diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-16 18:08:41 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-09-16 18:08:41 +0000 |
commit | e31cc1efd724903b9cfeca5c070978113586ed28 (patch) | |
tree | 59e1fe0085540c2dd20a2ffa171f0bb8c732f7d4 | |
parent | Adding upstream version 256. (diff) | |
download | systemd-upstream/256.1.tar.xz systemd-upstream/256.1.zip |
Adding upstream version 256.1.upstream/256.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
47 files changed, 298 insertions, 187 deletions
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml index 425d737..3a8dabd 100644 --- a/.github/workflows/mkosi.yml +++ b/.github/workflows/mkosi.yml @@ -92,7 +92,7 @@ jobs: steps: - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 - - uses: systemd/mkosi@0081ea66faf56a35353d6aeadfe42f9679c7d1cf + - uses: systemd/mkosi@6972f9efba5c8472d990be3783b7e7dbf76e109e # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space # immediately, we remove the files in the background. However, we first move them to a different location @@ -117,6 +117,8 @@ jobs: - name: Configure run: | + # XXX: drop after the HyperV bug that breaks secure boot KVM guests is solved + sed -i "s/'firmware'\s*:\s*'auto'/'firmware' : 'uefi'/g" test/*/meson.build tee mkosi.local.conf <<EOF [Distribution] Distribution=${{ matrix.distro }} @@ -81,6 +81,11 @@ CHANGES WITH 256: * systemd.crash_reboot and related settings are deprecated in favor of systemd.crash_action=. + * Stable releases for version v256 and newer will now be pushed in the + main repository. The systemd-stable repository will be used for existing + stable branches (v255-stable and lower), and when they reach EOL it will + be archived. + General Changes and New Features: * Various programs will now attempt to load the main configuration file @@ -190,7 +195,7 @@ CHANGES WITH 256: additional per-user service managers, whose users are transient and are only defined as long as the service manager is running. (This is implemented via DynamicUser=1), allowing a user manager to be used to - manager a group of processes without needing to create an actual user + manage a group of processes without needing to create an actual user account. These service managers run with home directories of /var/lib/capsules/<capsule-name> and can contain regular services and other units. A capsule is started via a simple "systemctl start diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 3c9a686..2831152 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -780,3 +780,16 @@ Documentation: https://systemd.io/PORTABLE_SERVICES/ A Portable Service @PORTABLE_ROOT@ (with extensions: @PORTABLE_EXTENSION@) has been detached from the system and is no longer available for use. The list of attached Portable Services can be queried with 'portablectl list'. + +-- ad7089f928ac4f7ea00c07457d47ba8a +Subject: Authorization failure while attempting to enroll SRK into TPM +Defined-By: systemd +Support: %SUPPORT_URL% +Documentation: man:systemd-tpm2-setup.service(8) + +An authorization failure occured while attempting to enroll a Storage Root Key (SRK) on the Trusted Platform +Module (TPM). Most likely this means that a PIN/Password (authValue) has been set on the Owner hierarchy of +the TPM. + +Automatic SRK enrollment on TPMs in such scenarios is not supported. In order to unset the PIN/password +protection on the owner hierarchy issue a command like the following: 'tpm2_changeauth -c o -p <OLDPW> ""'. diff --git a/docs/CNAME b/docs/CNAME new file mode 100644 index 0000000..cdcf4d9 --- /dev/null +++ b/docs/CNAME @@ -0,0 +1 @@ +systemd.io
\ No newline at end of file diff --git a/docs/CODING_STYLE.md b/docs/CODING_STYLE.md index 8f687e6..309436a 100644 --- a/docs/CODING_STYLE.md +++ b/docs/CODING_STYLE.md @@ -164,30 +164,64 @@ SPDX-License-Identifier: LGPL-2.1-or-later thread. Use `is_main_thread()` to detect whether the calling thread is the main thread. -- Do not write functions that clobber call-by-reference variables on - failure. Use temporary variables for these cases and change the passed in - variables only on success. The rule is: never clobber return parameters on - failure, always initialize return parameters on success. - -- Typically, function parameters fit into three categories: input parameters, - mutable objects, and call-by-reference return parameters. Input parameters - should always carry suitable "const" declarators if they are pointers, to - indicate they are input-only and not changed by the function. Return - parameters are best prefixed with "ret_", to clarify they are return - parameters. (Conversely, please do not prefix parameters that aren't - output-only with "ret_", in particular not mutable parameters that are both - input as well as output). Example: +- Typically, function parameters fit into four categories: input parameters, + mutable objects, call-by-reference return parameters that are initialized on + success, and call-by-reference return parameters that are initialized on + failure. Input parameters should always carry suitable `const` declarators if + they are pointers, to indicate they are input-only and not changed by the + function. The name of return parameters that are initialized on success + should be prefixed with `ret_`, to clarify they are return parameters. The + name of return parameters that are initialized on failure should be prefixed + with `reterr_`. (Examples of such parameters: those which carry additional + error information, such as the row/column of parse errors or so). – + Conversely, please do not prefix parameters that aren't output-only with + `ret_` or `reterr_`, in particular not mutable parameters that are both input + as well as output. + + Example: ```c static int foobar_frobnicate( Foobar* object, /* the associated mutable object */ const char *input, /* immutable input parameter */ - char **ret_frobnicated) { /* return parameter */ + char **ret_frobnicated, /* return parameter on success */ + unsigned *reterr_line, /* return parameter on failure */ + unsigned *reterr_column) { /* ditto */ … return 0; } ``` +- Do not write functions that clobber call-by-reference success return + parameters on failure (i.e. `ret_xyz`, see above), or that clobber + call-by-reference failure return parameters on success + (i.e. `reterr_xyz`). Use temporary variables for these cases and change the + passed in variables only in the right condition. The rule is: never clobber + success return parameters on failure, always initialize success return + parameters on success (and the reverse for failure return parameters, of + course). + +- Please put `reterr_` return parameters in the function parameter list last, + and `ret_` return parameters immediately before that. + + Good: + + ```c + static int do_something( + const char *input, + const char *ret_on_success, + const char *reterr_on_failure); + ``` + + Not good: + + ```c + static int do_something( + const char *reterr_on_failure, + const char *ret_on_success, + const char *input); + ``` + - The order in which header files are included doesn't matter too much. systemd-internal headers must not rely on an include order, so it is safe to include them in any order possible. However, to not clutter global diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml index 008bff6..2a494b9 100644 --- a/man/systemd-tmpfiles.xml +++ b/man/systemd-tmpfiles.xml @@ -55,9 +55,11 @@ <refsect1> <title>Description</title> - <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up volatile and temporary files - and directories, using the configuration file format and location specified in - <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. It must + <para><command>systemd-tmpfiles</command> creates, deletes, and cleans up files and directories, using + the configuration file format and location specified in + <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + Historically, it was designed to manage volatile and temporary files, as the name suggests, but it provides + generic file management functionality and can be used to manage any kind of files. It must be invoked with one or more commands <option>--create</option>, <option>--remove</option>, and <option>--clean</option>, to select the respective subset of operations.</para> @@ -149,8 +151,26 @@ <varlistentry> <term><option>--purge</option></term> - <listitem><para>If this option is passed, all files and directories created by a - <filename>tmpfiles.d/</filename> entry will be deleted.</para> + + <listitem><para>If this option is passed, all files and directories marked for + <emphasis>creation</emphasis> by the <filename>tmpfiles.d/</filename> files specified on the command + line will be <emphasis>deleted</emphasis>. Specifically, this acts on all files and directories + marked with <varname>f</varname>, <varname>F</varname>, <varname>d</varname>, <varname>D</varname>, + <varname>v</varname>, <varname>q</varname>, <varname>Q</varname>, <varname>p</varname>, + <varname>L</varname>, <varname>c</varname>, <varname>b</varname>, <varname>C</varname>, + <varname>w</varname>, <varname>e</varname>. If this switch is used at least one + <filename>tmpfiles.d/</filename> file (or <filename>-</filename> for standard input) must be + specified on the command line or the invocation will be refused, for safety reasons (as otherwise + much of the installed system files might be removed).</para> + + <para>The primary usecase for this option is to automatically remove files and directories that + originally have been created on behalf of an installed packaged at package removal time.</para> + + <para>It is recommended to first run this command in combination with <option>--dry-run</option> + (see below) to verify which files and directories will be deleted.</para> + + <para><emphasis>Warning!</emphasis> This is is usually not the command you want! In most cases + <option>--remove</option> is what you are looking for.</para> <xi:include href="version-info.xml" xpointer="v256"/></listitem> </varlistentry> diff --git a/man/systemd.xml b/man/systemd.xml index 66db5bb..f4aa7e0 100644 --- a/man/systemd.xml +++ b/man/systemd.xml @@ -62,10 +62,29 @@ <filename>user.conf.d</filename> directories. See <citerefentry><refentrytitle>systemd-system.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</para> + + <para><command>systemd</command> contains native implementations of various tasks that need to be + executed as part of the boot process. For example, it sets the hostname or configures the loopback + network device. It also sets up and mounts various API file systems, such as <filename>/sys/</filename>, + <filename>/proc/</filename>, and <filename>/dev/</filename>.