus method
Now that it’s been replaced by `Acquire()` and `Install()`, there’s no
need to expose it as a separate method. Wrappers around `sysupdated` can
still expose an ‘update’ convenience verb by calling those two methods.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814
Philip Withnall [Mon, 19 Jan 2026 18:12:39 +0000 (18:12 +0000)]
test: Expand sysupdate test to test updatectl update
This further expands the sysupdate test to run the suite a fourth time,
testing that `updatectl update` behaves the same as `sysupdate update`
and `sysupdate acquire; sysupdate update --offline`.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Philip Withnall [Mon, 19 Jan 2026 17:16:54 +0000 (17:16 +0000)]
sysupdated: Add Acquire() and Install() D-Bus methods
These mirror the `sysupdate acquire` and `sysupdate update --offline`
verbs, which are themselves a split of `sysupdate update` into
downloading and installing stages.
The existing `sysupdated` `Update()` method is kept for now, for
convenience. It might be dropped in future.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
Helps: https://github.com/systemd/systemd/issues/34814
DaanDeMeyer [Sat, 27 Dec 2025 20:07:13 +0000 (21:07 +0100)]
repart: Use new mkfs.xfs support for populating from directories
xfsprogs 6.17.0 added support for populating xfs filesystems from
directories. As this supports extended attributes unlike our current
hack with protofiles. Let's make use of the new feature in mkfs-util.c
As there's no clean way to do feature detection on the mkfs.xfs binary,
we drop support for the old hack with protofiles that we had before.
Luca Boccassi [Sat, 27 Dec 2025 11:02:30 +0000 (11:02 +0000)]
manager: add 'needs-stop/needs-start' markers
Useful for packaging scripts, when units are removed.
When multiple markers are assigned without +/-, the last one wins.
When using +/-, the job merging logic is followed to the extent possible.
Daan De Meyer [Sat, 21 Feb 2026 21:10:56 +0000 (22:10 +0100)]
mountfsd: Try to polkit auth when the verity key is not available
If we include a verity signature but the corresponding key is not in
the kernel keyring or userspace, try to get polkit auth similar to how
we do the same if the image doesn't pass the policy.
Luca Boccassi [Mon, 23 Feb 2026 10:54:21 +0000 (10:54 +0000)]
Translations update from Fedora Weblate (#40789)
Translations update from [Fedora
Weblate](https://translate.fedoraproject.org) for
[systemd/main](https://translate.fedoraproject.org/projects/systemd/main/).
Mike Yuan [Mon, 23 Feb 2026 07:54:12 +0000 (08:54 +0100)]
journalctl-vl-server: return proper error if unit pattern has no match
Note that SD_VARLINK_ERROR_INVALID_PARAMETERS requires
the invalid param name to be specified, hence we would
otherwise have reported an invalid INVALID_PARAMETERS
error ;)
Mike Yuan [Mon, 23 Feb 2026 06:48:43 +0000 (07:48 +0100)]
logs-show: clean up journal_entry_to_json() a bit
* Make sure ret is initialized on success return
* Drop unneeded 'object' variable
* No need to ref/unref json objects when constructing
intermediary array
Mike Yuan [Mon, 23 Feb 2026 08:30:17 +0000 (09:30 +0100)]
units/user/systemd-journalctl.socket: drop MaxConnectionsPerSource=
For AF_UNIX sockets connection sources are accounted for
based on UID, hence in user scope this effectively
limits total number of connections, which is not really
desirable.
This follows the existing practice for
systemd-journal-{upload,gatewayd}.service,
as I think allocating a full-blown user
specifically for this purpose is an overkill.
And with DynamicUser=yes we can also take
advantage of implied sandboxing.
man/systemd.mstack: use <varname> instead of <variable>
Otherwise, `<variable>location</variable>` is rendered:
```
[2365/2925] Generating man/systemd.mstack.7 with a custom command
Element variable in namespace '' encountered in para, but no template matches.
```
resolved: Add ifindex=0 support for BrowseServices to browse all mDNS interfaces
Avahi provides AVAHI_IF_UNSPEC (-1) to browse mDNS services on all
interfaces simultaneously. Currently, systemd-resolved's BrowseServices
varlink API requires a specific interface index and lacks the ability to browse on
all available interfaces.
This change adds support for ifindex = 0 to mean \"browse on all mDNS-enabled
interfaces\" to match the Avahi API.
When ifindex = 0 is specified the browser will now iterate all mDNS scopes
instead of a single interface.
This enables applications to discover services on any network interface
without needing to know the specific interface index in advance.
Assisted-by: Claude Opus 4.6 (Eclipse Theia IDE AI)
resolved: Track per-service item ifindex in DnssdDiscoveredService
The interface where each service was discovered needs to be remembered
so it can be correctly reported when the service is later removed.
Previously, service removal would use sb->ifindex, losing the actual
interface information from the original discovery.
This change:
- Adds an ifindex field to DnssdDiscoveredService struct
- Stores the discovered interface index when adding new services,
preferring the per-item ifindex from DnsAnswerItem over the service
browser's ifindex
- Uses the stored ifindex when reporting service removal events
This ensures that service removal notifications include the correct
interface index where the service was originally discovered, matching
the behavior of the corresponding service addition notifications.
