From fc53809803cd2bc2434e312b19a18fa36776da12 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 12 Jun 2024 05:50:40 +0200 Subject: Adding upstream version 256. 
Signed-off-by: Daniel Baumann --- units/capsule.slice | 13 ++++ units/capsule@.service.in | 33 +++++++++ units/dev-hugepages.mount | 2 +- units/dev-mqueue.mount | 2 +- units/emergency.service.in | 2 +- units/exit.target | 2 + units/halt.target | 2 + units/initrd-parse-etc.service.in | 4 +- units/kexec.target | 2 + units/meson.build | 81 +++++++++++++++++++++- units/proc-sys-fs-binfmt_misc.automount | 2 +- units/proc-sys-fs-binfmt_misc.mount | 2 +- units/quotaon-root.service.in | 24 +++++++ units/quotaon.service.in | 24 ------- units/quotaon@.service.in | 26 +++++++ units/rescue.service.in | 2 +- units/ssh-access.target | 12 ++++ units/sys-fs-fuse-connections.mount | 2 +- units/sys-kernel-config.mount | 2 +- units/sys-kernel-debug.mount | 2 +- units/sys-kernel-tracing.mount | 2 +- units/syslog.socket | 4 +- units/systemd-battery-check.service.in | 1 + units/systemd-binfmt.service.in | 2 +- units/systemd-boot-check-no-failures.service.in | 2 - units/systemd-bootctl.socket | 21 ++++++ units/systemd-bootctl@.service | 20 ++++++ units/systemd-coredump.socket | 1 + units/systemd-creds.socket | 21 ++++++ units/systemd-creds@.service | 19 +++++ units/systemd-hibernate-clear.service.in | 24 +++++++ units/systemd-homed-firstboot.service | 28 ++++++++ units/systemd-homed.service.in | 3 +- units/systemd-hostnamed.service.in | 3 +- units/systemd-hostnamed.socket | 19 +++++ units/systemd-importd.service.in | 1 + units/systemd-journal-flush.service | 5 +- units/systemd-journald-sync@.service | 24 +++++++ units/systemd-journald.service.in | 10 ++- units/systemd-journald.socket | 2 +- units/systemd-journald@.service.in | 5 -- units/systemd-journald@.socket | 5 +- units/systemd-localed.service.in | 1 + units/systemd-logind.service.in | 2 +- units/systemd-machine-id-commit.service | 4 +- units/systemd-mountfsd.service.in | 46 ++++++++++++ units/systemd-mountfsd.socket | 22 ++++++ units/systemd-network-generator.service.in | 3 + units/systemd-networkd-persistent-storage.service | 27 
++++++++ units/systemd-networkd.service.in | 3 +- units/systemd-nsresourced.service.in | 47 +++++++++++++ units/systemd-nsresourced.socket | 23 ++++++ units/systemd-pcrextend.socket | 4 +- units/systemd-pcrextend@.service.in | 3 +- units/systemd-pcrfs-root.service.in | 4 +- units/systemd-pcrfs@.service.in | 4 +- units/systemd-pcrlock-file-system.service.in | 3 +- units/systemd-pcrlock-firmware-code.service.in | 4 +- units/systemd-pcrlock-firmware-config.service.in | 4 +- units/systemd-pcrlock-machine-id.service.in | 3 +- units/systemd-pcrlock-make-policy.service.in | 3 +- ...systemd-pcrlock-secureboot-authority.service.in | 3 +- units/systemd-pcrlock-secureboot-policy.service.in | 3 +- units/systemd-pcrlock.socket | 25 +++++++ units/systemd-pcrlock@.service.in | 21 ++++++ units/systemd-pcrmachine.service.in | 3 +- units/systemd-pcrphase-initrd.service.in | 3 +- units/systemd-pcrphase-sysinit.service.in | 4 +- units/systemd-pcrphase.service.in | 4 +- units/systemd-quotacheck-root.service.in | 25 +++++++ units/systemd-quotacheck.service.in | 25 ------- units/systemd-quotacheck@.service.in | 27 ++++++++ units/systemd-remount-fs.service.in | 2 +- units/systemd-repart.service | 37 ++++++++++ units/systemd-repart.service.in | 37 ---------- units/systemd-resolved.service.in | 6 +- units/systemd-rfkill.service.in | 2 +- units/systemd-sysext.socket | 3 +- units/systemd-sysext@.service | 2 +- units/systemd-sysupdate.timer | 2 +- units/systemd-timedated.service.in | 1 + units/systemd-tpm2-setup-early.service.in | 2 +- units/systemd-tpm2-setup.service.in | 4 +- units/systemd-udev-load-credentials.service | 29 ++++++++ units/systemd-udevd.service.in | 1 + units/systemd-vmspawn@.service.in | 34 +++++++++ units/tmp.mount | 2 +- units/tpm2.target | 16 +++++ units/user-runtime-dir@.service.in | 1 - units/user/capsule@.target | 15 ++++ units/user/meson.build | 1 + units/user@.service.in | 2 +- 92 files changed, 857 insertions(+), 158 deletions(-) create mode 100644 
units/capsule.slice
create mode 100644 units/capsule@.service.in
create mode 100644 units/quotaon-root.service.in
delete mode 100644 units/quotaon.service.in
create mode 100644 units/quotaon@.service.in
create mode 100644 units/ssh-access.target
create mode 100644 units/systemd-bootctl.socket
create mode 100644 units/systemd-bootctl@.service
create mode 100644 units/systemd-creds.socket
create mode 100644 units/systemd-creds@.service
create mode 100644 units/systemd-hibernate-clear.service.in
create mode 100644 units/systemd-homed-firstboot.service
create mode 100644 units/systemd-hostnamed.socket
create mode 100644 units/systemd-journald-sync@.service
create mode 100644 units/systemd-mountfsd.service.in
create mode 100644 units/systemd-mountfsd.socket
create mode 100644 units/systemd-networkd-persistent-storage.service
create mode 100644 units/systemd-nsresourced.service.in
create mode 100644 units/systemd-nsresourced.socket
create mode 100644 units/systemd-pcrlock.socket
create mode 100644 units/systemd-pcrlock@.service.in
create mode 100644 units/systemd-quotacheck-root.service.in
delete mode 100644 units/systemd-quotacheck.service.in
create mode 100644 units/systemd-quotacheck@.service.in
create mode 100644 units/systemd-repart.service
delete mode 100644 units/systemd-repart.service.in
create mode 100644 units/systemd-udev-load-credentials.service
create mode 100644 units/systemd-vmspawn@.service.in
create mode 100644 units/tpm2.target
create mode 100644 units/user/capsule@.target (limited to 'units')
diff --git a/units/capsule.slice b/units/capsule.slice
new file mode 100644
index 0000000..cb8995a
--- /dev/null
+++ b/units/capsule.slice
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Capsule Slice
+Documentation=man:systemd.special(7)
+Before=slices.target
diff --git a/units/capsule@.service.in b/units/capsule@.service.in
new file mode 100644
index 0000000..f2bb9e3
--- /dev/null
+++ b/units/capsule@.service.in
@@ -0,0 +1,33 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Capsule Service Manager for %i
+Documentation=man:capsule@.service(5)
+After=dbus.service systemd-oomd.service
+
+[Service]
+User=c-%i
+DynamicUser=yes
+Type=notify-reload
+ExecStart={{LIBEXECDIR}}/systemd --user --unit=capsule@%i.target
+Environment=HOME=/var/lib/capsules/%i
+Environment=XDG_RUNTIME_DIR=/run/capsules/%i
+StateDirectory=capsules/%i
+RuntimeDirectory=capsules/%i
+LogExtraFields=CAPSULE=%i
+Slice=capsule.slice
+KillMode=mixed
+Delegate=pids memory cpu
+DelegateSubgroup=init.scope
+TasksMax=infinity
+TimeoutStopSec={{ DEFAULT_USER_TIMEOUT_SEC*4//3 }}s
+KeyringMode=inherit
+OOMScoreAdjust=100
+MemoryPressureWatch=skip
diff --git a/units/dev-hugepages.mount b/units/dev-hugepages.mount
index 88cd89d..f836282 100644
--- a/units/dev-hugepages.mount
+++ b/units/dev-hugepages.mount
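Review bot: `TasksMax=infinity` in the [Service] section of capsule@.service.in removes the default task cap for a manager that runs as an unprivileged dynamic user (`User=c-%i`, `DynamicUser=yes`), so one runaway capsule can exhaust the host's PID space, and nothing in the block says why that is acceptable. The neighbouring keys (`Delegate=pids memory cpu`, `DelegateSubgroup=init.scope`, `OOMScoreAdjust=100`) suggest the intent is to hand resource control to the capsule's own manager, presumably mirroring the per-user manager unit — confirm. If so, say it above the line, e.g. `# No host-side task cap: the pids controller is delegated to the capsule's own manager`; otherwise a finite `TasksMax=` here is the cheaper guard. The hunk is a complete new file.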
@@ -10,7 +10,7 @@
 [Unit]
 Description=Huge Pages File System
 Documentation=https://docs.kernel.org/admin-guide/mm/hugetlbpage.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 Before=sysinit.target
 ConditionPathExists=/sys/kernel/mm/hugepages
diff --git a/units/dev-mqueue.mount b/units/dev-mqueue.mount
index 02683a9..1fd9cc2 100644
--- a/units/dev-mqueue.mount
+++ b/units/dev-mqueue.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=POSIX Message Queue File System
 Documentation=man:mq_overview(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 Before=sysinit.target
 ConditionPathExists=/proc/sys/fs/mqueue
diff --git a/units/emergency.service.in b/units/emergency.service.in
index 8f70cbe..25aa8ec 100644
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@@ -19,7 +19,7 @@ Before=rescue.service
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-{{BINDIR}}/plymouth --wait quit
+ExecStartPre=-plymouth --wait quit
 ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell emergency
 Type=idle
 StandardInput=tty-force
diff --git a/units/exit.target b/units/exit.target
index f8a22e5..046dc03 100644
--- a/units/exit.target
+++ b/units/exit.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
 Requires=systemd-exit.service
 After=systemd-exit.service
 AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=exit-force

 [Install]
 Alias=ctrl-alt-del.target
diff --git a/units/halt.target b/units/halt.target
index bfa5f23..c19865f 100644
--- a/units/halt.target
+++ b/units/halt.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
 Requires=systemd-halt.service
 After=systemd-halt.service
 AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=halt-force

 [Install]
 Alias=ctrl-alt-del.target
diff --git a/units/initrd-parse-etc.service.in b/units/initrd-parse-etc.service.in
index 3dadab1..1eef2bd 100644
--- a/units/initrd-parse-etc.service.in
+++ b/units/initrd-parse-etc.service.in
@@ -23,9 +23,7 @@ OnFailureJobMode=replace-irreversibly

 [Service]
 Type=oneshot
-# FIXME: once dracut is patched to install the symlink, change to:
-# ExecStart={{LIBEXECDIR}}/systemd-sysroot-fstab-check
-ExecStart=@{{SYSTEM_GENERATOR_DIR}}/systemd-fstab-generator systemd-sysroot-fstab-check
+ExecStart={{LIBEXECDIR}}/systemd-sysroot-fstab-check

 # We want to enqueue initrd-cleanup.service/start after we finished the part
 # above. It can't be part of the initial transaction, because non-oneshot units
diff --git a/units/kexec.target b/units/kexec.target
index 5d8f8cd..dee7d20 100644
--- a/units/kexec.target
+++ b/units/kexec.target
@@ -14,6 +14,8 @@ DefaultDependencies=no
 Requires=systemd-kexec.service
 After=systemd-kexec.service
 AllowIsolate=yes
+JobTimeoutSec=30min
+JobTimeoutAction=kexec-force

 [Install]
 Alias=ctrl-alt-del.target
diff --git a/units/meson.build b/units/meson.build
index e7bfb7f..b231341 100644
--- a/units/meson.build
+++ b/units/meson.build
@@ -7,6 +7,8 @@ units = [
 { 'file' : 'blockdev@.target' },
 { 'file' : 'bluetooth.target' },
 { 'file' : 'boot-complete.target' },
+ { 'file' : 'capsule@.service.in' },
+ { 'file' : 'capsule.slice' },
 { 'file' : 'console-getty.service.in' },
 { 'file' : 'container-getty@.service.in' },
 {
@@ -161,7 +163,11 @@ units = [
 'conditions' : ['ENABLE_BINFMT'],
 },
 {
- 'file' : 'quotaon.service.in',
+ 'file' : 'quotaon@.service.in',
+ 'conditions' : ['ENABLE_QUOTACHECK'],
+ },
+ {
+ 'file' : 'quotaon-root.service.in',
 'conditions' : ['ENABLE_QUOTACHECK'],
 },
 {
@@ -199,6 +205,7 @@ units = [
 { 'file' : 'sockets.target' },
 { 'file' : 'soft-reboot.target' },
 { 'file' : 'sound.target' },
+ { 'file' : 'ssh-access.target' },
 {
 'file' : 'suspend-then-hibernate.target',
 'conditions' : ['ENABLE_HIBERNATE'],
@@ -267,6 +274,15 @@ units = [
 'file' : 'systemd-boot-update.service',
 'conditions' : ['ENABLE_BOOTLOADER'],
 },
+ {
+ 'file' : 'systemd-bootctl@.service',
+ 'conditions' : ['ENABLE_BOOTLOADER'],
+ },
+ {
+ 'file' : 'systemd-bootctl.socket',
+ 'conditions' : ['ENABLE_BOOTLOADER'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
 {
 'file' : 'systemd-confext.service',
 'conditions' : ['ENABLE_SYSEXT'],
@@ -280,6 +296,11 @@ units = [
 'file' : 'systemd-coredump@.service.in',
 'conditions' : ['ENABLE_COREDUMP'],
 },
+ {
+ 'file' : 'systemd-creds.socket',
+ 'symlinks' : ['sockets.target.wants/'],
+ },
+ { 'file' : 'systemd-creds@.service' },
 { 'file' : 'systemd-exit.service' },
 {
 'file' : 'systemd-firstboot.service',
@@ -291,6 +312,11 @@ units = [
 { 'file' : 'systemd-growfs-root.service.in' },
 { 'file' : 'systemd-growfs@.service.in' },
 { 'file' : 'systemd-halt.service' },
+ {
+ 'file' : 'systemd-hibernate-clear.service.in',
+ 'conditions' : ['ENABLE_HIBERNATE', 'ENABLE_EFI'],
+ 'symlinks' : ['sysinit.target.wants/'],
+ },
 {
 'file' : 'systemd-hibernate-resume.service.in',
 'conditions' : ['ENABLE_HIBERNATE'],
@@ -303,6 +329,10 @@ units = [
 'file' : 'systemd-homed-activate.service',
 'conditions' : ['ENABLE_HOMED'],
 },
+ {
+ 'file' : 'systemd-homed-firstboot.service',
+ 'conditions' : ['ENABLE_HOMED'],
+ },
 {
 'file' : 'systemd-homed.service.in',
 'conditions' : ['ENABLE_HOMED'],
@@ -312,6 +342,11 @@ units = [
 'conditions' : ['ENABLE_HOSTNAMED'],
 'symlinks' : ['dbus-org.freedesktop.hostname1.service'],
 },
+ {
+ 'file' : 'systemd-hostnamed.socket',
+ 'conditions' : ['ENABLE_HOSTNAMED'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
 {
 'file' : 'systemd-hwdb-update.service.in',
 'conditions' : ['ENABLE_HWDB'],
@@ -368,6 +403,7 @@ units = [
 'file' : 'systemd-journald-dev-log.socket',
 'symlinks' : ['sockets.target.wants/'],
 },
+ { 'file' : 'systemd-journald-sync@.service' },
 { 'file' : 'systemd-journald-varlink@.socket' },
 {
 'file' : 'systemd-journald.service.in',
@@ -405,6 +441,10 @@ units = [
 'symlinks' : ['sysinit.target.wants/'],
 },
 { 'file' : 'systemd-network-generator.service.in' },
+ {
+ 'file' : 'systemd-networkd-persistent-storage.service',
+ 'conditions' : ['ENABLE_NETWORKD'],
+ },
 {
 'file' : 'systemd-networkd-wait-online.service.in',
 'conditions' : ['ENABLE_NETWORKD'],
@@ -422,6 +462,10 @@ units = [
 'conditions' : ['ENABLE_NETWORKD'],
 },
 { 'file' : 'systemd-nspawn@.service.in' },
+ {
+ 'file' : 'systemd-vmspawn@.service.in',
+ 'conditions' : ['ENABLE_VMSPAWN'],
+ },
 {
 'file' : 'systemd-oomd.service.in',
 'conditions' : ['ENABLE_OOMD'],
@@ -505,6 +549,15 @@ units = [
 'file' : 'systemd-pcrlock-firmware-config.service.in',
 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
 },
+ {
+ 'file' : 'systemd-pcrlock@.service.in',
+ 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
+ },
+ {
+ 'file' : 'systemd-pcrlock.socket',
+ 'conditions' : ['ENABLE_BOOTLOADER', 'HAVE_OPENSSL', 'HAVE_TPM2'],
+ 'symlinks' : ['sockets.target.wants/'],
+ },
 {
 'file' : 'systemd-portabled.service.in',
 'conditions' : ['ENABLE_PORTABLED'],
@@ -516,7 +569,11 @@ units = [
 'conditions' : ['ENABLE_PSTORE'],
 },
 {
- 'file' : 'systemd-quotacheck.service.in',
+ 'file' : 'systemd-quotacheck@.service.in',
+ 'conditions' : ['ENABLE_QUOTACHECK'],
+ },
+ {
+ 'file' : 'systemd-quotacheck-root.service.in',
 'conditions' : ['ENABLE_QUOTACHECK'],
 },
 {
@@ -527,7 +584,7 @@ units = [
 { 'file' : 'systemd-reboot.service' },
 { 'file' : 'systemd-remount-fs.service.in' },
 {
- 'file' : 'systemd-repart.service.in',
+ 'file' : 'systemd-repart.service',
 'conditions' : ['ENABLE_REPART'],
 'symlinks' : ['sysinit.target.wants/', 'initrd-root-fs.target.wants/'],
 },
@@ -632,6 +689,7 @@ units = [
 'conditions' : ['ENABLE_TMPFILES'],
 'symlinks' : ['sysinit.target.wants/'],
 },
+ { 'file' : 'systemd-udev-load-credentials.service' },
 { 'file' : 'systemd-udev-settle.service' },
 {
 'file' : 'systemd-udev-trigger.service',
@@ -676,6 +734,22 @@ units = [
 'file' : 'systemd-userdbd.socket',
 'conditions' : ['ENABLE_USERDB'],
 },
+ {
+ 'file' : 'systemd-mountfsd.service.in',
+ 'conditions' : ['ENABLE_MOUNTFSD'],
+ },
+ {
+ 'file' : 'systemd-mountfsd.socket',
+ 'conditions' : ['ENABLE_MOUNTFSD'],
+ },
+ {
+ 'file' : 'systemd-nsresourced.service.in',
+ 'conditions' : ['ENABLE_NSRESOURCED'],
+ },
+ {
+ 'file' : 'systemd-nsresourced.socket',
+ 'conditions' : ['ENABLE_NSRESOURCED'],
+ },
 {
 'file' : 'systemd-vconsole-setup.service.in',
 'conditions' : ['ENABLE_VCONSOLE'],
@@ -691,6 +765,7 @@ units = [
 'file' : 'tmp.mount',
 'symlinks' : ['local-fs.target.wants/'],
 },
+ { 'file' : 'tpm2.target' },
 { 'file' : 'umount.target' },
 { 'file' : 'usb-gadget.target' },
 { 'file' : 'user-runtime-dir@.service.in' },
diff --git a/units/proc-sys-fs-binfmt_misc.automount b/units/proc-sys-fs-binfmt_misc.automount
index 5d21201..7ec21e7 100644
--- a/units/proc-sys-fs-binfmt_misc.automount
+++ b/units/proc-sys-fs-binfmt_misc.automount
@@ -10,7 +10,7 @@
 [Unit]
 Description=Arbitrary Executable File Formats File System Automount Point
 Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 ConditionPathExists=/proc/sys/fs/binfmt_misc/
 ConditionPathIsReadWrite=/proc/sys/

diff --git a/units/proc-sys-fs-binfmt_misc.mount b/units/proc-sys-fs-binfmt_misc.mount
index 88a7748..9518708 100644
--- a/units/proc-sys-fs-binfmt_misc.mount
+++ b/units/proc-sys-fs-binfmt_misc.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=Arbitrary Executable File Formats File System
 Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no

 [Mount]
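Review bot: In the `@@ -676,6 +734,22 @@` hunk the new `systemd-mountfsd.socket` and `systemd-nsresourced.socket` entries carry no `'symlinks' : ['sockets.target.wants/']`, unlike every other socket unit this commit adds to the list (`systemd-bootctl.socket`, `systemd-creds.socket`, `systemd-hostnamed.socket`, `systemd-pcrlock.socket`), so they will not be pulled in by sockets.target from the build-time symlinks. If that is deliberate because these two daemons are meant to be enabled by presets or their own `[Install]` sections, a one-line comment on the entries would keep the next reader from "fixing" it; otherwise add `'symlinks' : ['sockets.target.wants/'],` to both. The socket unit files themselves are not in this chunk, so the intent cannot be confirmed here.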
diff --git a/units/quotaon-root.service.in b/units/quotaon-root.service.in
new file mode 100644
index 0000000..cd308f4
--- /dev/null
+++ b/units/quotaon-root.service.in
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Enable Root File System Quotas
+Documentation=man:quotaon(8)
+
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+After=systemd-quotacheck-root.service
+Before=local-fs.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{QUOTAON}} -ug /
diff --git a/units/quotaon.service.in b/units/quotaon.service.in
deleted file mode 100644
index 7fa7061..0000000
--- a/units/quotaon.service.in
+++ /dev/null
@@ -1,24 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Enable File System Quotas
-Documentation=man:quotaon(8)
-
-ConditionPathExists={{QUOTAON}}
-
-DefaultDependencies=no
-After=systemd-quotacheck.service
-Before=remote-fs.target
-Before=shutdown.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart={{QUOTAON}} -aug
diff --git a/units/quotaon@.service.in b/units/quotaon@.service.in
new file mode 100644
index 0000000..23f365a
--- /dev/null
+++ b/units/quotaon@.service.in
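Review bot: quotaon-root.service.in has no `ConditionPathExists={{QUOTAON}}`, while the removed quotaon.service.in (next hunk on this line) had one and the new quotaon@.service.in on the following line keeps it; on a build with ENABLE_QUOTACHECK but no quotaon binary installed the root unit will now fail at `ExecStart` instead of being skipped, and because it is `Before=local-fs.target` that failure surfaces early in boot. Add `ConditionPathExists={{QUOTAON}}` next to the existing `ConditionPathExists=!/etc/initrd-release`. The hunk is a complete new file.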
@@ -0,0 +1,26 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Enable File System Quotas
+Documentation=man:quotaon(8)
+
+ConditionPathExists={{QUOTAON}}
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+BindsTo=%i.mount
+After=systemd-quotacheck@%i.service %i.mount
+Before=shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{QUOTAON}} -ug %f
diff --git a/units/rescue.service.in b/units/rescue.service.in
index 5113408..add6047 100644
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@@ -18,7 +18,7 @@ Before=shutdown.target
 [Service]
 Environment=HOME=/root
 WorkingDirectory=-/root
-ExecStartPre=-{{BINDIR}}/plymouth --wait quit
+ExecStartPre=-plymouth --wait quit
 ExecStart=-{{LIBEXECDIR}}/systemd-sulogin-shell rescue
 Type=idle
 StandardInput=tty-force
diff --git a/units/ssh-access.target b/units/ssh-access.target
new file mode 100644
index 0000000..f9b6a4c
--- /dev/null
+++ b/units/ssh-access.target
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=SSH Access Available
+Documentation=man:systemd.special(7)
diff --git a/units/sys-fs-fuse-connections.mount b/units/sys-fs-fuse-connections.mount
index 929d8e3..bd3f22a 100644
--- a/units/sys-fs-fuse-connections.mount
+++ b/units/sys-fs-fuse-connections.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=FUSE Control File System
 Documentation=https://docs.kernel.org/filesystems/fuse.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 ConditionPathExists=/sys/fs/fuse/connections
 ConditionCapability=CAP_SYS_ADMIN
diff --git a/units/sys-kernel-config.mount b/units/sys-kernel-config.mount
index dca94a8..26ee160 100644
--- a/units/sys-kernel-config.mount
+++ b/units/sys-kernel-config.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=Kernel Configuration File System
 Documentation=https://docs.kernel.org/filesystems/configfs.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/config
 ConditionCapability=CAP_SYS_RAWIO
diff --git a/units/sys-kernel-debug.mount b/units/sys-kernel-debug.mount
index 6c77ef5..5f0a75b 100644
--- a/units/sys-kernel-debug.mount
+++ b/units/sys-kernel-debug.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=Kernel Debug File System
 Documentation=https://docs.kernel.org/filesystems/debugfs.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 ConditionPathExists=/sys/kernel/debug
 ConditionCapability=CAP_SYS_RAWIO
diff --git a/units/sys-kernel-tracing.mount b/units/sys-kernel-tracing.mount
index f3cd47f..ed8f948 100644
--- a/units/sys-kernel-tracing.mount
+++ b/units/sys-kernel-tracing.mount
@@ -10,7 +10,7 @@
 [Unit]
 Description=Kernel Trace File System
 Documentation=https://docs.kernel.org/trace/ftrace.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 ConditionVirtualization=!lxc
 ConditionPathExists=/sys/kernel/tracing
diff --git a/units/syslog.socket b/units/syslog.socket
index ff76bc5..26b691c 100644
--- a/units/syslog.socket
+++ b/units/syslog.socket
@@ -10,7 +10,7 @@
 [Unit]
 Description=Syslog Socket
 Documentation=man:systemd.special(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/syslog
+Documentation=https://systemd.io/SYSLOG
 DefaultDependencies=no
 Before=sockets.target

@@ -44,4 +44,4 @@ ReceiveBuffer=8M
 # [Install]
 # Alias=syslog.service
 #
-# See https://www.freedesktop.org/wiki/Software/systemd/syslog for details.
+# See https://systemd.io/SYSLOG for details.
diff --git a/units/systemd-battery-check.service.in b/units/systemd-battery-check.service.in
index a5f532d..ee87118 100644
--- a/units/systemd-battery-check.service.in
+++ b/units/systemd-battery-check.service.in
@@ -12,6 +12,7 @@ Description=Check battery level during early boot
 Documentation=man:systemd-battery-check.service(8)
 ConditionVirtualization=no
 ConditionDirectoryNotEmpty=/sys/class/power_supply/
+ConditionKernelCommandLine=!systemd.battery_check=0
 ConditionKernelCommandLine=!systemd.battery-check=0
 AssertPathExists=/etc/initrd-release
 DefaultDependencies=no
diff --git a/units/systemd-binfmt.service.in b/units/systemd-binfmt.service.in
index 6861c76..318bf8e 100644
--- a/units/systemd-binfmt.service.in
+++ b/units/systemd-binfmt.service.in
@@ -11,7 +11,7 @@
 Description=Set Up Additional Binary Formats
 Documentation=man:systemd-binfmt.service(8) man:binfmt.d(5)
 Documentation=https://docs.kernel.org/admin-guide/binfmt-misc.html
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 DefaultDependencies=no
 Conflicts=shutdown.target
 After=proc-sys-fs-binfmt_misc.automount
diff --git a/units/systemd-boot-check-no-failures.service.in b/units/systemd-boot-check-no-failures.service.in
index eaadd0e..2e17cb9 100644
--- a/units/systemd-boot-check-no-failures.service.in
+++ b/units/systemd-boot-check-no-failures.service.in
@@ -12,8 +12,6 @@ Description=Check if Any System Units Failed
 Documentation=man:systemd-boot-check-no-failures.service(8)
 After=default.target graphical.target multi-user.target
 Before=boot-complete.target
-Conflicts=shutdown.target
-Before=shutdown.target

 [Service]
 Type=oneshot
diff --git a/units/systemd-bootctl.socket b/units/systemd-bootctl.socket
new file mode 100644
index 0000000..59151ba
--- /dev/null
+++ b/units/systemd-bootctl.socket
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Boot Entries Service Socket
+Documentation=man:bootctl(1)
+DefaultDependencies=no
+After=local-fs.target
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.BootControl
+FileDescriptorName=varlink
+SocketMode=0600
+Accept=yes
diff --git a/units/systemd-bootctl@.service b/units/systemd-bootctl@.service
new file mode 100644
index 0000000..5de6156
--- /dev/null
+++ b/units/systemd-bootctl@.service
@@ -0,0 +1,20 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Boot Entries Service
+Documentation=man:bootctl(1)
+DefaultDependencies=no
+Conflicts=shutdown.target
+After=local-fs.target
+Before=shutdown.target
+
+[Service]
+Environment=LISTEN_FDNAMES=varlink
+ExecStart=bootctl
diff --git a/units/systemd-coredump.socket b/units/systemd-coredump.socket
index a2d457f..c78eacd 100644
--- a/units/systemd-coredump.socket
+++ b/units/systemd-coredump.socket
@@ -19,3 +19,4 @@ ListenSequentialPacket=/run/systemd/coredump
 SocketMode=0600
 Accept=yes
 MaxConnections=16
+MaxConnectionsPerSource=8
diff --git a/units/systemd-creds.socket b/units/systemd-creds.socket
new file mode 100644
index 0000000..bf13c11
--- /dev/null
+++ b/units/systemd-creds.socket
@@ -0,0 +1,21 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Credential Encryption/Decryption
+Documentation=man:systemd-creds(1)
+DefaultDependencies=no
+Before=sockets.target
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.Credentials
+FileDescriptorName=varlink
+SocketMode=0666
+Accept=yes
+MaxConnectionsPerSource=16
diff --git a/units/systemd-creds@.service b/units/systemd-creds@.service
new file mode 100644
index 0000000..d565836
--- /dev/null
+++ b/units/systemd-creds@.service
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Credential Encryption/Decryption
+Documentation=man:systemd-creds(1)
+DefaultDependencies=no
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Environment=LISTEN_FDNAMES=varlink
+ExecStart=-systemd-creds
diff --git a/units/systemd-hibernate-clear.service.in b/units/systemd-hibernate-clear.service.in
new file mode 100644
index 0000000..2e8587e
--- /dev/null
+++ b/units/systemd-hibernate-clear.service.in
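Review bot: In systemd-creds.socket, `SocketMode=0666` together with `Accept=yes` makes `/run/systemd/io.systemd.Credentials` reachable by every local user, and each accepted connection spawns a `systemd-creds@.service` instance (next hunk on this line) that sets no `User=` and therefore runs as root; the only throttle is the per-UID `MaxConnectionsPerSource=16`, whereas the `systemd-coredump.socket` hunk at the top of this line pairs `MaxConnections=16` with `MaxConnectionsPerSource=8`, so the global cap here is left at its default. Add a global `MaxConnections=` sized for the expected client count, and put a comment above `SocketMode=0666` stating that nothing at the socket level restricts who may request a decryption and that per-caller authorization is done by systemd-creds on the connection (presumably from the peer's credentials — confirm). The hunk is a complete new file.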
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Clear Stale Hibernate Storage Info
+Documentation=man:systemd-hibernate-clear.service(8)
+
+ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-hibernate-resume --clear
diff --git a/units/systemd-homed-firstboot.service b/units/systemd-homed-firstboot.service
new file mode 100644
index 0000000..3615940
--- /dev/null
+++ b/units/systemd-homed-firstboot.service
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=First Boot Home Area Wizard
+Documentation=man:homectl(1)
+ConditionFirstBoot=yes
+After=home.mount systemd-homed.service
+Before=systemd-user-sessions.service first-boot-complete.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=homectl firstboot --prompt-new-user
+StandardOutput=tty
+StandardInput=tty
+StandardError=tty
+ImportCredential=home.*
+
+[Install]
+WantedBy=systemd-homed.service
+Also=systemd-homed.service
diff --git a/units/systemd-homed.service.in b/units/systemd-homed.service.in
index e629048..b54e5d3 100644
--- a/units/systemd-homed.service.in
+++ b/units/systemd-homed.service.in
@@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_ALG AF_INET AF_INET6
 RestrictNamespaces=mnt user
 RestrictRealtime=yes
 StateDirectory=systemd/home
+CacheDirectory=systemd/home
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service @mount quotactl
@@ -39,4 +40,4 @@ TimeoutStopSec=3min
 [Install]
 WantedBy=multi-user.target
 Alias=dbus-org.freedesktop.home1.service
-Also=systemd-homed-activate.service systemd-userdbd.service
+Also=systemd-homed-activate.service
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 31b45e0..ab00c24 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -15,6 +15,7 @@ Documentation=man:machine-info(5)
 Documentation=man:org.freedesktop.hostname1(5)

 [Service]
+Type=notify
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-hostnamed
@@ -22,7 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
-PrivateDevices=yes
+DeviceAllow=/dev/vsock r
 PrivateNetwork=yes
 PrivateTmp=yes
 ProtectProc=invisible
diff --git a/units/systemd-hostnamed.socket b/units/systemd-hostnamed.socket
new file mode 100644
index 0000000..2a2cfce
--- /dev/null
+++ b/units/systemd-hostnamed.socket
@@ -0,0 +1,19 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Hostname Service Socket
+Documentation=man:systemd-hostnamed.service(8)
+Documentation=man:hostname(5)
+Documentation=man:machine-info(5)
+
+[Socket]
+ListenStream=/run/systemd/io.systemd.Hostname
+FileDescriptorName=varlink
+SocketMode=0666
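Review bot: In the systemd-hostnamed.service.in `@@ -22,7 +23,7 @@` hunk, swapping `PrivateDevices=yes` for `DeviceAllow=/dev/vsock r` is a sandbox reduction that nothing in the hunk explains: the daemon loses its private, nodev /dev and now sees the host device tree, relying on the cgroup device list instead (an explicit `DeviceAllow=` turns the default `DevicePolicy=auto` into allow-list mode) to keep everything but /dev/vsock closed. Presumably hostnamed needs the real /dev/vsock to query the local vsock CID — confirm — and that belongs on the line: `# PrivateDevices= would hide /dev/vsock, which hostnamed reads for the local vsock CID; all other device nodes stay denied via DevicePolicy`. The CAP_MKNOD/CAP_SYS_RAWIO drop that PrivateDevices= used to imply is already covered by `CapabilityBoundingSet=CAP_SYS_ADMIN` in the preceding hunk, so the residual change is device-node visibility only.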
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index fc24a05..daa9377 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -13,6 +13,7 @@ Documentation=man:systemd-importd.service(8)
 Documentation=man:org.freedesktop.import1(5)

 [Service]
+Type=notify
 ExecStart={{LIBEXECDIR}}/systemd-importd
 BusName=org.freedesktop.import1
 KillMode=mixed
diff --git a/units/systemd-journal-flush.service b/units/systemd-journal-flush.service
index 8c01587..bd098e6 100644
--- a/units/systemd-journal-flush.service
+++ b/units/systemd-journal-flush.service
@@ -14,12 +14,15 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5)
 ConditionPathExists=!/etc/initrd-release

 DefaultDependencies=no
-After=systemd-remount-fs.service
+After=systemd-remount-fs.service systemd-quotacheck-root.service
 Before=systemd-tmpfiles-setup.service
 Wants=systemd-journald.service
 After=systemd-journald.service
 RequiresMountsFor=/var/log/journal

+Before=soft-reboot.target systemd-soft-reboot.service
+Conflicts=soft-reboot.target
+
 [Service]
 ExecStart=journalctl --flush
 ExecStop=journalctl --smart-relinquish-var
diff --git a/units/systemd-journald-sync@.service b/units/systemd-journald-sync@.service
new file mode 100644
index 0000000..3eafcd0
--- /dev/null
+++ b/units/systemd-journald-sync@.service
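Review bot: The new `Before=soft-reboot.target systemd-soft-reboot.service` and `Conflicts=soft-reboot.target` lines in systemd-journal-flush.service carry no explanation, while the matching change to systemd-journald.service.in further down this page gets a three-line comment on why ordering against systemd-soft-reboot.service, not just the target, is what matters. The same reasoning applies here — this unit's `ExecStop=journalctl --smart-relinquish-var` is what hands /var/log/journal back before the switch — so mirror that comment above the new `Before=` line, e.g. `# soft-reboot.target is normally never reached; order against systemd-soft-reboot.service so ExecStop= runs first`. The [Unit] section continues beyond the hunk on both sides.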
@@ -0,0 +1,24 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Sync Journal for Namespace %i +Documentation=man:systemd-journald.service(8) man:journald.conf(5) + +# At the time when journalctl in ExecStop= is invoked, +# systemd-journald@.service may not be started yet. Hence, both socket +# units must be active when journalctl is invoked. +Requires=systemd-journald@%i.socket systemd-journald-varlink@%i.socket +After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket +StopWhenUnneeded=yes + +[Service] +ExecStop=journalctl --namespace=%i --sync +Type=oneshot +RemainAfterExit=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 37eeabc..4404af9 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -17,7 +17,10 @@ Before=sysinit.target # To avoid journald SIGKILLed during soft-reboot and corrupting journals. # See https://github.com/systemd/systemd/issues/30195 -Before=soft-reboot.target +# Note, typically soft-reboot.target will be never reached, +# and systemd-soft-reboot.service will trigger soft-reboot. +# Hence, this must be stopped before systemd-soft-reboot.service. +Before=soft-reboot.target systemd-soft-reboot.service Conflicts=soft-reboot.target # Mount and swap units need the journal socket units. If they were removed by @@ -29,6 +32,9 @@ IgnoreOnIsolate=yes DeviceAllow=char-* rw ExecStart={{LIBEXECDIR}}/systemd-journald FileDescriptorStoreMax=4224 +# Ensure services using StandardOutput=journal do not break when journald is stopped +FileDescriptorStorePreserve=yes +ImportCredential=journal.* IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes 
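Review bot: `ImportCredential=journal.*` in the second systemd-journald.service.in hunk is the one new line without a rationale, and it presumably lets journald settings be injected through the credential store, so it should say what it is for, e.g. `# Pick up journald settings supplied as system credentials (journal.*)`. The neighbouring `FileDescriptorStorePreserve=yes` already carries its explanation, which makes the bare credential line stand out.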
@@ -37,7 +43,7 @@ OOMScoreAdjust=-250 ProtectClock=yes Restart=always RestartSec=0 -RestrictAddressFamilies=AF_UNIX AF_NETLINK +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_VSOCK AF_INET AF_INET6 RestrictNamespaces=yes RestrictRealtime=yes RestrictSUIDSGID=yes diff --git a/units/systemd-journald.socket b/units/systemd-journald.socket index 1e2178e..e2ffb96 100644 --- a/units/systemd-journald.socket +++ b/units/systemd-journald.socket @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=Journal Socket +Description=Journal Sockets Documentation=man:systemd-journald.service(8) man:journald.conf(5) DefaultDependencies=no Before=sockets.target diff --git a/units/systemd-journald@.service.in b/units/systemd-journald@.service.in index c3bcb08..b705ce0 100644 --- a/units/systemd-journald@.service.in +++ b/units/systemd-journald@.service.in @@ -13,11 +13,6 @@ Documentation=man:systemd-journald.service(8) man:journald.conf(5) Requires=systemd-journald@%i.socket systemd-journald-varlink@%i.socket After=systemd-journald@%i.socket systemd-journald-varlink@%i.socket -# To avoid journald SIGKILLed during soft-reboot and corrupting journals. -# See https://github.com/systemd/systemd/issues/30195 -Before=soft-reboot.target -Conflicts=soft-reboot.target - [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE DevicePolicy=closed diff --git a/units/systemd-journald@.socket b/units/systemd-journald@.socket index 60c025f..65813a5 100644 --- a/units/systemd-journald@.socket +++ b/units/systemd-journald@.socket @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=Journal Socket for Namespace %i +Description=Journal Sockets for Namespace %i Documentation=man:systemd-journald.service(8) man:journald.conf(5) StopWhenUnneeded=yes 
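Review bot: Widening `RestrictAddressFamilies=` to `AF_UNIX AF_NETLINK AF_VSOCK AF_INET AF_INET6` in the systemd-journald.service.in hunk comes with no comment, and the `IPAddressDeny=any` line visible in the previous hunk still applies, so IP sockets become creatable but cannot carry traffic. If this is meant to allow forwarding journal data to network or vsock endpoints, a comment such as `# AF_INET/AF_INET6/AF_VSOCK are needed for forwarding to remote sockets; IPAddressDeny=any above still blocks IP traffic unless overridden by a drop-in` would document both the intent and the restriction that remains.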
@@ -22,3 +22,6 @@ PassCredentials=yes PassSecurity=yes ReceiveBuffer=8M SendBuffer=8M + +[Install] +WantedBy=sockets.target diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 19383ae..4de89aa 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -15,6 +15,7 @@ Documentation=man:vconsole.conf(5) Documentation=man:org.freedesktop.locale1(5) [Service] +Type=notify BusName=org.freedesktop.locale1 CapabilityBoundingSet= ExecStart={{LIBEXECDIR}}/systemd-localed diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 39dc0c2..cc1b6be 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -31,7 +31,7 @@ DeviceAllow=char-input rw DeviceAllow=char-tty rw DeviceAllow=char-vcs rw ExecStart={{LIBEXECDIR}}/systemd-logind -FileDescriptorStoreMax=512 +FileDescriptorStoreMax=768 IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes diff --git a/units/systemd-machine-id-commit.service b/units/systemd-machine-id-commit.service index 89e0613..97b9186 100644 --- a/units/systemd-machine-id-commit.service +++ b/units/systemd-machine-id-commit.service @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=Commit a transient machine-id on disk +Description=Save Transient machine-id to Disk Documentation=man:systemd-machine-id-commit.service(8) DefaultDependencies=no Conflicts=shutdown.target @@ -21,4 +21,4 @@ ConditionPathIsMountPoint=/etc/machine-id Type=oneshot RemainAfterExit=yes ExecStart=systemd-machine-id-setup --commit -TimeoutSec=30s +TimeoutSec=90s diff --git a/units/systemd-mountfsd.service.in b/units/systemd-mountfsd.service.in new file mode 100644 index 0000000..20a9b42 --- /dev/null +++ b/units/systemd-mountfsd.service.in 
@@ -0,0 +1,46 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=DDI File System Mounter
+Documentation=man:systemd-mountfsd.service(8)
+Requires=systemd-mountfsd.socket
+After=systemd-mountfsd.socket
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID
+ExecStart={{LIBEXECDIR}}/systemd-mountfsd
+IPAddressDeny=any
+LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service @mount
+Type=notify
+NotifyAccess=all
+FileDescriptorStoreMax=4096
+{{SERVICE_WATCHDOG}}
+
+[Install]
+Also=systemd-mountfsd.socket
diff --git a/units/systemd-mountfsd.socket b/units/systemd-mountfsd.socket
new file mode 100644
index 0000000..cd88003
--- /dev/null
+++ b/units/systemd-mountfsd.socket
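Review bot: The commented-out `#CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID` in the new systemd-mountfsd.service.in leaves the daemon with an unrestricted capability bounding set, which is notable for a service whose Description says it mounts file system images on request. Either the restriction should be enabled, or the dead line should be replaced by a comment explaining which capability the mount path still needs and why the set cannot be narrowed yet, e.g. `# CapabilityBoundingSet= is intentionally unset for now: <reason>`. A disabled hardening line without rationale is easily mistaken for a finished one.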
@@ -0,0 +1,22 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=DDI File System Mounter Socket +Documentation=man:systemd-mountfsd.service(8) +DefaultDependencies=no +Conflicts=shutdown.target +Before=sockets.target shutdown.target + +[Socket] +ListenStream=/run/systemd/io.systemd.MountFileSystem +SocketMode=0666 + +[Install] +WantedBy=sockets.target diff --git a/units/systemd-network-generator.service.in b/units/systemd-network-generator.service.in index d87e1a4..f7d13d3 100644 --- a/units/systemd-network-generator.service.in +++ b/units/systemd-network-generator.service.in @@ -21,6 +21,9 @@ Before=shutdown.target initrd-switch-root.target Type=oneshot RemainAfterExit=yes ExecStart={{LIBEXECDIR}}/systemd-network-generator +ImportCredential=network.netdev.* +ImportCredential=network.link.* +ImportCredential=network.network.* [Install] WantedBy=sysinit.target diff --git a/units/systemd-networkd-persistent-storage.service b/units/systemd-networkd-persistent-storage.service new file mode 100644 index 0000000..308f66a --- /dev/null +++ b/units/systemd-networkd-persistent-storage.service 
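Review bot: `SocketMode=0666` in the new systemd-mountfsd.socket makes a daemon that mounts file system images reachable by every local user, and nothing in the unit says where authorization is then enforced. A comment such as `# World-accessible by design; per-request authorization is done by systemd-mountfsd itself` (adjusted to what the daemon actually checks) would make the trust boundary explicit for anyone reviewing this unit on its own.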
@@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Enable Persistent Storage in systemd-networkd +Documentation=man:networkctl(1) +ConditionCapability=CAP_NET_ADMIN +DefaultDependencies=no +After=systemd-remount-fs.service systemd-networkd.service +BindsTo=systemd-networkd.service +Conflicts=shutdown.target +Before=shutdown.target +ConditionPathExists=!/etc/initrd-release + +[Service] +Type=oneshot +User=systemd-network +ExecStart=networkctl persistent-storage yes +ExecStop=networkctl persistent-storage no +StateDirectory=systemd/network +RemainAfterExit=yes diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 3608458..6141fdb 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -17,7 +17,7 @@ DefaultDependencies=no After=systemd-networkd.socket systemd-udevd.service network-pre.target systemd-sysusers.service systemd-sysctl.service Before=network.target multi-user.target shutdown.target initrd-switch-root.target Conflicts=shutdown.target initrd-switch-root.target -Wants=systemd-networkd.socket network.target +Wants=systemd-networkd.socket network.target systemd-networkd-persistent-storage.service [Service] AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW @@ -26,6 +26,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N DeviceAllow=char-* rw ExecStart=!!{{LIBEXECDIR}}/systemd-networkd FileDescriptorStoreMax=512 +ImportCredential=network.wireguard.* LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes 
diff --git a/units/systemd-nsresourced.service.in b/units/systemd-nsresourced.service.in
new file mode 100644
index 0000000..3c92705
--- /dev/null
+++ b/units/systemd-nsresourced.service.in
@@ -0,0 +1,47 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Namespace Resource Manager
+Documentation=man:systemd-nsresourced.service(8)
+Requires=systemd-nsresourced.socket
+After=systemd-nsresourced.socket
+Conflicts=shutdown.target
+Before=sysinit.target shutdown.target
+DefaultDependencies=no
+
+[Service]
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_SYS_RESOURCE CAP_BPF CAP_PERFMON CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_CHOWN CAP_FOWNER
+ExecStart={{LIBEXECDIR}}/systemd-nsresourced
+IPAddressDeny=any
+LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectProc=invisible
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service bpf perf_event_open open_by_handle_at
+Type=notify
+NotifyAccess=all
+FileDescriptorStoreMax=4096
+{{SERVICE_WATCHDOG}}
+
+[Install]
+Also=systemd-nsresourced.socket
diff --git a/units/systemd-nsresourced.socket b/units/systemd-nsresourced.socket
new file mode 100644
index 0000000..2e3c8e9
--- /dev/null
+++ b/units/systemd-nsresourced.socket
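Review bot: `SystemCallFilter=@system-service bpf perf_event_open open_by_handle_at` in the new systemd-nsresourced.service.in, together with `CAP_SYS_ADMIN`, `CAP_DAC_READ_SEARCH`, `CAP_SETUID` and `CAP_SETGID` in `CapabilityBoundingSet=`, is a deliberately privileged profile that the unit does not explain. A short comment above the filter naming what each extra syscall is for (BPF programs for namespace policy, if that is the case) would let a reviewer check that nothing broader than needed is allowed. open_by_handle_at combined with CAP_DAC_READ_SEARCH grants path-independent file access, so that pairing in particular should be justified in place.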
@@ -0,0 +1,23 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Namespace Resource Manager Socket +Documentation=man:systemd-nsresourced.service(8) +DefaultDependencies=no +Conflicts=shutdown.target +Before=sockets.target shutdown.target + +[Socket] +ListenStream=/run/systemd/io.systemd.NamespaceResource +Symlinks=/run/systemd/userdb/io.systemd.NamespaceResource +SocketMode=0666 + +[Install] +WantedBy=sockets.target diff --git a/units/systemd-pcrextend.socket b/units/systemd-pcrextend.socket index 6d7b8ff..4f74748 100644 --- a/units/systemd-pcrextend.socket +++ b/units/systemd-pcrextend.socket @@ -8,9 +8,10 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Extension (Varlink) +Description=TPM PCR Measurements Documentation=man:systemd-pcrextend(8) DefaultDependencies=no +After=tpm2.target Before=sockets.target ConditionSecurity=measured-uki @@ -19,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.PCRExtend FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target diff --git a/units/systemd-pcrextend@.service.in b/units/systemd-pcrextend@.service.in index 2305b1c..68b71d4 100644 --- a/units/systemd-pcrextend@.service.in +++ b/units/systemd-pcrextend@.service.in @@ -8,9 +8,10 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Extension (Varlink) +Description=TPM PCR Measurements Documentation=man:systemd-pcrphase.service(8) DefaultDependencies=no +After=tpm2.target Conflicts=shutdown.target initrd-switch-root.target Before=shutdown.target initrd-switch-root.target 
diff --git a/units/systemd-pcrfs-root.service.in b/units/systemd-pcrfs-root.service.in index 11dc747..5b40a91 100644 --- a/units/systemd-pcrfs-root.service.in +++ b/units/systemd-pcrfs-root.service.in @@ -8,11 +8,11 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Root File System Measurement +Description=TPM PCR Root File System Measurement Documentation=man:systemd-pcrfs-root.service(8) DefaultDependencies=no Conflicts=shutdown.target -After=systemd-pcrmachine.service +After=tpm2.target systemd-pcrmachine.service Before=shutdown.target ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrfs@.service.in b/units/systemd-pcrfs@.service.in index fbaec4b..203d7b9 100644 --- a/units/systemd-pcrfs@.service.in +++ b/units/systemd-pcrfs@.service.in @@ -8,12 +8,12 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR File System Measurement of %f +Description=TPM PCR File System Measurement of %f Documentation=man:systemd-pcrfs@.service(8) DefaultDependencies=no BindsTo=%i.mount Conflicts=shutdown.target -After=%i.mount systemd-pcrfs-root.service +After=%i.mount tpm2.target systemd-pcrfs-root.service Before=shutdown.target ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-file-system.service.in b/units/systemd-pcrlock-file-system.service.in index d68a42e..807ebc2 100644 --- a/units/systemd-pcrlock-file-system.service.in +++ b/units/systemd-pcrlock-file-system.service.in @@ -8,11 +8,12 @@ # (at your option) any later version. [Unit] -Description=Lock File Systems to TPM2 PCR Policy +Description=Lock File Systems to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +After=systemd-remount-fs.service var.mount ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki 
diff --git a/units/systemd-pcrlock-firmware-code.service.in b/units/systemd-pcrlock-firmware-code.service.in index a24f2ba..cae8179 100644 --- a/units/systemd-pcrlock-firmware-code.service.in +++ b/units/systemd-pcrlock-firmware-code.service.in @@ -8,11 +8,11 @@ # (at your option) any later version. [Unit] -Description=Lock Firmware Code to TPM2 PCR Policy +Description=Lock Firmware Code to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target -After=systemd-tpm2-setup.service +After=systemd-tpm2-setup.service systemd-remount-fs.service var.mount Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-firmware-config.service.in b/units/systemd-pcrlock-firmware-config.service.in index 64e63f8..7484504 100644 --- a/units/systemd-pcrlock-firmware-config.service.in +++ b/units/systemd-pcrlock-firmware-config.service.in @@ -8,11 +8,11 @@ # (at your option) any later version. [Unit] -Description=Lock Firmware Configuration to TPM2 PCR Policy +Description=Lock Firmware Configuration to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target -After=systemd-tpm2-setup.service +After=systemd-tpm2-setup.service systemd-remount-fs.service var.mount Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-machine-id.service.in b/units/systemd-pcrlock-machine-id.service.in index 0ff22c5..c82c358 100644 --- a/units/systemd-pcrlock-machine-id.service.in +++ b/units/systemd-pcrlock-machine-id.service.in 
@@ -8,11 +8,12 @@ # (at your option) any later version. [Unit] -Description=Lock Machine ID to TPM2 PCR Policy +Description=Lock Machine ID to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +After=systemd-remount-fs.service var.mount ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-make-policy.service.in b/units/systemd-pcrlock-make-policy.service.in index 4127cc7..4dd18ec 100644 --- a/units/systemd-pcrlock-make-policy.service.in +++ b/units/systemd-pcrlock-make-policy.service.in @@ -8,12 +8,13 @@ # (at your option) any later version. [Unit] -Description=Make TPM2 PCR Policy +Description=Make TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target After=systemd-tpm2-setup.service Before=sysinit.target shutdown.target +After=systemd-remount-fs.service var.mount ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-secureboot-authority.service.in b/units/systemd-pcrlock-secureboot-authority.service.in index a8d55ba..9f6c1a4 100644 --- a/units/systemd-pcrlock-secureboot-authority.service.in +++ b/units/systemd-pcrlock-secureboot-authority.service.in @@ -8,12 +8,13 @@ # (at your option) any later version. [Unit] -Description=Lock UEFI SecureBoot Authority to TPM2 PCR Policy +Description=Lock UEFI SecureBoot Authority to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target After=systemd-tpm2-setup.service Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +After=systemd-remount-fs.service var.mount ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock-secureboot-policy.service.in b/units/systemd-pcrlock-secureboot-policy.service.in index 10e603c..0975aca 100644 
--- a/units/systemd-pcrlock-secureboot-policy.service.in +++ b/units/systemd-pcrlock-secureboot-policy.service.in @@ -8,12 +8,13 @@ # (at your option) any later version. [Unit] -Description=Lock UEFI SecureBoot Policy to TPM2 PCR Policy +Description=Lock UEFI SecureBoot Policy to TPM PCR Policy Documentation=man:systemd-pcrlock(8) DefaultDependencies=no Conflicts=shutdown.target After=systemd-tpm2-setup.service Before=sysinit.target shutdown.target systemd-pcrlock-make-policy.service +After=systemd-remount-fs.service var.mount ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrlock.socket b/units/systemd-pcrlock.socket new file mode 100644 index 0000000..17a56f7 --- /dev/null +++ b/units/systemd-pcrlock.socket @@ -0,0 +1,25 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Make TPM PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +After=tpm2.target +Before=sockets.target +ConditionSecurity=measured-uki + +[Socket] +ListenStream=/run/systemd/io.systemd.PCRLock +FileDescriptorName=varlink +SocketMode=0600 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/units/systemd-pcrlock@.service.in b/units/systemd-pcrlock@.service.in new file mode 100644 index 0000000..3528c56 --- /dev/null +++ b/units/systemd-pcrlock@.service.in 
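Review bot: The new systemd-pcrlock.socket uses `Accept=yes` without `MaxConnectionsPerSource=`, whereas this same commit adds `MaxConnectionsPerSource=16` to systemd-pcrextend.socket and systemd-sysext.socket, which have the same `Accept=yes`/`SocketMode=0600` shape. With mode 0600 only root can connect, so the exposure is small, but the three sockets should agree; consider `MaxConnectionsPerSource=16` after `Accept=yes`. Its `Description=Make TPM PCR Policy` also duplicates the description of systemd-pcrlock-make-policy.service.in earlier in this diff; something like `Description=TPM PCR Policy Socket` would keep log output distinguishable.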
@@ -0,0 +1,21 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Make TPM PCR Policy +Documentation=man:systemd-pcrlock(8) +DefaultDependencies=no +Conflicts=shutdown.target +After=systemd-tpm2-setup.service +Before=sysinit.target shutdown.target +After=systemd-remount-fs.service var.mount + +[Service] +Environment=LISTEN_FDNAMES=varlink +ExecStart={{LIBEXECDIR}}/systemd-pcrlock --location=770 diff --git a/units/systemd-pcrmachine.service.in b/units/systemd-pcrmachine.service.in index fb7d3ce..65caf2e 100644 --- a/units/systemd-pcrmachine.service.in +++ b/units/systemd-pcrmachine.service.in @@ -8,10 +8,11 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Machine ID Measurement +Description=TPM PCR Machine ID Measurement Documentation=man:systemd-pcrmachine.service(8) DefaultDependencies=no Conflicts=shutdown.target +After=tpm2.target Before=sysinit.target shutdown.target ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrphase-initrd.service.in b/units/systemd-pcrphase-initrd.service.in index b337d60..6fcf94d 100644 --- a/units/systemd-pcrphase-initrd.service.in +++ b/units/systemd-pcrphase-initrd.service.in @@ -8,10 +8,11 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Barrier (initrd) +Description=TPM PCR Barrier (initrd) Documentation=man:systemd-pcrphase-initrd.service(8) DefaultDependencies=no Conflicts=shutdown.target initrd-switch-root.target +After=tpm2.target Before=sysinit.target cryptsetup-pre.target cryptsetup.target shutdown.target initrd-switch-root.target systemd-sysext.service ConditionPathExists=/etc/initrd-release ConditionSecurity=measured-uki 
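Review bot: `Environment=LISTEN_FDNAMES=varlink` in the new systemd-pcrlock@.service.in looks redundant next to `FileDescriptorName=varlink` in the matching socket unit, and nothing says why the override is needed; if the per-connection fd would otherwise arrive under a different name, a comment such as `# The accepted-connection fd is not passed under the socket's FileDescriptorName=; name it explicitly so the daemon treats it as varlink` would keep someone from deleting the line. The unit also carries no sandboxing directives at all, unlike every other new service in this commit; if that is because it must write policy files as root, a comment stating so would help. `Description=Make TPM PCR Policy` duplicates the description in systemd-pcrlock-make-policy.service.in.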
diff --git a/units/systemd-pcrphase-sysinit.service.in b/units/systemd-pcrphase-sysinit.service.in index 08f7397..8c0c0c8 100644 --- a/units/systemd-pcrphase-sysinit.service.in +++ b/units/systemd-pcrphase-sysinit.service.in @@ -8,11 +8,11 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Barrier (Initialization) +Description=TPM PCR Barrier (Initialization) Documentation=man:systemd-pcrphase-sysinit.service(8) DefaultDependencies=no Conflicts=shutdown.target -After=sysinit.target +After=sysinit.target tpm2.target Before=basic.target shutdown.target ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-pcrphase.service.in b/units/systemd-pcrphase.service.in index c94ad75..04ace12 100644 --- a/units/systemd-pcrphase.service.in +++ b/units/systemd-pcrphase.service.in @@ -8,9 +8,9 @@ # (at your option) any later version. [Unit] -Description=TPM2 PCR Barrier (User) +Description=TPM PCR Barrier (User) Documentation=man:systemd-pcrphase.service(8) -After=remote-fs.target remote-cryptsetup.target +After=remote-fs.target remote-cryptsetup.target tpm2.target Before=systemd-user-sessions.service ConditionPathExists=!/etc/initrd-release ConditionSecurity=measured-uki diff --git a/units/systemd-quotacheck-root.service.in b/units/systemd-quotacheck-root.service.in new file mode 100644 index 0000000..a182059 --- /dev/null +++ b/units/systemd-quotacheck-root.service.in 
@@ -0,0 +1,25 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Root File System Quota Check
+Documentation=man:systemd-quotacheck.service(8)
+
+ConditionPathExists=!/etc/initrd-release
+
+DefaultDependencies=no
+After=systemd-remount-fs.service
+Before=local-fs.target shutdown.target
+Conflicts=shutdown.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart={{LIBEXECDIR}}/systemd-quotacheck /
+TimeoutSec=infinity
diff --git a/units/systemd-quotacheck.service.in b/units/systemd-quotacheck.service.in
deleted file mode 100644
index 0f94e38..0000000
--- a/units/systemd-quotacheck.service.in
+++ /dev/null
@@ -1,25 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=File System Quota Check
-Documentation=man:systemd-quotacheck.service(8)
-
-ConditionPathExists={{QUOTACHECK}}
-
-DefaultDependencies=no
-After=systemd-remount-fs.service
-Before=remote-fs.target
-Before=shutdown.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart={{LIBEXECDIR}}/systemd-quotacheck
-TimeoutSec=infinity
diff --git a/units/systemd-quotacheck@.service.in b/units/systemd-quotacheck@.service.in
new file mode 100644
index 0000000..f2b8db7
--- /dev/null
+++ b/units/systemd-quotacheck@.service.in
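Review bot: The new systemd-quotacheck-root.service.in drops the `ConditionPathExists={{QUOTACHECK}}` check that the deleted systemd-quotacheck.service.in had and that the new systemd-quotacheck@.service.in (next hunk) keeps, so on systems without a quotacheck binary the root unit will presumably be started and fail in ExecStart instead of being skipped. Unless the omission is intentional, add `ConditionPathExists={{QUOTACHECK}}` above `ConditionPathExists=!/etc/initrd-release` so the two quotacheck units stay consistent.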
@@ -0,0 +1,27 @@ +# SPDX-License-Identifier: LGPL-2.1-or-later +# +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=File System Quota Check +Documentation=man:systemd-quotacheck.service(8) + +ConditionPathExists={{QUOTACHECK}} +ConditionPathExists=!/etc/initrd-release + +DefaultDependencies=no +BindsTo=%i.mount +After=%i.mount +Before=shutdown.target +Conflicts=shutdown.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart={{LIBEXECDIR}}/systemd-quotacheck %f +TimeoutSec=infinity diff --git a/units/systemd-remount-fs.service.in b/units/systemd-remount-fs.service.in index fe3c31b..4ac8978 100644 --- a/units/systemd-remount-fs.service.in +++ b/units/systemd-remount-fs.service.in @@ -10,7 +10,7 @@ [Unit] Description=Remount Root and Kernel File Systems Documentation=man:systemd-remount-fs.service(8) -Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems +Documentation=https://systemd.io/API_FILE_SYSTEMS DefaultDependencies=no After=systemd-fsck-root.service diff --git a/units/systemd-repart.service b/units/systemd-repart.service new file mode 100644 index 0000000..1f7e2a6 --- /dev/null +++ b/units/systemd-repart.service 
@@ -0,0 +1,37 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Repartition Root Disk
+Documentation=man:systemd-repart.service(8)
+
+ConditionVirtualization=!container
+ConditionDirectoryNotEmpty=|/usr/lib/repart.d
+ConditionDirectoryNotEmpty=|/usr/local/lib/repart.d
+ConditionDirectoryNotEmpty=|/etc/repart.d
+ConditionDirectoryNotEmpty=|/run/repart.d
+ConditionDirectoryNotEmpty=|/sysusr/usr/lib/repart.d
+ConditionDirectoryNotEmpty=|/sysusr/usr/local/lib/repart.d
+
+DefaultDependencies=no
+Wants=modprobe@loop.service modprobe@dm_mod.service
+After=initrd-usr-fs.target modprobe@loop.service modprobe@dm_mod.service systemd-tpm2-setup-early.service
+Before=initrd-root-fs.target
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=systemd-repart --dry-run=no
+
+# The tool returns 76 if it can't find the root block device
+SuccessExitStatus=76
+# The tool returns 77 if there's no existing GPT partition table
+SuccessExitStatus=77
diff --git a/units/systemd-repart.service.in b/units/systemd-repart.service.in
deleted file mode 100644
index 2b57b93..0000000
--- a/units/systemd-repart.service.in
+++ /dev/null
@@ -1,37 +0,0 @@
-# SPDX-License-Identifier: LGPL-2.1-or-later
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it
-# under the terms of the GNU Lesser General Public License as published by
-# the Free Software Foundation; either version 2.1 of the License, or
-# (at your option) any later version.
-
-[Unit]
-Description=Repartition Root Disk
-Documentation=man:systemd-repart.service(8)
-
-ConditionVirtualization=!container
-ConditionDirectoryNotEmpty=|/usr/lib/repart.d
-ConditionDirectoryNotEmpty=|/usr/local/lib/repart.d
-ConditionDirectoryNotEmpty=|/etc/repart.d
-ConditionDirectoryNotEmpty=|/run/repart.d
-ConditionDirectoryNotEmpty=|/sysusr/usr/lib/repart.d
-ConditionDirectoryNotEmpty=|/sysusr/usr/local/lib/repart.d
-
-DefaultDependencies=no
-Wants=modprobe@loop.service modprobe@dm_mod.service
-After=initrd-usr-fs.target modprobe@loop.service modprobe@dm_mod.service
-Before=initrd-root-fs.target
-Conflicts=shutdown.target initrd-switch-root.target
-Before=shutdown.target initrd-switch-root.target
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart={{BINDIR}}/systemd-repart --dry-run=no
-
-# The tool returns 76 if it can't find the root block device
-SuccessExitStatus=76
-# The tool returns 77 if there's no existing GPT partition table
-SuccessExitStatus=77
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 820aecf..4aa0788 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -11,8 +11,8 @@ Description=Network Name Resolution Documentation=man:systemd-resolved.service(8) Documentation=man:org.freedesktop.resolve1(5) -Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers -Documentation=https://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients +Documentation=https://systemd.io/WRITING_NETWORK_CONFIGURATION_MANAGERS +Documentation=https://systemd.io/WRITING_RESOLVER_CLIENTS DefaultDependencies=no After=systemd-sysctl.service systemd-sysusers.service @@ -48,7 +48,7 @@ RuntimeDirectoryPreserve=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service -Type=notify +Type=notify-reload User=systemd-resolve ImportCredential=network.dns ImportCredential=network.search_domains diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in index c6b32a1..072ae64 100644 --- a/units/systemd-rfkill.service.in +++ b/units/systemd-rfkill.service.in @@ -22,5 +22,5 @@ Before=shutdown.target ExecStart={{LIBEXECDIR}}/systemd-rfkill NoNewPrivileges=yes StateDirectory=systemd/rfkill -TimeoutSec=30s +TimeoutSec=90s Type=notify diff --git a/units/systemd-sysext.socket b/units/systemd-sysext.socket index ad870c5..78475cf 100644 --- a/units/systemd-sysext.socket +++ b/units/systemd-sysext.socket @@ -8,7 +8,7 @@ # (at your option) any later version. [Unit] -Description=System Extension Image Management (Varlink) +Description=System Extension Image Management Documentation=man:systemd-sysext(8) DefaultDependencies=no After=local-fs.target @@ -20,6 +20,7 @@ ListenStream=/run/systemd/io.systemd.sysext FileDescriptorName=varlink SocketMode=0600 Accept=yes +MaxConnectionsPerSource=16 [Install] WantedBy=sockets.target diff --git a/units/systemd-sysext@.service b/units/systemd-sysext@.service index 544e22f..9dcbf9f 100644 --- a/units/systemd-sysext@.service +++ b/units/systemd-sysext@.service 
@@ -8,7 +8,7 @@
 # (at your option) any later version.
 
 [Unit]
-Description=System Extension Image Management (Varlink)
+Description=System Extension Image Management
 Documentation=man:systemd-sysext(8)
 DefaultDependencies=no
 After=local-fs.target
diff --git a/units/systemd-sysupdate.timer b/units/systemd-sysupdate.timer
index 6ecd98d..b2c7cd4 100644
--- a/units/systemd-sysupdate.timer
+++ b/units/systemd-sysupdate.timer
@@ -19,7 +19,7 @@ ConditionVirtualization=!container
 # Trigger the update 15min after boot, and then – on average – every 6h, but
 # randomly distributed in a 2h…6h interval. In addition trigger things
 # persistently once on each Saturday, to ensure that even on systems that are
-# never booted up for long we have a chance to to do the update.
+# never booted up for long we have a chance to do the update.
 OnBootSec=15min
 OnUnitActiveSec=2h
 OnCalendar=Sat
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 00f6643..06c3306 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -14,6 +14,7 @@ Documentation=man:localtime(5)
 Documentation=man:org.freedesktop.timedate1(5)
 
 [Service]
+Type=notify
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 DeviceAllow=char-rtc r
diff --git a/units/systemd-tpm2-setup-early.service.in b/units/systemd-tpm2-setup-early.service.in
index 6996efe..9982c84 100644
--- a/units/systemd-tpm2-setup-early.service.in
+++ b/units/systemd-tpm2-setup-early.service.in
@@ -8,7 +8,7 @@
 # (at your option) any later version.
 
 [Unit]
-Description=TPM2 SRK Setup (Early)
+Description=Early TPM SRK Setup
 Documentation=man:systemd-tpm2-setup.service(8)
 DefaultDependencies=no
 Conflicts=shutdown.target
diff --git a/units/systemd-tpm2-setup.service.in b/units/systemd-tpm2-setup.service.in
index 8c1851f..0af7292 100644
--- a/units/systemd-tpm2-setup.service.in
+++ b/units/systemd-tpm2-setup.service.in
@@ -8,11 +8,11 @@
 # (at your option) any later version.
 
 [Unit]
-Description=TPM2 SRK Setup
+Description=TPM SRK Setup
 Documentation=man:systemd-tpm2-setup.service(8)
 DefaultDependencies=no
 Conflicts=shutdown.target
-After=systemd-tpm2-setup-early.service systemd-remount-fs.service
+After=tpm2.target systemd-tpm2-setup-early.service systemd-remount-fs.service
 Before=sysinit.target shutdown.target
 RequiresMountsFor=/var/lib/systemd/tpm2-srk-public-key.pem
 ConditionSecurity=measured-uki
diff --git a/units/systemd-udev-load-credentials.service b/units/systemd-udev-load-credentials.service
new file mode 100644
index 0000000..70f69dc
--- /dev/null
+++ b/units/systemd-udev-load-credentials.service
@@ -0,0 +1,29 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Load udev Rules from Credentials
+Documentation=man:udevadm(8)
+Documentation=man:udev(7)
+Documentation=man:systemd.system-credentials(7)
+
+DefaultDependencies=no
+Before=systemd-udevd.service
+Conflicts=shutdown.target initrd-switch-root.target
+Before=shutdown.target initrd-switch-root.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=udevadm control --load-credentials
+ImportCredential=udev.conf.*
+ImportCredential=udev.rules.*
+
+[Install]
+WantedBy=sysinit.target
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index b59fdef..f4a4482 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
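Review bot: `After=tpm2.target` only orders this service behind the target; nothing in the hunk pulls the target in (no `Wants=tpm2.target`), so unless another unit or a udev rule wants tpm2.target the added ordering is a no-op and SRK setup can still start before the TPM device node is available. If the target is pulled in elsewhere, a comment on the `After=` line saying where would stop a later reader from adding a redundant or conflicting `Wants=`, e.g. `# tpm2.target is pulled in by <pulling unit or rule>; we only order after it`. The rest of the unit lies outside this hunk, so a `Wants=` further down cannot be ruled out from here.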
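Review bot: `ExecStart=udevadm control --load-credentials` runs under `Before=systemd-udevd.service`, while `udevadm control` is otherwise a client of the running daemon; presumably `--load-credentials` writes the imported credentials out as files for udevd to read at startup instead of contacting it, but nothing in the unit says so. A comment above the `ExecStart=` line, `# --load-credentials needs no running daemon: it materialises udev.conf.*/udev.rules.* for udevd to pick up at start`, would document the dependency direction. It is also worth stating next to the `ImportCredential=` lines that rules delivered this way execute with udevd's full privileges, so whoever can supply those credentials is inside the trust boundary: `# Rules from credentials run with udevd's privileges; only trusted credential sources should provide them`.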
@@ -13,6 +13,7 @@ Documentation=man:systemd-udevd.service(8) man:udev(7)
 DefaultDependencies=no
 After=systemd-sysusers.service systemd-hwdb-update.service
 Before=sysinit.target
+Wants=systemd-udev-load-credentials.service
 ConditionPathIsReadWrite=/sys
 
 [Service]
diff --git a/units/systemd-vmspawn@.service.in b/units/systemd-vmspawn@.service.in
new file mode 100644
index 0000000..6080020
--- /dev/null
+++ b/units/systemd-vmspawn@.service.in
@@ -0,0 +1,34 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Virtual Machine %i
+Documentation=man:systemd-vmspawn(1)
+PartOf=machines.target
+Before=machines.target
+After=network.target modprobe@tun.service
+RequiresMountsFor=/var/lib/machines/%i
+
+[Service]
+ExecStart=systemd-vmspawn --quiet --network-tap --machine=%i
+KillMode=mixed
+Type=notify
+Slice=machine.slice
+
+{# Enforce a strict device policy. Make sure to keep these policies in sync if you change them! #}
+DevicePolicy=closed
+DeviceAllow=/dev/net/tun rwm
+DeviceAllow=char-pts rw
+
+# vmspawn itself needs access to /dev/kvm and /dev/vhost-vsock
+DeviceAllow=/dev/kvm rw
+DeviceAllow=/dev/vhost-vsock rw
+
+[Install]
+WantedBy=machines.target
diff --git a/units/tmp.mount b/units/tmp.mount
index 734acea..8960405 100644
--- a/units/tmp.mount
+++ b/units/tmp.mount
@@ -11,7 +11,7 @@
 Description=Temporary Directory /tmp
 Documentation=https://systemd.io/TEMPORARY_DIRECTORIES
 Documentation=man:file-hierarchy(7)
-Documentation=https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
+Documentation=https://systemd.io/API_FILE_SYSTEMS
 ConditionPathIsSymbolicLink=!/tmp
 DefaultDependencies=no
 Conflicts=umount.target
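Review bot: In the new systemd-vmspawn@.service.in, `After=network.target modprobe@tun.service` orders the unit behind the tun module load but nothing pulls `modprobe@tun.service` in, so on a host where the module is not already loaded the `--network-tap` in `ExecStart=` can fail while the ordering stays a no-op; adding `Wants=modprobe@tun.service` next to the `After=` line closes that gap (the nspawn template pairs the two the same way, if memory serves). The `DeviceAllow=/dev/kvm rw` and `DeviceAllow=/dev/vhost-vsock rw` lines further down depend on their own modules being present, and whether a matching `modprobe@` is needed for them is not visible here.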
diff --git a/units/tpm2.target b/units/tpm2.target
new file mode 100644
index 0000000..ba51d57
--- /dev/null
+++ b/units/tpm2.target
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Trusted Platform Module
+Documentation=man:systemd.special(7)
+
+# Make this a synchronization point on the first TPM device found
+After=dev-tpmrm0.device
+Wants=dev-tpmrm0.device
diff --git a/units/user-runtime-dir@.service.in b/units/user-runtime-dir@.service.in
index 0641dd0..5fb5cad 100644
--- a/units/user-runtime-dir@.service.in
+++ b/units/user-runtime-dir@.service.in
@@ -11,7 +11,6 @@
 Description=User Runtime Directory /run/user/%i
 Documentation=man:user@.service(5)
 After=dbus.service
-StopWhenUnneeded=yes
 IgnoreOnIsolate=yes
 
 [Service]
diff --git a/units/user/capsule@.target b/units/user/capsule@.target
new file mode 100644
index 0000000..986e3ad
--- /dev/null
+++ b/units/user/capsule@.target
@@ -0,0 +1,15 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+#
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Main Capsule Target for %i
+Documentation=man:systemd.special(7)
+Requires=basic.target
+After=basic.target
+AllowIsolate=yes
diff --git a/units/user/meson.build b/units/user/meson.build
index 850ac2c..21070f7 100644
--- a/units/user/meson.build
+++ b/units/user/meson.build
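Review bot: `Wants=dev-tpmrm0.device` together with `After=dev-tpmrm0.device` means that, as far as I can tell, anything that pulls tpm2.target in on a machine without a TPM waits for the device job to time out before the target's own job completes, because the target is ordered after the device. That is harmless only if the target is wanted exclusively once a TPM has been detected, and nothing in the file says who is expected to pull it in or that it must not be wanted unconditionally; a comment under the existing one would capture that contract, e.g. `# Only pulled in once a TPM is detected (by <pulling unit or rule>); do not Wants= this target unconditionally`.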
@@ -5,6 +5,7 @@ units = [
 'background.slice',
 'basic.target',
 'bluetooth.target',
+ 'capsule@.target',
 'default.target',
 'exit.target',
 'graphical-session-pre.target',
diff --git a/units/user@.service.in b/units/user@.service.in
index da5f98c..5efb12a 100644
--- a/units/user@.service.in
+++ b/units/user@.service.in
@@ -10,8 +10,8 @@
 [Unit]
 Description=User Manager for UID %i
 Documentation=man:user@.service(5)
+BindsTo=user-runtime-dir@%i.service
 After=user-runtime-dir@%i.service dbus.service systemd-oomd.service
-Requires=user-runtime-dir@%i.service
 IgnoreOnIsolate=yes
 
 [Service]
-- 
cgit v1.2.3
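Review bot: In the user@.service.in hunk, `BindsTo=user-runtime-dir@%i.service` only propagates a stop of the runtime-dir unit when this unit is also ordered `After=` it, which the following `After=` line already supplies; since `StopWhenUnneeded=yes` is dropped from user-runtime-dir@.service.in in the same commit, the two changes are coupled and neither file says so. A comment above the `BindsTo=` line, `# BindsTo= (with the After= below) stops the manager when its runtime dir goes away; user-runtime-dir@ no longer stops itself when unneeded`, would tie them together for the next reader. The `[Service]` section that follows is outside the hunk.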