</para> + + <para>Note that some but not all interfaces provided by systemd are covered by the + <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para> + + <para>The D-Bus API of <command>systemd</command> is described in + <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry> + and + <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>. + </para> + + <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink + url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or + <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink> + specifications, respectively.</para> </refsect1> <refsect1> - <title>Concepts</title> + <title>Units</title> <para>systemd provides a dependency system between various entities called "units" of 11 different types. Units encapsulate @@ -261,34 +280,10 @@ example, start jobs for any of those inactive units getting queued as well.</para> - <para>systemd contains native implementations of various tasks - that need to be executed as part of the boot process. For example, - it sets the hostname or configures the loopback network device. It - also sets up and mounts various API file systems, such as - <filename>/sys/</filename> or <filename>/proc/</filename>.</para> - - <para>For more information about the concepts and - ideas behind systemd, please refer to the - <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para> - - <para>Note that some but not all interfaces provided by systemd are covered by the - <ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para> - <para>Units may be generated dynamically at boot and system manager reload time, for example based on other configuration files or parameters passed on the kernel command line. For details, see <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> - - <para>The D-Bus API of <command>systemd</command> is described in - <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry> - and - <citerefentry><refentrytitle>org.freedesktop.LogControl1</refentrytitle><manvolnum>5</manvolnum></citerefentry>. - </para> - - <para>Systems which invoke systemd in a container or initrd environment should implement the <ulink - url="https://systemd.io/CONTAINER_INTERFACE">Container Interface</ulink> or - <ulink url="https://systemd.io/INITRD_INTERFACE/">initrd Interface</ulink> - specifications, respectively.</para> </refsect1> <refsect1> @@ -1558,6 +1553,10 @@ <member><citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> </simplelist></para> + + <para>For more information about the concepts and + ideas behind systemd, please refer to the + <ulink url="https://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para> </refsect1> </refentry> diff --git a/meson.build b/meson.build index ea4e12a..e421519 100644 --- a/meson.build +++ b/meson.build @@ -1262,6 +1262,7 @@ foreach ident : ['crypt_set_metadata_size', 'crypt_token_max', 'crypt_reencrypt_init_by_passphrase', 'crypt_reencrypt', + 'crypt_reencrypt_run', 'crypt_set_data_offset', 'crypt_set_keyring_to_link', 'crypt_resume_by_volume_key'] diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf index ae014fa..ecac780 100644 --- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf @@ -20,8 +20,6 @@ VolatilePackages= libsystemd-dev libudev-dev systemd - systemd-boot - systemd-boot-efi systemd-container systemd-coredump systemd-dev @@ -74,7 +72,6 @@ Packages= python3-pexpect python3-psutil quota - sbsigntool softhsm2 squashfs-tools stress diff --git a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf new file mode 100644 index 0000000..781670a --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.conf.d/efi.conf @@ -0,0 +1,16 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# sbsigntool exists only on UEFI architectures + +[Match] +Architecture=|x86 +Architecture=|x86-64 +Architecture=|arm +Architecture=|arm64 +Architecture=|riscv32 +Architecture=|riscv64 + +[Content] +Packages= + sbsigntool + systemd-boot + systemd-boot-efi diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf index 25957b1..86f9736 100644 --- a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf @@ -3,9 +3,6 @@ [Match] Distribution=ubuntu -[Distribution] -PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources - [Content] Packages= linux-image-generic diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf new file mode 100644 index 0000000..582f038 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/non-x86.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# The ports Ubuntu archive is for non i386/amd64 repositories + +[Match] +Architecture=!x86-64 +Architecture=!x86 +Release=noble + +[Distribution] +PackageManagerTrees=noble-backports-ports.sources:/etc/apt/sources.list.d/noble-backports-ports.sources diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf new file mode 100644 index 0000000..7347be9 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/mkosi.conf.d/x86.conf @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# The main Ubuntu archive is only for i386/amd64 repositories + +[Match] +Architecture=|x86-64 +Architecture=|x86 +Release=noble + +[Distribution] +PackageManagerTrees=noble-backports.sources:/etc/apt/sources.list.d/noble-backports.sources diff --git a/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources new file mode 100644 index 0000000..5b96dc5 --- /dev/null +++ b/mkosi.images/system/mkosi.conf.d/10-ubuntu/noble-backports-ports.sources @@ -0,0 +1,6 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +Types: deb +URIs: http://ports.ubuntu.com +Suites: noble-backports +Components: main universe +Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg diff --git a/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf new file mode 100644 index 