Assisted-by: Claude Opus 4.6 (Eclipse Theia IDE AI)
Yu Watanabe [Sun, 22 Feb 2026 20:38:03 +0000 (05:38 +0900)]
sd-device: do not try to remove previous tag indexes
The removed code in device_tag_index() in fact does nothing,
as sd_device.all_tags is never cleared. Moreover, not only the code
is meaningless, but it is theoretically/logically wrong, as the symlinks
in /run/udev/tags/ should be 'sticky', hence we should even not try to
remove them.
However, when TAG= (rather than TAG+=) is specified, then the tags
assigned in the previous events were also cleared.
This fixes the issue and now symlinks in /run/udev/tags/ are really
'sticky'.
Fortunately, TAG= is mostly unused. So, the issue should not affect
and the fix should not change anything on almost all systems.
journalctl: add new varlink GetEntries endpoint (#40650)
journalctl: add new varlink read service to get entries
We already have some varlink support for the journal to perform
some actions like `Rotate`. It would be nice to be able to query
the journal via varlink too so this commit adds a new varlinkctl
based journal service that exposes a single GetEntries() call
to retrieve journal entries. Basic filtering is supported and
we can expand the API as needed.
This is a separate `io.systemd.JournalControl` [1] service from the
existing `io.systemd.Journald` to decouple read and write (thanks
to Lennart for suggesting this).
This also extracts some shared helper so that we do not duplicate
code when generating the json or when adding the filters.
[1] The name mirrors the bootctl->io.systemd.BootControl naming.
Luca Boccassi [Sat, 21 Feb 2026 11:27:37 +0000 (11:27 +0000)]
core: validate ref_uid before checking in AttachProcesses method
ref_uid is initialized to invalid, and is only set in some
circumstances. The AttachProcesses will attempt to check it,
and assert that it is valid. Check beforehand.
Michael Vogt [Tue, 10 Feb 2026 15:27:58 +0000 (16:27 +0100)]
journalctl: add new varlink read service to get entries
We already have some varlink support for the journal to perform
some actions like `Rotate`. It would be nice to be able to query
the journal via varlink too so this commit adds a new varlinkctl
based journal service that exposes a single GetEntries() call
to retrieve journal entries. Basic filtering is supported and
we can expand the API as needed.
This is a separate `io.systemd.JournalControl` [1] service from the
existing `io.systemd.Journald` to decouple read and write (thanks
to Lennart for suggesting this).
This also extracts some shared helper so that we do not duplicate
code when generating the json or when adding the filters.
[1] The name mirrors the bootctl->io.systemd.BootControl naming.
Mike Yuan [Thu, 12 Feb 2026 01:58:35 +0000 (02:58 +0100)]
vmspawn: clean up OVMF secure boot support check a bit
find_ovmf_config() would do filtering based on arg_secure_boot
already, hence the mismatch can only occur if we're using
user-specified firmware. So be explicit about this in log.
Mike Yuan [Wed, 11 Feb 2026 22:15:24 +0000 (23:15 +0100)]
parse-argument: make parse_tristate_argument() do something useful
I expressed the issue I have with parse_tristate_argument()
in #37751: it doesn't add any value to direct use of parse_tristate();
on the contrary, it doesn't support means to reset the arg to "auto"/-1 state.
The mere reason it existed is that we need a int type ret param.
Since the previous attempt to address this mess failed, let's
try to make the function more useful by making it accept "auto".
I figure this is useful on its own.
As requested in
https://github.com/systemd/systemd/pull/40652#discussion_r2831833996,
the function name is suffixed with _with_auto() to establish
that "auto" is handled internally.
Michael Vogt [Fri, 20 Feb 2026 10:20:02 +0000 (11:20 +0100)]
machine: switch CleanPool to SD_VARLINK_REQUIRES_MORE
The CleanPool requires --more to be set and checks that in
`vl_method_clean_pool`. By switching to SD_VARLINK_REQUIRES_MORE
this will automatically be handled and is more clear to
the varlink users.
Based on the comment from Lennart in
https://github.com/systemd/systemd/pull/40650#discussion_r2832378002
and the work done by Mike in 09388a6b9e4 (thanks!).
Julian Sparber [Thu, 12 Feb 2026 16:32:32 +0000 (17:32 +0100)]
repart-varlink: Consider only managed parititions for size errors
Report DiskTooSmall only if partitions managed by repart don't fit the
disk. Because if the disk is already full with forigin partitions we
would always report DiskTooSmall instead of InsufficentFreeSpace.
Julian Sparber [Thu, 12 Feb 2026 16:28:43 +0000 (17:28 +0100)]
repart-varlink: Calculate the size of foreign partitions
To decide whether the disk is to small or has insufficient free space we
need to know how much of the disk is filled with foreign partitions.
The calculated size is used in a future commit.
Julian Sparber [Wed, 19 Nov 2025 17:30:04 +0000 (18:30 +0100)]
repart: Sum partitions size to get current disk size instead of using total size
When working on disks the disk may have a total size bigger then the
actual allocated size, therefore sum up the current partitions to
calculate the current disk size instead of asuming that the entire disk
is currently allocated.
Let's also rename the "metric_prefix" to "name", because it's actually
the servce name, and by giving it this generic name we can use it
reasonably in log messages.
Let's stay close to Varlink's naming rules and insist that metrics
prefixes must be valid varlink interface names, and suffixes are valid
varlink field names.
The former rule is clear: because a metric <x>.<y> can only be provided
by a varlink service <x>, it is obvious we should validate them the
same way. Validating the suffix via varlink field rules is not that
obvious, but I think it makes sense to stay close to Varlink naming
rules if we already started out at one place.
projects / thirdparty / systemd.git / log
