v252 batch up to daa77632d1d769f280b6645bec2ab01adc8cefe5 #474
Merged
bluca merged 59 commits into systemd:v252-stable from Mar 6, 2025
Prompted by: systemd/systemd#27890 (comment) (cherry picked from commit f96a32c) (cherry picked from commit 8975666) (cherry picked from commit 30fbbba)
The CIs apparently have really old headers, where KEY_BRIGHTNESS_AUTO is missing, let's hence ship our own copies from a current kernel. (cherry picked from commit 0a73c8e) (cherry picked from commit 2e13790) (cherry picked from commit 4ae0c3f) (cherry picked from commit 61708be) (cherry picked from commit 7b2c6d5)
Unfortunately kernel reports EOF if there's an inconsistency between efivarfs var list and what's actually stored in firmware, c.f. #34304. A zero size env var is not allowed in efi and hence the variable doesn't really exist in the backing store as long as it is zero sized, and the kernel calls this "uncommitted". Hence we translate EOF back to ENOENT here, as with kernel behavior before torvalds/linux@3fab70c. If the kernel changes behaviour (to flush dentries on resume), we can drop this at some point in the future. But note that the commit is 11 years old at this point so we'll need to deal with the current behaviour for a long time. Fix #34304. (cherry picked from commit 6013dee) (cherry picked from commit 87df05b) (cherry picked from commit 537b527) (cherry picked from commit 7ab4191) (cherry picked from commit 0aca8e2) (cherry picked from commit bee0fa8)
…ANTS=
Let's consider the following udev rules:
===
PROGRAM="/usr/bin/systemd-escape foo-bar-baz", ENV{SYSTEMD_WANTS}+="test1@$result.service"
PROGRAM="/usr/bin/systemd-escape aaa-bbb-ccc", ENV{SYSTEMD_WANTS}+="test2@$result.service"
===
Then, a device expectedly gains a property:
===
SYSTEMD_WANTS=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
After the event is processed by udevd, PID1 processes the device. The
property previously was parsed with extract_first_word(EXTRACT_UNQUOTE),
and the device unit then gained the following dependencies:
===
Wants=test1@foox2dbarx2dbaz.service test2@aaax2dbbbx2dccc.service
===
So both '%i' and '%I' for the template services did not match with the original
data, and it was hard to use systemd-escape in PROGRAM= udev rule token.
This makes the property parsed with extract_first_word(EXTRACT_UNQUOTE|EXTRACT_RETAIN_ESCAPE),
hence the device unit now gains the following dependencies:
===
Wants=test1@foo\x2dbar\x2dbaz.service test2@aaa\x2dbbb\x2dccc.service
===
and '%I' for the template services match with the original data.
Fixes a bug caused by ceed8f0 (v233).
Fixes #16735.
Replaces #16737 and #35768.
(cherry picked from commit a467358)
(cherry picked from commit 0c1daaf)
(cherry picked from commit cfa5775)
(cherry picked from commit a783d12)
(cherry picked from commit 9b07c0e)
(cherry picked from commit bb5205a)
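The parsing difference this commit message describes, as an added example that is not part of the commit or of systemd's source. `nth_word()` is a simplified stand-in for `extract_first_word()` (space-separated words, backslash handling only), and `instance_unescaped()` is a hypothetical helper that applies the documented `%I` unescaping to the instance part of a unit name.

```c
#include <stdio.h>
#include <string.h>

/* SYSTEMD_WANTS value quoted in the commit message above. */
static const char PROP[] =
    "test1@foo\\x2dbar\\x2dbaz.service test2@aaa\\x2dbbb\\x2dccc.service";

/* Simplified model of the word splitter, not systemd's extract_first_word():
 * words are space separated and a backslash protects the next character.
 * retain_escape == 0 drops the backslash, retain_escape == 1 keeps it. */
static const char *nth_word(const char *s, int idx, int retain_escape) {
    static char out[256];
    for (int i = 0; i <= idx; i++) {
        size_t k = 0;
        while (*s == ' ')
            s++;
        if (!*s)
            return NULL;        /* fewer than idx + 1 words */
        for (; *s && *s != ' '; s++) {
            if (*s == '\\' && s[1]) {
                if (retain_escape && k + 2 < sizeof out)
                    out[k++] = '\\';
                s++;            /* step onto the protected character */
            }
            if (k + 1 < sizeof out)
                out[k++] = *s;
        }
        out[k] = '\0';
    }
    return out;
}

static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Instance of "name@instance.suffix", unescaped as %I is documented to do:
 * "\xXX" becomes that byte and "-" becomes "/". */
static const char *instance_unescaped(const char *unit) {
    static char out[256];
    const char *at = unit ? strchr(unit, '@') : NULL;
    const char *dot = unit ? strrchr(unit, '.') : NULL;
    size_t k = 0;
    if (!at || !dot || dot < at)
        return NULL;
    for (const char *s = at + 1; s < dot && k + 1 < sizeof out; s++) {
        if (s[0] == '\\' && s[1] == 'x' && dot - s > 3 &&
            hexval(s[2]) >= 0 && hexval(s[3]) >= 0) {
            out[k++] = (char) (hexval(s[2]) * 16 + hexval(s[3]));
            s += 3;
        } else
            out[k++] = *s == '-' ? '/' : *s;
    }
    out[k] = '\0';
    return out;
}

int main(void) {
    for (int retain = 0; retain <= 1; retain++)
        printf("retain_escape=%d: %%I=%s\n", retain, instance_unescaped(nth_word(PROP, 0, retain)));
    return 0;
}
```

With the backslash dropped, the instance no longer round-trips to the string that was given to `systemd-escape`, so a template unit keyed on `%I` receives different data than the rule author intended.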
This was added originally as it was thought that Windows applied the same cap. Nowadays the specs do not mention it, and it is believed Windows no longer applies it either, so drop it in order to allow an arbitrary number of DTBs to be included. Fixes systemd/systemd#35943 (cherry picked from commit 8c5b359) (cherry picked from commit 9518481) (cherry picked from commit 5cbe2b8) (cherry picked from commit e79cea6) (cherry picked from commit 203f344) (cherry picked from commit df72929)
We were missing one service result (oom-kill), and the ratelimit one is called differently. Correct that so that we generate proper log messages for these cases. (cherry picked from commit a7620f5) (cherry picked from commit 13ce2fd) (cherry picked from commit dbc791b) (cherry picked from commit 760afe6) (cherry picked from commit 67cc085) (cherry picked from commit a93ecf3)
Follow-up for 656bbff The commit reworked job merging logic so that reload jobs won't get merged. However, they might get dropped from transaction due to being deemed redundant, i.e. way before it even hits job_install(). Let's make sure reload jobs are always kept during transaction construction stage, too. (cherry picked from commit 7b940d8) (cherry picked from commit 1e7b1ce) (cherry picked from commit d770304) (cherry picked from commit 42082ed) (cherry picked from commit 4f96683) (cherry picked from commit 087aa1f)
Fixes the following error:
```
../src/basic/random-util.c: In function "fallback_random_bytes":
../src/basic/random-util.c:45:26: error: initializer-string for array of "char" is too long [-Werror=unterminated-string-initialization]
45 | .label = "systemd fallback random bytes v1",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
```
(cherry picked from commit e722fe7)
(cherry picked from commit 8f2f04b)
(cherry picked from commit 57d2446)
(cherry picked from commit 85eafb5)
(cherry picked from commit 64f98ed)
(cherry picked from commit b1cdcb1)
legionus/kbd#127 adds a Georgian mapping to kbd. console-setup already has one. Let's support it here, so it's used for Georgian installs on distros that use this table. Signed-off-by: Adam Williamson <awilliam@redhat.com> (cherry picked from commit f89d4c5) (cherry picked from commit 52b5a79) (cherry picked from commit c9e1a4a) (cherry picked from commit 48fd2d3) (cherry picked from commit de0e698) (cherry picked from commit dadffd6)
otherwise it will use the system input.h which will fail to build if newer than the bundled version Fixes: 0a73c8e ("linux: import input.h and friends") (cherry picked from commit bc996fd) (cherry picked from commit a485c92) (cherry picked from commit f3d5204) (cherry picked from commit 00c2000) (cherry picked from commit 6e96abd) (cherry picked from commit 8eac273)
This is printed by bus_manager_log_shutdown() in logind-dbus.c, near the start of the shutdown process. Clarify that events *will* happen, long after this message is sent. (cherry picked from commit 6c45c5a) (cherry picked from commit 6936658) (cherry picked from commit c25f8b9) (cherry picked from commit 8b516d4) (cherry picked from commit 5fa7e25) (cherry picked from commit b4d40a3)
The UKI file has to be writable to be able to do boot counting in the UEFI firmware which involves renaming the file by writing to the file metadata which requires the file to be writable in the FAT filesystem. Fixes #36170 (cherry picked from commit 0e470e1) (cherry picked from commit 7358b67) (cherry picked from commit dcffc79) (cherry picked from commit 9d0ad1a) (cherry picked from commit d6875a5) (cherry picked from commit db5c3c8)
Skip unsupported/invalid `DS` and `DNSKEY` combinations during verification. Fixes: #12545 (cherry picked from commit cac3b43) (cherry picked from commit bb22ed0) (cherry picked from commit 49f7ac9) (cherry picked from commit 758a152) (cherry picked from commit 579623c) (cherry picked from commit e5d6fe3)
errno handling for NSS is always a bit weird since NSS modules generally are not particularly careful with it. Hence let's initialize errno explicitly before we invoke getpwent() so that we know it's in a reasonable state afterwards on failure, or zero if not. We do this in most places we use NSS, including in userdb when it comes to getgrent(), just for getpwent() we don't so far. Address that. (cherry picked from commit 83e3b96) (cherry picked from commit 4fc9748) (cherry picked from commit 443dbf4) (cherry picked from commit c1d49aa) (cherry picked from commit ae92325) (cherry picked from commit f3f26ae)
Give access to USB/Bluetooth lights such as the Logitech Litra family of devices. The Logitech devices in particular are accessible through USB and Bluetooth. (cherry picked from commit 106f64c) (cherry picked from commit 2e14f59) (cherry picked from commit 3b5543a) (cherry picked from commit ac023ef) (cherry picked from commit 0ef12c4) (cherry picked from commit 25a577d)
CLONE_PIDFD was introduced in v5.2 and in sched.h in glibc-2.31 so without this, building with older version fails with: src/basic/raw-clone.h:41:108: error: 'CLONE_PIDFD' undeclared (first use in this function); did you mean 'CLONE_FILES'? (cherry picked from commit e91c5cf) (cherry picked from commit 480e39d) (cherry picked from commit 5e0588e) (cherry picked from commit e6b576c) (cherry picked from commit 12c4551) (cherry picked from commit 33b585c)
UKIs should generally not be compressed since the kernel image and initrd in them will already be compressed so let's remove the compression suffix from the examples in the sysupdate manpage. (cherry picked from commit 5ca1865) (cherry picked from commit 9440a08) (cherry picked from commit 082fab5) (cherry picked from commit 3ca2a2d) (cherry picked from commit c165d94) (cherry picked from commit ffa2846)
systemd-dissect[612]: Assertion '(_error) != 0' failed at src/shared/dissect-image.c:3436, function dissected_image_load_verity_sig_partition(). Aborting. (cherry picked from commit 135640c) (cherry picked from commit e58924e) (cherry picked from commit ac6039f) (cherry picked from commit 72f68ec) (cherry picked from commit 853af25) (cherry picked from commit 089ee83)
The script runs the binaries which try to find the internal libs via /proc/self/exe due
to glibc's RPATH resolution and fail:
```
/var/cache/src/systemd/tools/dbus_exporter.py interfaces
/var/cache/src/systemd/build/systemd
/var/cache/src/systemd/build/systemd-homed
/var/cache/src/systemd/build/systemd-hostnamed
/var/cache/src/systemd/build/systemd-importd
/var/cache/src/systemd/build/systemd-localed
/var/cache/src/systemd/build/systemd-logind
/var/cache/src/systemd/build/systemd-machined
/var/cache/src/systemd/build/systemd-networkd
/var/cache/src/systemd/build/systemd-oomd
/var/cache/src/systemd/build/systemd-portabled
/var/cache/src/systemd/build/systemd-resolved
/var/cache/src/systemd/build/systemd-sysupdated
/var/cache/src/systemd/build/systemd-timedated
execve("/var/cache/src/systemd/build/systemd", ["/var/cache/src/systemd/build/sys"..., "--bus-introspect", "list"], 0x7ffc7ab68600 /* 20 vars */) = 0
brk(NULL) = 0x56265bf70000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f56ced7f000
readlinkat(AT_FDCWD, "/proc/self/exe", 0x7ffedeaa7a90, 4096) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20293, ...}) = 0
mmap(NULL, 20293, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f56ced7a000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
writev(2, [{iov_base="/var/cache/src/systemd/build/sys"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="error while loading shared libra"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="libsystemd-core-258.so", iov_len=22},
{iov_base=": ", iov_len=2},
{iov_base="cannot open shared object file", iov_len=30},
{iov_base=": ", iov_len=2},
{iov_base="No such file or directory", iov_len=25},
{iov_base="\n", iov_len=1}],
10/var/cache/src/systemd/build/systemd: error while loading shared libraries: libsystemd-core-258.so: cannot open shared object file: No such file or directory
) = 158
```
(cherry picked from commit c6a932f)
(cherry picked from commit 8b84cad)
(cherry picked from commit 06f05ba)
(cherry picked from commit 626e117)
(cherry picked from commit 96ae2e0)
(cherry picked from commit 790120b)
…ects While this is obvious if you spend a few minutes thinking about how D-Bus signals work (in this case, they are broadcast from a system service, so cannot apply to a specific user/session/seat), it’s a bit easy to overlook this while putting code together which uses the login1 D-Bus API, so it’s helpful to point this hazard out specifically in the docs. The signals can only be emitted on the canonical objects. The convenience objects are useful for method calls, as the calling context can be used to dereference ‘self’ and ‘auto’, but this can’t work for signals. Signed-off-by: Philip Withnall <pwithnall@gnome.org> (cherry picked from commit 82b32b9) (cherry picked from commit afc6244) (cherry picked from commit aa560db) (cherry picked from commit e3e2147) (cherry picked from commit 0b3dcc9) (cherry picked from commit 331a00c)
When hardlink recreation is requested, it creates temporary files that will be deleted once the context is destroyed. The deletion (potentially) updates the directory's timestamps, so it's crucial that the deletion happens before the directory timestamps are restored when `COPY_RESTORE_DIRECTORY_TIMESTAMPS` is requested. (cherry picked from commit b662914) (cherry picked from commit 9e2ba7e) (cherry picked from commit 9ade693) (cherry picked from commit 0ef8791) (cherry picked from commit 75a7236) (cherry picked from commit 3523091)
There is a typo passing flags to `install_file()`, if `IMPORT_READ_ONLY` is set, `IMPORT_SYNC` is never checked. (cherry picked from commit 5d2d0c0) (cherry picked from commit 6d3621d) (cherry picked from commit b7109d7) (cherry picked from commit 4963abe) (cherry picked from commit b09f371) (cherry picked from commit 46795c6)
All dbus programs have to be up-to-date for update-dbus-docs to produce the expected output, so add the missing dependency. (cherry picked from commit 461bd92) (cherry picked from commit cd727da) (cherry picked from commit c5e562c) (cherry picked from commit bf899b7) (cherry picked from commit e6885d3) (cherry picked from commit 0022181)
fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when calling ask_password_auto(), suggesting that a key by this name can be read from the kernel keyring. But the keyring is never opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set. Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted setup of encrypted volumes with FIDO2. If the PIN turns out to be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying and possible lockout. (cherry picked from commit 505c2f2) (cherry picked from commit f2054b8) (cherry picked from commit 012cde1) (cherry picked from commit 993f1e9) (cherry picked from commit 3a9fd52) (cherry picked from commit 363ad24)
When using UEFI with bhyve it behaves similarly to qemu, and provides a product_uuid. Use it if found, just like with qemu. (cherry picked from commit 113c159) (cherry picked from commit 4cdaff2) (cherry picked from commit ebdb1df) (cherry picked from commit 4c70218) (cherry picked from commit 3f2bf5d) (cherry picked from commit a361053)
…ocked In various scenarios we invoke containers with access to the kernel keyring blocked. Let's make sure we can handle this properly: when the invocation ID is stored in the kernel keyring and we try to read it and get EPERM we should handle it gracefully, like EOPNOTSUPP. (cherry picked from commit f2e38b0) (cherry picked from commit a2abc3b) (cherry picked from commit 9cd3101) (cherry picked from commit e52806d) (cherry picked from commit 4d5da5c) (cherry picked from commit 8874ff7)
The values assigned to 'r' were never used, and overwritten by the next call of read_line_full(). Fixes CID#1548043 and CID#1548064. (cherry picked from commit 00575cf) (cherry picked from commit 244790a) (cherry picked from commit f92b518) (cherry picked from commit 8858f69) (cherry picked from commit 4494ce2) (cherry picked from commit b687cc0)
Import the new key from https://data.iana.org/root-anchors/root-anchors.xml. The old one remains valid, as per provided data. Fixes: #36260 (cherry picked from commit 8113361) (cherry picked from commit 961e351) (cherry picked from commit 6cb60bb) (cherry picked from commit 6a97871) (cherry picked from commit 7773582) (cherry picked from commit 88eec37)
If we use TCP fastopen to connect to a DNS server via TCP, and it responds really quickly between our connection attempt and our immediate check back, then we have not identified the peer yet, and will not be able to use the peer metadata to fill in our packet info. Let's fix that, and simply not read from the socket until identification is complete. Fixes: #34956 (cherry picked from commit facc943) (cherry picked from commit 11da527) (cherry picked from commit 9bf15a2) (cherry picked from commit e22b61d) (cherry picked from commit 8398ac6) (cherry picked from commit e6e2c36)
/usr/bin/pacman-key: line 31: /usr/share/makepkg/util/message.sh: No such file or directory /usr/bin/pacman-key: line 32: /usr/share/makepkg/util/parseopts.sh: No such file or directory /usr/bin/pacman-key: line 620: parseopts: command not found (cherry picked from commit 66ffce7) (cherry picked from commit 70dfddd) (cherry picked from commit dc5ae25)
Now, ubuntu-24.04 has mold-2.30.0+dfsg-1build1. See https://packages.ubuntu.com/noble/mold. (cherry picked from commit c0b78d2) (cherry picked from commit 0f9ded5)
No description provided.