0000000..657ac72 --- /dev/null +++ b/mkosi.images/system/mkosi.extra/usr/lib/sysctl.d/99-apparmor-unpriv-userns.conf @@ -0,0 +1,4 @@ +# Ubuntu since Noble disables unprivileged user namespaces by default, re-enable them as they are needed +# for integration tests +kernel.apparmor_restrict_unprivileged_unconfined = 0 +kernel.apparmor_restrict_unprivileged_userns = 0 diff --git a/rules.d/99-systemd.rules.in b/rules.d/99-systemd.rules.in index ad0c7e2..8ba6f17 100644 --- a/rules.d/99-systemd.rules.in +++ b/rules.d/99-systemd.rules.in @@ -10,6 +10,8 @@ ACTION=="remove", GOTO="systemd_end" SUBSYSTEM=="tty", KERNEL=="tty[a-zA-Z]*|hvc*|xvc*|hvsi*|ttysclp*|sclp_line*|3270/tty[0-9]*", TAG+="systemd" +# Exclude 8250 serial ports with a zero IO port, as they are not usable until "setserial /dev/ttySxxx port …" is invoked. +SUBSYSTEM=="tty", KERNEL=="ttyS*", DRIVERS=="serial8250", ATTR{port}=="0x0", ENV{SYSTEMD_READY}="0" KERNEL=="vport*", TAG+="systemd" SUBSYSTEM=="ptp", TAG+="systemd" diff --git a/shell-completion/bash/udevadm b/shell-completion/bash/udevadm index 05f921c..3842d72 100644 --- a/shell-completion/bash/udevadm +++ b/shell-completion/bash/udevadm @@ -32,10 +32,7 @@ __get_all_sysdevs() { } __get_all_device_nodes() { - local i - for i in /dev/* /dev/*/* /dev/*/*/*; do - echo $i - done + find /dev -xtype b -o -xtype c } __get_all_device_units() { diff --git a/src/analyze/analyze-pcrs.c b/src/analyze/analyze-pcrs.c index 43e415f..1c3da3f 100644 --- a/src/analyze/analyze-pcrs.c +++ b/src/analyze/analyze-pcrs.c @@ -11,7 +11,7 @@ static int get_pcr_alg(const char **ret) { assert(ret); - FOREACH_STRING(alg, "sha256", "sha1") { + FOREACH_STRING(alg, "sha256", "sha384", "sha1") { _cleanup_free_ char *p = NULL; if (asprintf(&p, "/sys/class/tpm/tpm0/pcr-%s/0", alg) < 0) diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c index 0617acc..6d43955 100644 --- a/src/basic/strbuf.c +++ b/src/basic/strbuf.c @@ -107,7 +107,6 @@ static void bubbleinsert(struct strbuf_node *node, /* add string, return the index/offset into the buffer */ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { uint8_t c; - char *buf_new; struct strbuf_child_entry *child; struct strbuf_node *node; ssize_t off; @@ -147,10 +146,8 @@ ssize_t strbuf_add_string(struct strbuf *str, const char *s, size_t len) { } /* add new string */ - buf_new = realloc(str->buf, str->len + len+1); - if (!buf_new) + if (!GREEDY_REALLOC(str->buf, str->len + len + 1)) return -ENOMEM; - str->buf = buf_new; off = str->len; memcpy(str->buf + off, s, len); str->len += len; diff --git a/src/core/service.c b/src/core/service.c index 8ec27c4..6e81460 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1351,7 +1351,7 @@ static int service_coldplug(Unit *u) { service_start_watchdog(s); if (UNIT_ISSET(s->accept_socket)) { - Socket* socket = SOCKET(UNIT_DEREF(s->accept_socket)); + Socket *socket = SOCKET(UNIT_DEREF(s->accept_socket)); if (socket->max_connections_per_source > 0) { SocketPeer *peer; @@ -3220,8 +3220,8 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, } else if (streq(key, "accept-socket")) { Unit *socket; - if (u->type != UNIT_SOCKET) { - log_unit_debug(u, "Failed to deserialize accept-socket: unit is not a socket"); + if (unit_name_to_type(value) != UNIT_SOCKET) { + log_unit_debug(u, "Deserialized accept-socket is not a socket unit, ignoring: %s", value); return 0; } @@ -3230,7 +3230,7 @@ static int service_deserialize_item(Unit *u, const char *key, const char *value, log_unit_debug_errno(u, r, "Failed to load accept-socket unit '%s': %m", value); else { unit_ref_set(&s->accept_socket, u, socket); - SOCKET(socket)->n_connections++; + ASSERT_PTR(SOCKET(socket))->n_connections++; } } else if (streq(key, "socket-fd")) { diff --git a/src/fundamental/macro-fundamental.h b/src/fundamental/macro-fundamental.h index 5ccbda5..8aca5f7 100644 --- a/src/fundamental/macro-fundamental.h +++ b/src/fundamental/macro-fundamental.h @@ -517,6 +517,10 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { } \ } +/* Restriction/bug (see above) was fixed in GCC 15 and clang 19.*/ +#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19) +#define DECLARE_FLEX_ARRAY(type, name) type name[]; +#else /* Declare a flexible array usable in a union. * This is essentially a work-around for a pointless constraint in C99 * and might go away in some future version of the standard. @@ -528,6 +532,7 @@ static inline uint64_t ALIGN_OFFSET_U64(uint64_t l, uint64_t ali) { dummy_t __empty__ ## name; \ type name[]; \ } +#endif /* Declares an ELF read-only string section that does not occupy memory at runtime. */ #define DECLARE_NOALLOC_SECTION(name, text) \ diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c index 82d0880..fe1216f 100644 --- a/src/hostname/hostnamed.c +++ b/src/hostname/hostnamed.c @@ -1682,6 +1682,13 @@ static int connect_varlink(Context *c) { return 0; } +static bool context_check_idle(void *userdata) { + Context *c = ASSERT_PTR(userdata); + + return varlink_server_current_connections(c->varlink_server) == 0 && + hashmap_isempty(c->polkit_registry); +} + static int run(int argc, char *argv[]) { _cleanup_(context_destroy) Context context = { .hostname_source = _HOSTNAME_INVALID, /* appropriate value will be set later */ @@ -1731,8 +1738,8 @@ static int run(int argc, char *argv[]) { context.bus, "org.freedesktop.hostname1", DEFAULT_EXIT_USEC, - /* check_idle= */ NULL, - /* userdata= */ NULL); + context_check_idle, + &context); if (r < 0) return log_error_errno(r, "Failed to run event loop: %m"); diff --git a/src/libsystemd-network/sd-dhcp-server.c b/src/libsystemd-network/sd-dhcp-server.c index c3b0f82..4967f06 100644 --- a/src/libsystemd-network/sd-dhcp-server.c +++ b/src/libsystemd-network/sd-dhcp-server.c @@ -1252,7 +1252,7 @@ static int server_receive_message(sd_event_source *s, int fd, /* Preallocate the additional size for DHCP Relay Agent Information Option if needed */ buflen += relay_agent_information_length(server->agent_circuit_id, server->agent_remote_id) + 2; - message = malloc(buflen); + message = malloc0(buflen); if (!message) return -ENOMEM; diff --git a/src/partition/repart.c b/src/partition/repart.c index 6f67d46..8f64520 100644 --- a/src/partition/repart.c +++ b/src/partition/repart.c @@ -187,6 +187,7 @@ STATIC_DESTRUCTOR_REGISTER(arg_tpm2_hash_pcr_values, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_public_key, freep); STATIC_DESTRUCTOR_REGISTER(arg_tpm2_pcrlock, freep); STATIC_DESTRUCTOR_REGISTER(arg_filter_partitions, freep); +STATIC_DESTRUCTOR_REGISTER(arg_defer_partitions, freep); STATIC_DESTRUCTOR_REGISTER(arg_image_policy, image_policy_freep); STATIC_DESTRUCTOR_REGISTER(arg_copy_from, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_copy_source, freep); @@ -3913,7 +3914,7 @@ static int partition_target_sync(Context *context, Partition *p, PartitionTarget } static int partition_encrypt(Context *context, Partition *p, PartitionTarget *target, bool offline) { -#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && HAVE_CRYPT_REENCRYPT +#if HAVE_LIBCRYPTSETUP && HAVE_CRYPT_SET_DATA_OFFSET && HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE && (HAVE_CRYPT_REENCRYPT_RUN || HAVE_CRYPT_REENCRYPT) const char *node = partition_target_path(target); struct crypt_params_luks2 luks_params = { .label = strempty(ASSERT_PTR(p)->new_label), @@ -4220,7 +4221,11 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta if (r < 0) return log_error_errno(r, "Failed to load reencryption context: %m"); +#if HAVE_CRYPT_REENCRYPT_RUN + r = sym_crypt_reencrypt_run(cd, NULL, NULL); +#else r = sym_crypt_reencrypt(cd, NULL); +#endif if (r < 0) return log_error_errno(r, "Failed to encrypt %s: %m", node); } else { @@ -4232,7 +4237,7 @@ static int partition_encrypt(Context *context, Partition *p, PartitionTarget *ta dm_name, NULL, VOLUME_KEY_SIZE, - arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0); + (arg_discard ? CRYPT_ACTIVATE_ALLOW_DISCARDS : 0) | CRYPT_ACTIVATE_PRIVATE); if (r < 0) return log_error_errno(r, "Failed to activate LUKS superblock: %m"); diff --git a/src/resolve/resolved-dns-server.c b/src/resolve/resolved-dns-server.c index 340f11f..b37f541 100644 --- a/src/resolve/resolved-dns-server.c +++ b/src/resolve/resolved-dns-server.c @@ -706,9 +706,6 @@ bool dns_server_dnssec_supported(DnsServer *server) { if (dns_server_get_dnssec_mode(server) == DNSSEC_YES) /* If strict DNSSEC mode is enabled, always assume DNSSEC mode is supported. */ return true; - if (!DNS_SERVER_FEATURE_LEVEL_IS_DNSSEC(server->possible_feature_level)) - return false; - if (server->packet_bad_opt) return false; diff --git a/src/shared/cryptsetup-util.c b/src/shared/cryptsetup-util.c index 288e6e8..d0dd434 100644 --- a/src/shared/cryptsetup-util.c +++ b/src/shared/cryptsetup-util.c @@ -54,10 +54,10 @@ DLSYM_FUNCTION(crypt_volume_key_get); #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE DLSYM_FUNCTION(crypt_reencrypt_init_by_passphrase); #endif -#if HAVE_CRYPT_REENCRYPT -DISABLE_WARNING_DEPRECATED_DECLARATIONS; +#if HAVE_CRYPT_REENCRYPT_RUN +DLSYM_FUNCTION(crypt_reencrypt_run); +#elif HAVE_CRYPT_REENCRYPT DLSYM_FUNCTION(crypt_reencrypt); -REENABLE_WARNING; #endif DLSYM_FUNCTION(crypt_metadata_locking); #if HAVE_CRYPT_SET_DATA_OFFSET @@ -246,11 +246,8 @@ int dlopen_cryptsetup(void) { /* libcryptsetup added crypt_reencrypt() in 2.2.0, and marked it obsolete in 2.4.0, replacing it with * crypt_reencrypt_run(), which takes one extra argument but is otherwise identical. The old call is - * still available though, and given we want to support 2.2.0 for a while longer, we'll stick to the - * old symbol. However, the old symbols now has a GCC deprecation decorator, hence let's turn off - * warnings about this for now. */ - - DISABLE_WARNING_DEPRECATED_DECLARATIONS; + * still available though, and given we want to support 2.2.0 for a while longer, we'll use the old + * symbol if the new one is not available. */ ELF_NOTE_DLOPEN("cryptsetup", "Support for disk encryption, integrity, and authentication", @@ -304,7 +301,9 @@ int dlopen_cryptsetup(void) { #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE DLSYM_ARG(crypt_reencrypt_init_by_passphrase), #endif -#if HAVE_CRYPT_REENCRYPT +#if HAVE_CRYPT_REENCRYPT_RUN + DLSYM_ARG(crypt_reencrypt_run), +#elif HAVE_CRYPT_REENCRYPT DLSYM_ARG(crypt_reencrypt), #endif DLSYM_ARG(crypt_metadata_locking), @@ -316,8 +315,6 @@ int dlopen_cryptsetup(void) { if (r <= 0) return r; - REENABLE_WARNING; - /* Redirect the default logging calls of libcryptsetup to our own logging infra. (Note that * libcryptsetup also maintains per-"struct crypt_device" log functions, which we'll also set * whenever allocating a "struct crypt_device" context. Why set both? To be defensive: maybe some diff --git a/src/shared/cryptsetup-util.h b/src/shared/cryptsetup-util.h index f00ac36..d255e59 100644 --- a/src/shared/cryptsetup-util.h +++ b/src/shared/cryptsetup-util.h @@ -70,10 +70,10 @@ DLSYM_PROTOTYPE(crypt_volume_key_get); #if HAVE_CRYPT_REENCRYPT_INIT_BY_PASSPHRASE DLSYM_PROTOTYPE(crypt_reencrypt_init_by_passphrase); #endif -#if HAVE_CRYPT_REENCRYPT -DISABLE_WARNING_DEPRECATED_DECLARATIONS; +#if HAVE_CRYPT_REENCRYPT_RUN +DLSYM_PROTOTYPE(crypt_reencrypt_run); +#elif HAVE_CRYPT_REENCRYPT DLSYM_PROTOTYPE(crypt_reencrypt); -REENABLE_WARNING; #endif DLSYM_PROTOTYPE(crypt_metadata_locking); #if HAVE_CRYPT_SET_DATA_OFFSET diff --git a/src/shared/install.c b/src/shared/install.c index dd2bd5c..c94b456 100644 --- a/src/shared/install.c +++ b/src/shared/install.c @@ -2282,7 +2282,9 @@ static int install_context_mark_for_removal( else { log_debug_errno(r, "Unit %s not found, removing name.", i->name); r = install_changes_add(changes, n_changes, r, i->path ?: i->name, NULL); - if (r < 0) + /* In case there's no unit, we still want to remove any leftover symlink, even if + * the unit might have been removed already, hence treating ENOENT as non-fatal. */ + if (r != -ENOENT) return r; } } else if (r < 0) { @@ -2874,9 +2876,13 @@ static int do_unit_file_disable( r = install_info_add(&ctx, *name, NULL, lp->root_dir, /* auxiliary= */ false, &info); if (r >= 0) r = install_info_traverse(&ctx, lp, info, SEARCH_LOAD|SEARCH_FOLLOW_CONFIG_SYMLINKS, NULL); - - if (r < 0) - return install_changes_add(changes, n_changes, r, *name, NULL); + if (r < 0) { + r = install_changes_add(changes, n_changes, r, *name, NULL); + /* In case there's no unit, we still want to remove any leftover symlink, even if + * the unit might have been removed already, hence treating ENOENT as non-fatal. */ + if (r != -ENOENT) + return r; + } /* If we enable multiple units, some with install info and others without, * the "empty [Install] section" warning is not shown. Let's make the behavior diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index c71c868..153a411 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -450,6 +450,9 @@ static void parse_display_realtime( assert(j); assert(ret); + // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime. + source_monotonic = NULL; + /* First, try _SOURCE_REALTIME_TIMESTAMP. */ if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) { *ret = t; @@ -488,6 +491,9 @@ static void parse_display_timestamp( assert(ret_display_ts); assert(ret_boot_id); + // FIXME: _SOURCE_MONOTONIC_TIMESTAMP is in CLOCK_BOOTTIME, hence we cannot use it for adjusting realtime. + source_monotonic = NULL; + if (source_realtime && safe_atou64(source_realtime, &t) >= 0 && VALID_REALTIME(t)) source_ts.realtime = t; diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c index 87ce53c..9603f18 100644 --- a/src/shared/tpm2-util.c +++ b/src/shared/tpm2-util.c @@ -2119,6 +2119,8 @@ int tpm2_create_primary( /* creationData= */ NULL, /* creationHash= */ NULL, /* creationTicket= */ NULL); + if (rc == TPM2_RC_BAD_AUTH) + return log_debug_errno(SYNTHETIC_ERRNO(EDEADLK), "Authorization failure while attempting to enroll SRK into TPM."); if (rc != TSS2_RC_SUCCESS) return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Failed to generate primary key in TPM: %s", diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h index e3f6806..16e9986 100644 --- a/src/systemd/sd-messages.h +++ b/src/systemd/sd-messages.h @@ -272,6 +272,9 @@ _SD_BEGIN_DECLARATIONS; #define SD_MESSAGE_PORTABLE_DETACHED SD_ID128_MAKE(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) #define SD_MESSAGE_PORTABLE_DETACHED_STR SD_ID128_MAKE_STR(76,c5,c7,54,d6,28,49,0d,8e,cb,a4,c9,d0,42,11,2b) +#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION SD_ID128_MAKE(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) +#define SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR SD_ID128_MAKE_STR(ad,70,89,f9,28,ac,4f,7e,a0,0c,07,45,7d,47,ba,8a) + _SD_END_DECLARATIONS; #endif diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 807925f..8cc8c1c 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -3024,10 +3024,16 @@ static int remove_recursive( return r; if (remove_instance) { - log_debug("Removing directory \"%s\".", instance); - r = RET_NERRNO(rmdir(instance)); - if (r < 0 && !IN_SET(r, -ENOENT, -ENOTEMPTY)) - return log_error_errno(r, "Failed to remove %s: %m", instance); + log_action("Would remove", "Removing", "%s directory \"%s\".", instance); + if (!arg_dry_run) { + r = RET_NERRNO(rmdir(instance)); + if (r < 0) { + bool fatal = !IN_SET(r, -ENOENT, -ENOTEMPTY); + log_full_errno(fatal ? LOG_ERR : LOG_DEBUG, r, "Failed to remove %s: %m", instance); + if (fatal) + return r; + } + } } return 0; } @@ -4142,7 +4148,9 @@ static int help(void) { "\n%3$sCommands:%4$s\n" " --create Create files and directories\n" " --clean Clean up files and directories\n" - " --remove Remove files and directories\n" + " --remove Remove files and directories marked for removal\n" + " --purge Delete files and directories marked for creation in\n" + " specified configuration files (careful!)\n" " -h --help Show this help\n" " --version Show package version\n" "\n%3$sOptions:%4$s\n" @@ -4151,7 +4159,6 @@ static int help(void) { " --tldr Show non-comment parts of configuration\n" " --boot Execute actions only safe at boot\n" " --graceful Quietly ignore unknown users or groups\n" - " --purge Delete all files owned by the configuration files\n" " --prefix=PATH Only apply rules with the specified prefix\n" " --exclude-prefix=PATH Ignore rules with the specified prefix\n" " -E Ignore rules prefixed with /dev, /proc, /run, /sys\n" @@ -4338,6 +4345,10 @@ static int parse_argv(int argc, char *argv[]) { return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "You need to specify at least one of --clean, --create, --remove, or --purge."); + if (FLAGS_SET(arg_operation, OPERATION_PURGE) && optind >= argc) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Refusing --purge without specification of a configuration file."); + if (arg_replace && arg_cat_flags != CAT_CONFIG_OFF) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --replace= is not supported with --cat-config/--tldr."); diff --git a/src/tpm2-setup/tpm2-setup.c b/src/tpm2-setup/tpm2-setup.c index 35628fc..b95c5e7 100644 --- a/src/tpm2-setup/tpm2-setup.c +++ b/src/tpm2-setup/tpm2-setup.c @@ -3,6 +3,8 @@ #include <getopt.h> #include <unistd.h> +#include "sd-messages.h" + #include "build.h" #include "fd-util.h" #include "fileio.h" @@ -223,6 +225,8 @@ static int load_public_key_tpm2(struct public_key_data *ret) { /* ret_name= */ NULL, /* ret_qname= */ NULL, NULL); + if (r == -EDEADLK) + return r; if (r < 0) return log_error_errno(r, "Failed to get or create SRK: %m"); if (r > 0) @@ -289,6 +293,13 @@ static int run(int argc, char *argv[]) { } r = load_public_key_tpm2(&tpm2_key); + if (r == -EDEADLK) { + log_struct_errno(LOG_INFO, r, + LOG_MESSAGE("Insufficient permissions to access TPM, not generating SRK."), + "MESSAGE_ID=" SD_MESSAGE_SRK_ENROLLMENT_NEEDS_AUTHORIZATION_STR); + return 76; /* Special return value which means "Insufficient permissions to access TPM, + * cannot generate SRK". This isn't really an error when called at boot. */; + } if (r < 0) return r; @@ -383,4 +394,4 @@ static int run(int argc, char *argv[]) { return 0; } -DEFINE_MAIN_FUNCTION(run); +DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run); diff --git a/test/TEST-02-UNITTESTS/test.sh b/test/TEST-02-UNITTESTS/test.sh index f165c99..2cf9c31 100755 --- a/test/TEST-02-UNITTESTS/test.sh +++ b/test/TEST-02-UNITTESTS/test.sh @@ -37,12 +37,4 @@ test_append_files() { fi } -check_result_nspawn() { - check_result_nspawn_unittests "${1}" -} - -check_result_qemu() { - check_result_qemu_unittests -} - do_test "$@" diff --git a/test/TEST-06-SELINUX/meson.build b/test/TEST-06-SELINUX/meson.build index 7a850be..9261a49 100644 --- a/test/TEST-06-SELINUX/meson.build +++ b/test/TEST-06-SELINUX/meson.build @@ -5,7 +5,8 @@ integration_tests += [ 'name' : fs.name(meson.current_source_dir()), 'cmdline' : integration_test_template['cmdline'] + ['selinux=1', 'lsm=selinux'], # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. - 'firmware' : 'uefi', + # Use 'auto' to automatically fallback on non-uefi architectures. + 'firmware' : 'auto', 'vm' : true, }, ] diff --git a/test/TEST-09-REBOOT/meson.build b/test/TEST-09-REBOOT/meson.build index c4b41bc..b755618 100644 --- a/test/TEST-09-REBOOT/meson.build +++ b/test/TEST-09-REBOOT/meson.build @@ -4,7 +4,5 @@ integration_tests += [ integration_test_template + { 'name' : fs.name(meson.current_source_dir()), 'storage' : 'persistent', - # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. - 'firmware' : 'uefi', }, ] diff --git a/test/TEST-18-FAILUREACTION/meson.build b/test/TEST-18-FAILUREACTION/meson.build index 5edfbca..8dec5f3 100644 --- a/test/TEST-18-FAILUREACTION/meson.build +++ b/test/TEST-18-FAILUREACTION/meson.build @@ -3,7 +3,5 @@ integration_tests += [ integration_test_template + { 'name' : fs.name(meson.current_source_dir()), - # FIXME; Figure out why reboot sometimes hangs with 'linux' firmware. - 'firmware' : 'uefi', }, ] diff --git a/test/integration-test-wrapper.py b/test/integration-test-wrapper.py index 5b098a3..b6a16aa 100755 --- a/test/integration-test-wrapper.py +++ b/test/integration-test-wrapper.py @@ -2,10 +2,6 @@ # SPDX-License-Identifier: LGPL-2.1-or-later '''Test wrapper command for driving integration tests. - -Note: This is deliberately rough and only intended to drive existing tests -with the expectation that as part of formally defining the API it will be tidy. - ''' import argparse @@ -61,6 +57,10 @@ def main(): print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr) exit(77) + if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))): + print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr) + exit(77) + name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "") dropin = textwrap.dedent( @@ -128,6 +128,7 @@ def main(): *args.mkosi_args, '--append', '--qemu-firmware', args.firmware, + '--qemu-kvm', "auto" if not bool(int(os.getenv("TEST_NO_KVM", "0"))) else "no", '--kernel-command-line-extra', ' '.join([ 'systemd.hostname=H', diff --git a/test/test-functions b/test/test-functions index be6eb1d..8b497b2 100644 --- a/test/test-functions +++ b/test/test-functions @@ -1860,74 +1860,6 @@ check_result_qemu() { return $ret } -check_result_nspawn_unittests() { - local workspace="${1:?}" - local ret=1 - - [[ -e "$workspace/testok" ]] && ret=0 - - if [[ -s "$workspace/failed" ]]; then - ret=$((ret + 1)) - echo "=== Failed test log ===" - cat "$workspace/failed" - else - if [[ -s "$workspace/skipped" ]]; then - echo "=== Skipped test log ==" - cat "$workspace/skipped" - # We might have only skipped tests - that should not fail the job - ret=0 - fi - if [[ -s "$workspace/testok" ]]; then - echo "=== Passed tests ===" - cat "$workspace/testok" - fi - fi - - get_bool "${TIMED_OUT:=}" && ret=1 - check_coverage_reports "$workspace" || ret=5 - - save_journal "$workspace/var/log/journal" $ret - echo "${JOURNAL_LIST:-"No journals were saved"}" - - _umount_dir "${initdir:?}" - - return $ret -} - -check_result_qemu_unittests() { - local ret=1 - - mount_initdir - [[ -e "${initdir:?}/testok" ]] && ret=0 - - if [[ -s "$initdir/failed" ]]; then - ret=$((ret + 1)) - echo "=== Failed test log ===" - cat "$initdir/failed" - else - if [[ -s "$initdir/skipped" ]]; then - echo "=== Skipped test log ==" - cat "$initdir/skipped" - # We might have only skipped tests - that should not fail the job - ret=0 - fi - if [[ -s "$initdir/testok" ]]; then - echo "=== Passed tests ===" - cat "$initdir/testok" - fi - fi - - get_bool "${TIMED_OUT:=}" && ret=1 - check_coverage_reports "$initdir" || ret=5 - - save_journal "$initdir/var/log/journal" $ret - echo "${JOURNAL_LIST:-"No journals were saved"}" - - _umount_dir "$initdir" - - return $ret -} - create_rc_local() { dinfo "Create rc.local" mkdir -p "${initdir:?}/etc/rc.d" diff --git a/test/test-network/systemd-networkd-tests.py b/test/test-network/systemd-networkd-tests.py index 92cb07f..0355c7a 100755 --- a/test/test-network/systemd-networkd-tests.py +++ b/test/test-network/systemd-networkd-tests.py @@ -5824,6 +5824,8 @@ class NetworkdRATests(unittest.TestCase, Utilities): self.assertIn('pref high', output) self.assertNotIn('pref low', output) + # radvd supports captive portal since v2.20. + # https://github.com/radvd-project/radvd/commit/791179a7f730decbddb2290ef0e34aa85d71b1bc @unittest.skipUnless(radvd_check_config('captive-portal.conf'), "Installed radvd doesn't support captive portals") def test_captive_portal(self): copy_network_unit('25-veth-client.netdev', diff --git a/test/units/TEST-02-UNITTESTS.sh b/test/units/TEST-02-UNITTESTS.sh index 6392425..4448643 100755 --- a/test/units/TEST-02-UNITTESTS.sh +++ b/test/units/TEST-02-UNITTESTS.sh @@ -95,6 +95,20 @@ export -f run_test find /usr/lib/systemd/tests/unit-tests/ -maxdepth 1 -type f -name "${TESTS_GLOB}" -print0 | xargs -0 -I {} --max-procs="$MAX_QUEUE_SIZE" bash -ec "run_test {}" +# Write all pending messages, so they don't get mixed with the summaries below +journalctl --sync + +# No need for full test logs in this case +if [[ -s /skipped-tests ]]; then + : "=== SKIPPED TESTS ===" + cat /skipped-tests +fi + +if [[ -s /failed ]]; then + : "=== FAILED TESTS ===" + cat /failed +fi + # Test logs are sometimes lost, as the system shuts down immediately after journalctl --sync diff --git a/test/units/TEST-26-SYSTEMCTL.sh b/test/units/TEST-26-SYSTEMCTL.sh index ae7a5d6..1471f3f 100755 --- a/test/units/TEST-26-SYSTEMCTL.sh +++ b/test/units/TEST-26-SYSTEMCTL.sh @@ -343,6 +343,12 @@ systemctl cat "$UNIT_NAME" systemctl help "$UNIT_NAME" systemctl service-watchdogs systemctl service-watchdogs "$(systemctl service-watchdogs)" +# Ensure that the enablement symlinks can still be removed after the user is gone, to avoid having leftovers +systemctl enable "$UNIT_NAME" +systemctl stop "$UNIT_NAME" +rm -f "/usr/lib/systemd/system/$UNIT_NAME" +systemctl daemon-reload +systemctl disable "$UNIT_NAME" # show/set-environment # Make sure PATH is set diff --git a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh index 165af47..f8a2a62 100755 --- a/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh +++ b/test/units/TEST-43-PRIVATEUSER-UNPRIV.sh @@ -6,13 +6,13 @@ set -o pipefail # shellcheck source=test/units/util.sh . "$(dirname "$0")"/util.sh -install_extension_images - if [[ "$(sysctl -ne kernel.apparmor_restrict_unprivileged_userns)" -eq 1 ]]; then echo "Cannot create unprivileged user namespaces" >/skipped exit 77 fi +install_extension_images + systemd-analyze log-level debug runas testuser systemd-run --wait --user --unit=test-private-users \ diff --git a/units/systemd-tmpfiles-setup.service b/units/systemd-tmpfiles-setup.service index 6cae328..b92beb7 100644 --- a/units/systemd-tmpfiles-setup.service +++ b/units/systemd-tmpfiles-setup.service @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=Create Volatile Files and Directories +Description=Create System Files and Directories Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) DefaultDependencies=no diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in index 9982c84..7fdb99b 100644 --- a/units/systemd-tpm2-setup-early.service.in +++ b/units/systemd-tpm2-setup-early.service.in @@ -21,3 +21,6 @@ ConditionPathExists=!/run/systemd/tpm2-srk-public-key.pem Type=oneshot RemainAfterExit=yes ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --early=yes --graceful + +# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. +SuccessExitStatus=76 diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in index 0af7292..ac29a76 100644 --- a/units/systemd-tpm2-setup.service.in +++ b/units/systemd-tpm2-setup.service.in @@ -22,3 +22,6 @@ ConditionPathExists=!/etc/initrd-release Type=oneshot RemainAfterExit=yes ExecStart={{LIBEXECDIR}}/systemd-tpm2-setup --graceful + +# The tool returns 76 if the TPM cannot be accessed due to an authorization failure and we can't generate an SRK. +SuccessExitStatus=76 diff --git a/units/user/systemd-tmpfiles-setup.service b/units/user/systemd-tmpfiles-setup.service index 156689e..54e453c 100644 --- a/units/user/systemd-tmpfiles-setup.service +++ b/units/user/systemd-tmpfiles-setup.service @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=Create User's Volatile Files and Directories +Description=Create User Files and Directories Documentation=man:tmpfiles.d(5) man:systemd-tmpfiles(8) DefaultDependencies=no Conflicts=shutdown.target |