diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 50dd50b026..899e6b46df 100644
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -49,7 +49,7 @@ jobs:
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
- - uses: systemd/mkosi@93098e2406e12ea7f06f962d4808952b8a06d345
+ - uses: systemd/mkosi@d13ff85610c6fb01a2fff0a8187729ebe4a05595
- name: Install
run: sudo apt-get update && sudo apt-get install --no-install-recommends python3-pexpect python3-jinja2
diff --git a/man/homectl.xml b/man/homectl.xml
index dacbd17b1e..6fd5340370 100644
--- a/man/homectl.xml
+++ b/man/homectl.xml
@@ -686,7 +686,7 @@
CIPHER
MODE
- BITS
+ BYTES
TYPE
ALGORITHM
SECONDS
@@ -696,7 +696,12 @@
Configures various cryptographic parameters for the LUKS2 storage mechanism. See
cryptsetup8
- for details on the specific attributes.
+ for details on the specific attributes.
+
+ Note that homectl uses bytes for key size, like
+ /proc/crypto, but cryptsetup8
+ uses bits.
diff --git a/man/journald.conf.xml b/man/journald.conf.xml
index 4b0dd90cbb..0abed9cf7d 100644
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@@ -353,7 +353,7 @@
traditional syslog daemon, to the kernel log buffer (kmsg), to the system console, or sent as wall
messages to all logged-in users. These options take boolean arguments. If forwarding to syslog is
enabled but nothing reads messages from the socket, forwarding to syslog has no effect. By default,
- only forwarding to wall is enabled. These settings may be overridden at boot time with the kernel
+ only forwarding to syslog and wall is enabled. These settings may be overridden at boot time with the kernel
command line options systemd.journald.forward_to_syslog,
systemd.journald.forward_to_kmsg,
systemd.journald.forward_to_console, and
@@ -426,7 +426,7 @@
systemd-journald collects generated audit records, it just controls whether it
tells the kernel to generate them. This means if another tool turns on auditing even if
systemd-journald left it off, it will still collect the generated
- messages. Defaults to on.
+ messages. Defaults to off.
diff --git a/man/loader.conf.xml b/man/loader.conf.xml
index d5abb1c04e..509412ec9d 100644
--- a/man/loader.conf.xml
+++ b/man/loader.conf.xml
@@ -121,7 +121,7 @@
will be stored as an EFI variable in that case, overriding this option.
- If set to menu-hidden or 0 no menu
+ If set to menu-hidden or 0 (the default) no menu
is shown and the default entry will be booted immediately. The menu can be shown
by pressing and holding a key before systemd-boot is launched. Setting this to
menu-force disables the timeout while always showing the menu.
@@ -211,7 +211,7 @@
beep
- Beep n times when the n-th entry in the boot menu is shown (default disabled).
+ Takes a boolean argument. If timeout enabled beep every second, otherwise beep n times when n-th entry in boot menu is selected (default disabled).
Currently, only x86 is supported, where it uses the PC speaker.
diff --git a/man/rules/meson.build b/man/rules/meson.build
index 55376c0ecc..4e912638ed 100644
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@@ -884,6 +884,7 @@ manpages = [
'8',
['systemd-fsck', 'systemd-fsck-root.service'],
''],
+ ['systemd-fsckd.service', '8', ['systemd-fsckd.socket', 'systemd-fsckd'], ''],
['systemd-fstab-generator', '8', [], ''],
['systemd-getty-generator', '8', [], ''],
['systemd-gpt-auto-generator', '8', [], 'HAVE_BLKID'],
diff --git a/man/sd_bus_error-example.c b/man/sd_bus_error-example.c
new file mode 100644
index 0000000000..abea13ca45
--- /dev/null
+++ b/man/sd_bus_error-example.c
@@ -0,0 +1,18 @@
+/* SPDX-License-Identifier: CC0-1.0 */
+
+#include
+#include
+#include
+#include
+
+int writer_with_negative_errno_return(int fd, sd_bus_error *error) {
+ const char *message = "Hello, World!\n";
+
+ ssize_t n = write(fd, message, strlen(message));
+ if (n >= 0)
+ return n; /* On success, return the number of bytes written, possibly 0. */
+
+ /* On error, initialize the error structure, and also propagate the errno
+ * value that write(2) set for us. */
+ return sd_bus_error_set_errnof(error, errno, "Failed to write to fd %i: %m", fd);
+}
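Review bot: The example reports a short write as success and does not say that `error` must be unset on entry; both matter to a reader who copies it. write(2) may accept fewer bytes than `strlen(message)`, and the `n >= 0` branch returns that count unchecked, so its comment could read `/* On success, return the number of bytes written, which may be less than strlen(message); callers must compare. */`. On the failure path, the sd_bus_error.xml text in this same diff says the error-setting functions return -EINVAL when the structure is already set, so a caller passing an already-set `error` would get -EINVAL rather than the errno from write(2). A header comment such as `/* error must be unset (e.g. SD_BUS_ERROR_NULL) when this is called. */` would cover that.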
diff --git a/man/sd_bus_error.xml b/man/sd_bus_error.xml
index 5697ce7323..f4d0fea2e6 100644
--- a/man/sd_bus_error.xml
+++ b/man/sd_bus_error.xml
@@ -246,10 +246,15 @@
values in e, if e has been set with an error value before.
Otherwise, it will return immediately. If the strings in e were set using
sd_bus_error_set_const(), they will be shared. Otherwise, they will be
- copied. Returns a converted errno-like, negative error code or 0.
- Before this call, dst must be unset, i.e. either freshly initialized with
+ copied. Before this call, dst must be unset, i.e. either freshly initialized with
NULL or reset using sd_bus_error_free().
+ sd_bus_error_copy() generally returns 0 or a negative
+ errno-like value based on the input parameter e:
+ 0 if it was unset and a negative integer if it was set to some error, similarly to
+ sd_bus_error_set(). It may however also return an error generated internally, for
+ example -ENOMEM if a memory allocation fails.
+
sd_bus_error_move() is similar to sd_bus_error_copy(),
but will move any error information from e into dst,
resetting the former. This function cannot fail, as no new memory is allocated. Note that if
@@ -286,6 +291,18 @@
to NULL. The structure may be reused afterwards.
+
+ Reference ownership
+
+ sd_bus_error is not reference-counted. Users should destroy resources held
+ by it by calling sd_bus_error_free(). Usually, error structures are allocated on the
+ stack or passed in as function parameters, but they may also be allocated dynamically, in which case it
+ is the duty of the caller to free3 the memory
+ held by the structure itself after freeing its contents with
+ sd_bus_error_free().
+
+
Return Value
@@ -297,7 +314,8 @@
sd_bus_error_set_errnofv(), return 0 when the specified error
value is 0, and a negative errno-like value corresponding to the
error parameter otherwise. If an error occurs internally, one of the negative
- error values listed below will be returned.
+ error values listed below will be returned. This allows those functions to be conveniently used in a
+ return statement, see the example below.
sd_bus_error_get_errno() returns
false when e is
@@ -305,7 +323,9 @@
e->name otherwise.
sd_bus_error_copy() and sd_bus_error_move() return a
- negative error value converted from the source error, and zero if the error has not been set.
+ negative error value converted from the source error, and zero if the error has not been set. This
+ allows those functions to be conveniently used in a return statement, see the
+ example below.
sd_bus_error_is_set() returns a
non-zero value when e and the
@@ -316,32 +336,18 @@
sd_bus_error_has_names_sentinel() return a non-zero value when e is
non-NULL and the name field is equal to one of the given
names, zero otherwise.
-
-
-
- Reference ownership
- sd_bus_error is not reference
- counted. Users should destroy resources held by it by calling
- sd_bus_error_free(). Usually, error structures
- are allocated on the stack or passed in as function parameters,
- but they may also be allocated dynamically, in which case it is
- the duty of the caller to free3
- the memory held by the structure itself after freeing its contents
- with sd_bus_error_free().
Errors
- Returned errors may indicate the following problems:
+ Return value may indicate the following problems in the invocation of the function itself:
-
-EINVAL
- Error was already set in sd_bus_error structure when one
- the error-setting functions was called.
+ Error was already set in the sd_bus_error structure when
+ one the error-setting functions was called.
@@ -350,9 +356,29 @@
Memory allocation failed.
+
+ On success, sd_bus_error_set(), sd_bus_error_setf(),
+ sd_bus_error_set_const(), sd_bus_error_set_errno(),
+ sd_bus_error_set_errnof(), sd_bus_error_set_errnofv(),
+ sd_bus_error_copy(), and sd_bus_error_move() will return a
+ negative converted errno-style value, or 0 if the error
+ parameter is NULL or unset. D-Bus errors are converted to the integral
+ errno-style value, and the mapping mechanism is extensible, see the discussion
+ above. This effectively means that almost any negative errno-style value can be
+ returned.
+
+ Examples
+
+
+ Using the negative return value to propagate an error
+
+
+
+
+
diff --git a/man/shutdown.xml b/man/shutdown.xml
index b07736ee68..97f33e802a 100644
--- a/man/shutdown.xml
+++ b/man/shutdown.xml
@@ -18,7 +18,7 @@
shutdown
- Halt, power-off or reboot the machine
+ Halt, power off or reboot the machine
@@ -33,8 +33,7 @@
Description
- shutdown may be used to halt, power-off
- or reboot the machine.
+ shutdown may be used to halt, power off, or reboot the machine.
The first argument may be a time string (which is usually
now). Optionally, this may be followed by a
@@ -81,47 +80,41 @@
- Power-off the machine (the
- default).
+ Power the machine off (the default).
- Reboot the
- machine.
+ Reboot the machine.
- Equivalent to ,
- unless is specified.
+ The same as , but does not override the action to take if
+ it is "halt". E.g. shutdown --reboot -h means "poweroff", but shutdown
+ --halt -h means "halt".
- Do not halt, power-off, reboot, just write
- wall message.
+ Do not halt, power off, or reboot, but just write the wall message.
- Do not send wall
- message before
- halt, power-off, reboot.
+ Do not send wall message before halt, power off, or reboot.
- Cancel a pending shutdown. This may be used
- to cancel the effect of an invocation of
- shutdown with a time argument that is not
- +0 or
+ Cancel a pending shutdown. This may be used to cancel the effect of an invocation of
+ shutdown with a time argument that is not +0 or
now.
diff --git a/man/systemd-creds.xml b/man/systemd-creds.xml
index 2ccbb223e8..d803b5c127 100644
--- a/man/systemd-creds.xml
+++ b/man/systemd-creds.xml
@@ -25,6 +25,8 @@
systemd-creds
OPTIONS
+ COMMAND
+ ARGS
diff --git a/man/systemd-fsckd.service.xml b/man/systemd-fsckd.service.xml
new file mode 100644
index 0000000000..b7ad58d272
--- /dev/null
+++ b/man/systemd-fsckd.service.xml
@@ -0,0 +1,162 @@
+
+
+
+
+
+
+
+ systemd-fsckd.service
+ systemd
+
+
+
+ Developer
+ Didier
+ Roche
+ didrocks@ubuntu.com
+
+
+
+
+
+ systemd-fsckd.service
+ 8
+
+
+
+ systemd-fsckd.service
+ systemd-fsckd.socket
+ systemd-fsckd
+ File system check progress reporting
+
+
+
+ systemd-fsckd.service
+ systemd-fsckd.socket
+ /usr/lib/systemd/systemd-fsckd
+
+
+
+ Description
+
+ systemd-fsckd.service is a service responsible
+ for receiving file system check progress, and communicating some
+ consolidated data to console and plymouth (if running). It also handles
+ possible check cancellations.
+
+ systemd-fsckd receives messages about file
+ system check progress from fsck through an
+ UNIX domain socket. It can display the progress of the least advanced
+ fsck as well as the total number of devices being checked in parallel
+ to the console. It will also send progress messages to plymouth.
+ Both the raw data and translated messages are sent, so compiled
+ plymouth themes can use the raw data to display custom messages, and
+ scripted themes, not supporting i18n, can display the translated
+ versions.
+
+ systemd-fsckd will instruct plymouth to grab
+ Control+C keypresses. When the key is pressed, running checks will be
+ terminated. It will also cancel any newly connected fsck instances for
+ the lifetime of systemd-fsckd.
+
+
+
+ Protocol for communication with plymouth
+
+ systemd-fsckd passes the
+ following messages to the theme:
+
+ Progress update, sent as a plymouth update message:
+ fsckd:<num_devices>:<progress>:<string>
+
+
+ <num_devices>
+ the current number of devices
+ being checked (int)
+
+
+ <progress>
+ the current minimum percentage of
+ all devices being checking (float, from 0 to 100)
+
+
+ <string>
+ a translated message ready to be displayed
+ by the plymouth theme displaying the data above. It can be overridden
+ by themes supporting i18n.
+
+
+
+
+ Cancel message, sent as a traditional plymouth message:
+ fsckd-cancel-msg:<string>
+
+
+ <strings>
+ a translated string ready to be displayed
+ by the plymouth theme indicating that Control+C can be used to cancel
+ current checks. It can be overridden (matching only
+ fsckd-cancel-msg prefix)
+ by themes supporting i18n.
+
+
+
+
+
+
+ Options
+
+ The following options are understood:
+
+
+
+
+
+
+
+
+
+ Exit status
+
+ On success, 0 is returned, a non-zero failure
+ code otherwise. Note that the daemon stays idle for
+ a while to accept new fsck
+ connections before exiting.
+
+
+
+ See Also
+
+ systemd1,
+ systemd-fsck8,
+ fsck8,
+ systemd-quotacheck.service8,
+ fsck.btrfs8,
+ fsck.cramfs8,
+ fsck.ext48,
+ fsck.fat8,
+ fsck.hfsplus8,
+ fsck.minix8,
+ fsck.ntfs8,
+ fsck.xfs8
+
+
+
+
diff --git a/man/systemd.automount.xml b/man/systemd.automount.xml
index da35a7d26b..c7c8b91e14 100644
--- a/man/systemd.automount.xml
+++ b/man/systemd.automount.xml
@@ -26,10 +26,9 @@
Description
- A unit configuration file whose name ends in
- .automount encodes information about a file
- system automount point controlled and supervised by
- systemd.
+ A unit configuration file whose name ends in .automount encodes information
+ about a file system automount point controlled and supervised by systemd. Automount units may be used to
+ implement on-demand mounting as well as parallelized mounting of file systems.
This man page lists the configuration options specific to
this unit type. See
@@ -55,9 +54,6 @@
accesses /home/lennart the mount unit
home-lennart.mount will be activated.
- Automount units may be used to implement on-demand mounting
- as well as parallelized mounting of file systems.
-
Note that automount units are separate from the mount itself, so you
should not set After= or Requires=
for mount dependencies here. For example, you should not set
@@ -65,8 +61,11 @@
filesystems. Doing so may result in an ordering cycle.
Note that automount support on Linux is privileged, automount units are hence only available in the
- system service manager (and root's user service manager), but not in unprivileged user's service
- manager.
+ system service manager (and root's user service manager), but not in unprivileged users' service
+ managers.
+
+ Note that automount units should not be nested. (The establishment of the inner automount point
+ would unconditionally pin the outer mount point, defeating its purpose.)
@@ -78,12 +77,12 @@
The following dependencies are implicitly added:
- If an automount unit is beneath another mount unit in the
- file system hierarchy, both a requirement and an ordering
- dependency between both units are created automatically.
+ If an automount unit is beneath another mount unit in the file system hierarchy, a
+ requirement and ordering dependencies are created to the on the unit higher in the hierarchy.
+
- An implicit Before= dependency is created
- between an automount unit and the mount unit it activates.
+ An implicit Before= dependency is created between an automount
+ unit and the mount unit it activates.
@@ -161,6 +160,7 @@
creating these directories. Takes an access mode in octal
notation. Defaults to 0755.
+
TimeoutIdleSec=
Configures an idle timeout. Once the mount has been
diff --git a/meson.build b/meson.build
index 36cbfa4893..03208c0135 100644
--- a/meson.build
+++ b/meson.build
@@ -146,6 +146,7 @@ rootlibdir = get_option('rootlibdir')
if rootlibdir == ''
rootlibdir = rootprefixdir / libdir.split('/')[-1]
endif
+rootpkglibdir = rootlibdir / 'systemd'
install_sysconfdir = get_option('install-sysconfdir') != 'false'
install_sysconfdir_samples = get_option('install-sysconfdir') == 'true'
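Review bot: `rootpkglibdir` is introduced without a comment, although the later hunks in this file embed it as `install_rpath` in the installed executables, which makes it a dynamic-loader search path baked into each binary. Assuming this is the directory where the private shared library is installed, a line such as `# Private library directory; used as install_rpath, so it must be an absolute, root-owned path` above the assignment would record the constraint. The value is built from the `rootlibdir` option, which is used as given when non-empty. Whether an absolute path is enforced elsewhere is not visible in this hunk; if it is not, rejecting a relative value at configure time would be worth adding.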
@@ -1981,7 +1982,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
tpm2,
versiondep],
link_depends : cryptsetup_token_sym,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : libcryptsetup_plugins_dir)
endif
@@ -1999,7 +2000,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
libfido2,
versiondep],
link_depends : cryptsetup_token_sym,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : libcryptsetup_plugins_dir)
endif
@@ -2017,7 +2018,7 @@ if conf.get('HAVE_LIBCRYPTSETUP_PLUGINS') == 1
libp11kit,
versiondep],
link_depends : cryptsetup_token_sym,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : libcryptsetup_plugins_dir)
endif
@@ -2152,7 +2153,7 @@ exe = executable(
libshared],
dependencies : [versiondep,
libseccomp],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
dbus_programs += exe
@@ -2170,7 +2171,7 @@ public_programs += executable(
libshared],
dependencies : [versiondep,
libseccomp],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : conf.get('ENABLE_ANALYZE'))
executable(
@@ -2184,7 +2185,7 @@ executable(
liblz4,
libselinux,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2195,7 +2196,7 @@ public_programs += executable(
link_with : [libjournal_core,
libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -2209,7 +2210,7 @@ public_programs += executable(
liblz4,
libzstd,
libdl],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -2218,7 +2219,7 @@ executable(
'src/getty-generator/getty-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2227,7 +2228,7 @@ executable(
'src/debug-generator/debug-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2236,7 +2237,7 @@ executable(
'src/run-generator/run-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2245,7 +2246,7 @@ exe = executable(
'src/fstab-generator/fstab-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2263,7 +2264,7 @@ if conf.get('ENABLE_ENVIRONMENT_D') == 1
'src/environment-d-generator/environment-d-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : userenvgeneratordir)
@@ -2278,7 +2279,7 @@ if conf.get('ENABLE_HIBERNATE') == 1
'src/hibernate-resume/hibernate-resume-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2287,7 +2288,7 @@ if conf.get('ENABLE_HIBERNATE') == 1
'src/hibernate-resume/hibernate-resume.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2299,7 +2300,7 @@ if conf.get('HAVE_BLKID') == 1
include_directories : includes,
link_with : [libshared],
dependencies : libblkid,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2308,7 +2309,7 @@ if conf.get('HAVE_BLKID') == 1
'src/dissect/dissect.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
endif
@@ -2321,7 +2322,7 @@ if conf.get('ENABLE_RESOLVE') == 1
libbasic_gcrypt,
libsystemd_resolve_core],
dependencies : systemd_resolved_dependencies,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2336,7 +2337,7 @@ if conf.get('ENABLE_RESOLVE') == 1
lib_openssl_or_gcrypt,
libm,
libidn],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
meson.add_install_script(meson_make_symlink,
@@ -2357,7 +2358,7 @@ if conf.get('ENABLE_LOGIND') == 1
libshared],
dependencies : [threads,
libacl],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2370,7 +2371,7 @@ if conf.get('ENABLE_LOGIND') == 1
liblz4,
libxz,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -2379,7 +2380,7 @@ if conf.get('ENABLE_LOGIND') == 1
'src/login/inhibit.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -2416,7 +2417,7 @@ if conf.get('ENABLE_LOGIND') == 1
user_runtime_dir_sources,
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2427,7 +2428,7 @@ if conf.get('HAVE_PAM') == 1
'src/user-sessions/user-sessions.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2445,7 +2446,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
include_directories : includes,
link_with : [boot_link_with],
dependencies : [libblkid],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -2454,7 +2455,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
include_directories : includes,
link_with : [boot_link_with],
dependencies : [libblkid],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2463,7 +2464,7 @@ if conf.get('HAVE_BLKID') == 1 and conf.get('HAVE_GNU_EFI') == 1
'src/boot/bless-boot-generator.c',
include_directories : includes,
link_with : [boot_link_with],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
endif
@@ -2474,7 +2475,7 @@ executable(
include_directories : includes,
link_with : [libshared],
dependencies : [libblkid],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2484,7 +2485,7 @@ public_programs += executable(
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
systemctl = executable(
@@ -2498,7 +2499,7 @@ systemctl = executable(
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
public_programs += systemctl
@@ -2510,7 +2511,7 @@ if conf.get('ENABLE_PORTABLED') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads, libselinux],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2520,7 +2521,7 @@ if conf.get('ENABLE_PORTABLED') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
endif
@@ -2531,7 +2532,7 @@ if conf.get('ENABLE_SYSEXT') == 1
systemd_sysext_sources,
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
endif
@@ -2543,7 +2544,7 @@ if conf.get('ENABLE_USERDB') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2553,7 +2554,7 @@ if conf.get('ENABLE_USERDB') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2563,9 +2564,8 @@ if conf.get('ENABLE_USERDB') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
- install : true,
- install_dir : rootbindir)
+ install_rpath : rootpkglibdir,
+ install : true)
endif
if conf.get('ENABLE_HOMED') == 1
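Review bot: Besides the rpath change, this hunk drops `install_dir : rootbindir`, so the executable falls back to Meson's default install directory; the same happens in the `@@ -2607,9 +2607,8 @@` hunk under `ENABLE_HOMED`. On a split-usr layout that presumably moves the binary out of the root prefix, which packagers and any unit or script referring to the old path would need to know about. If this is intended, a comment at the call such as `# installed to bindir on purpose, not rootbindir` would make it clear that it is not an accident of the rename. The `executable()` call starts outside the hunk, so the target name is not visible here.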
@@ -2580,7 +2580,7 @@ if conf.get('ENABLE_HOMED') == 1
libopenssl,
libfdisk,
libp11kit],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2593,7 +2593,7 @@ if conf.get('ENABLE_HOMED') == 1
libcrypt,
libopenssl,
libm],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2607,9 +2607,8 @@ if conf.get('ENABLE_HOMED') == 1
libopenssl,
libp11kit,
libdl],
- install_rpath : rootlibexecdir,
- install : true,
- install_dir : rootbindir)
+ install_rpath : rootpkglibdir,
+ install : true)
if conf.get('HAVE_PAM') == 1
version_script_arg = project_source_root / pam_systemd_home_sym
@@ -2650,7 +2649,7 @@ if conf.get('ENABLE_BACKLIGHT') == 1
'src/backlight/backlight.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2661,7 +2660,7 @@ if conf.get('ENABLE_RFKILL') == 1
'src/rfkill/rfkill.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2671,7 +2670,7 @@ executable(
'src/system-update-generator/system-update-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2683,7 +2682,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
link_with : [libshared],
dependencies : [libcryptsetup,
libp11kit],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2692,7 +2691,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/cryptsetup/cryptsetup-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2702,7 +2701,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2711,7 +2710,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
'src/veritysetup/veritysetup-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2724,7 +2723,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
libdl,
libopenssl,
libp11kit],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
executable(
@@ -2733,7 +2732,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [libcryptsetup],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2742,7 +2741,7 @@ if conf.get('HAVE_LIBCRYPTSETUP') == 1
['src/integritysetup/integritysetup-generator.c', 'src/integritysetup/integrity-util.c'],
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
endif
@@ -2753,7 +2752,7 @@ if conf.get('HAVE_SYSV_COMPAT') == 1
'src/sysv-generator/sysv-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
@@ -2769,7 +2768,7 @@ if conf.get('HAVE_SYSV_COMPAT') == 1
'src/rc-local-generator/rc-local-generator.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : systemgeneratordir)
endif
@@ -2780,7 +2779,7 @@ if conf.get('ENABLE_XDG_AUTOSTART') == 1
systemd_xdg_autostart_generator_sources,
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : usergeneratordir)
@@ -2789,7 +2788,7 @@ if conf.get('ENABLE_XDG_AUTOSTART') == 1
'src/xdg-autostart-generator/xdg-autostart-condition.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2800,7 +2799,7 @@ if conf.get('ENABLE_HOSTNAMED') == 1
'src/hostname/hostnamed.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2809,7 +2808,7 @@ if conf.get('ENABLE_HOSTNAMED') == 1
'src/hostname/hostnamectl.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
endif
@@ -2828,7 +2827,7 @@ if conf.get('ENABLE_LOCALED') == 1
include_directories : includes,
link_with : [libshared],
dependencies : deps,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2837,7 +2836,7 @@ if conf.get('ENABLE_LOCALED') == 1
localectl_sources,
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
endif
@@ -2847,7 +2846,7 @@ if conf.get('ENABLE_TIMEDATED') == 1
'src/timedate/timedated.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2857,7 +2856,7 @@ if conf.get('ENABLE_TIMEDATECTL') == 1
'timedatectl',
'src/timedate/timedatectl.c',
include_directories : includes,
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
link_with : [libshared],
dependencies : [libm],
install : true)
@@ -2871,7 +2870,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
link_with : [libtimesyncd_core],
dependencies : [threads,
libm],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2880,7 +2879,7 @@ if conf.get('ENABLE_TIMESYNCD') == 1
'src/timesync/wait-sync.c',
include_directories : includes,
link_with : [libtimesyncd_core],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -2892,7 +2891,7 @@ if conf.get('ENABLE_MACHINED') == 1
include_directories : includes,
link_with : [libmachine_core,
libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2905,7 +2904,7 @@ if conf.get('ENABLE_MACHINED') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
endif
@@ -2917,7 +2916,7 @@ if conf.get('ENABLE_IMPORTD') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2933,7 +2932,7 @@ if conf.get('ENABLE_IMPORTD') == 1
libz,
libbzip2,
libxz],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2947,7 +2946,7 @@ if conf.get('ENABLE_IMPORTD') == 1
libz,
libbzip2,
libxz],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2957,7 +2956,7 @@ if conf.get('ENABLE_IMPORTD') == 1
include_directories : includes,
link_with : [libshared,
lib_import_common],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2971,7 +2970,7 @@ if conf.get('ENABLE_IMPORTD') == 1
libz,
libbzip2,
libxz],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -2991,7 +2990,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_LIBCURL') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3009,7 +3008,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3024,7 +3023,7 @@ if conf.get('ENABLE_REMOTE') == 1 and conf.get('HAVE_MICROHTTPD') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3041,7 +3040,7 @@ if conf.get('ENABLE_COREDUMP') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3055,7 +3054,7 @@ if conf.get('ENABLE_COREDUMP') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
endif
@@ -3070,7 +3069,7 @@ if conf.get('ENABLE_PSTORE') == 1
libxz,
liblz4,
libzstd],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3081,7 +3080,7 @@ if conf.get('ENABLE_OOMD') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3091,7 +3090,7 @@ if conf.get('ENABLE_OOMD') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
endif
@@ -3101,7 +3100,7 @@ if conf.get('ENABLE_BINFMT') == 1
'src/binfmt/binfmt.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3123,7 +3122,7 @@ if conf.get('ENABLE_SYSUPDATE') == 1
libblkid,
libfdisk,
libopenssl],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
public_programs += exe
@@ -3135,7 +3134,7 @@ if conf.get('ENABLE_VCONSOLE') == 1
'src/vconsole/vconsole-setup.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3146,7 +3145,7 @@ if conf.get('ENABLE_RANDOMSEED') == 1
'src/random-seed/random-seed.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3158,7 +3157,7 @@ if conf.get('ENABLE_FIRSTBOOT') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [libcrypt],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
endif
@@ -3168,7 +3167,7 @@ executable(
'src/remount-fs/remount-fs.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3177,7 +3176,7 @@ executable(
'src/machine-id-setup/machine-id-setup-main.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3186,7 +3185,7 @@ executable(
'src/fsck/fsck.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3194,7 +3193,7 @@ executable('systemd-growfs',
'src/partition/growfs.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3203,7 +3202,16 @@ executable(
'src/partition/makefs.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
+ install : true,
+ install_dir : rootlibexecdir)
+
+executable(
+ 'systemd-fsckd',
+ 'src/fsckd/fsckd.c',
+ include_directories : includes,
+ link_with : [libshared],
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3212,7 +3220,7 @@ executable(
'src/sleep/sleep.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3226,7 +3234,7 @@ public_programs += executable(
'src/sysctl/sysctl.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3235,7 +3243,7 @@ executable(
'src/ac-power/ac-power.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3244,7 +3252,7 @@ public_programs += executable(
'src/detect-virt/detect-virt.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3252,7 +3260,7 @@ public_programs += executable(
'src/delta/delta.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3260,7 +3268,7 @@ public_programs += executable(
'src/escape/escape.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3269,7 +3277,7 @@ public_programs += executable(
'src/notify/notify.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3280,7 +3288,7 @@ public_programs += executable(
link_with : [libshared],
dependencies : [threads,
libopenssl],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3289,7 +3297,7 @@ executable(
'src/volatile-root/volatile-root.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : conf.get('ENABLE_INITRD') == 1,
install_dir : rootlibexecdir)
@@ -3298,7 +3306,7 @@ executable(
'src/cgroups-agent/cgroups-agent.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3307,7 +3315,7 @@ systemd_id128 = executable(
'src/id128/id128.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += systemd_id128
@@ -3324,7 +3332,7 @@ public_programs += executable(
'src/path/path.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3332,7 +3340,7 @@ public_programs += executable(
'src/ask-password/ask-password.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3341,7 +3349,7 @@ executable(
'src/reply-password/reply-password.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3350,7 +3358,7 @@ public_programs += executable(
'src/tty-ask-password-agent/tty-ask-password-agent.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
@@ -3359,7 +3367,7 @@ public_programs += executable(
'src/cgls/cgls.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3367,7 +3375,7 @@ public_programs += executable(
'src/cgtop/cgtop.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
executable(
@@ -3375,7 +3383,7 @@ executable(
'src/initctl/initctl.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : (conf.get('HAVE_SYSV_COMPAT') == 1),
install_dir : rootlibexecdir)
@@ -3385,7 +3393,7 @@ public_programs += executable(
include_directories : includes,
link_with : [libshared],
dependencies: [libmount],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
meson.add_install_script(meson_make_symlink,
@@ -3396,7 +3404,7 @@ public_programs += executable(
'src/run/run.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3405,7 +3413,7 @@ public_programs += executable(
include_directories : includes,
link_with : [libshared],
dependencies : [versiondep],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
public_programs += executable(
@@ -3414,7 +3422,7 @@ public_programs += executable(
include_directories : includes,
link_with : [libshared],
dependencies : [versiondep],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
if enable_sysusers
@@ -3423,7 +3431,7 @@ if enable_sysusers
'src/sysusers/sysusers.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
public_programs += exe
@@ -3465,7 +3473,7 @@ if conf.get('ENABLE_TMPFILES') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [libacl],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
public_programs += exe
@@ -3527,7 +3535,7 @@ if conf.get('ENABLE_QUOTACHECK') == 1
'src/quotacheck/quotacheck.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
endif
@@ -3538,7 +3546,7 @@ public_programs += executable(
include_directories : includes,
link_with : [libshared],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3567,7 +3575,7 @@ if conf.get('ENABLE_REPART') == 1
dependencies : [threads,
libblkid,
libfdisk],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
public_programs += exe
@@ -3585,7 +3593,7 @@ executable(
include_directories : includes,
link_with : [libshared],
dependencies : [libmount],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3594,7 +3602,7 @@ executable(
'src/update-done/update-done.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3604,7 +3612,7 @@ executable(
include_directories : includes,
link_with : [libshared],
dependencies : [libaudit],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : (conf.get('ENABLE_UTMP') == 1),
install_dir : rootlibexecdir)
@@ -3615,7 +3623,7 @@ if conf.get('HAVE_KMOD') == 1
include_directories : includes,
link_with : [libshared],
dependencies : [libkmod],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3635,7 +3643,7 @@ public_programs += executable(
libshared],
dependencies : [libblkid,
libseccomp],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true)
if conf.get('ENABLE_NETWORKD') == 1
@@ -3647,7 +3655,7 @@ if conf.get('ENABLE_NETWORKD') == 1
libsystemd_network,
networkd_link_with],
dependencies : [threads],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3656,7 +3664,7 @@ if conf.get('ENABLE_NETWORKD') == 1
systemd_networkd_wait_online_sources,
include_directories : includes,
link_with : [networkd_link_with],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3666,7 +3674,7 @@ if conf.get('ENABLE_NETWORKD') == 1
include_directories : libsystemd_network_includes,
link_with : [libsystemd_network,
networkd_link_with],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootbindir)
endif
@@ -3676,7 +3684,7 @@ exe = executable(
network_generator_sources,
include_directories : includes,
link_with : [networkd_link_with],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3693,7 +3701,7 @@ executable(
'src/sulogin-shell/sulogin-shell.c',
include_directories : includes,
link_with : [libshared],
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : true,
install_dir : rootlibexecdir)
@@ -3756,7 +3764,7 @@ foreach tuple : tests
dependencies],
c_args : defs,
build_by_default : want_tests != 'false',
- install_rpath : rootlibexecdir,
+ install_rpath : rootpkglibdir,
install : install_tests,
install_dir : testsdir / type,
link_depends : runtest_env)
diff --git a/meson_options.txt b/meson_options.txt
index 26d1170c50..80ec0c259c 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -436,17 +436,17 @@ option('efi-includedir', type : 'string', value : '/usr/include/efi',
description : 'path to the EFI header directory')
option('efi-tpm-pcr-compat', type : 'boolean', value : 'false',
description : 'Measure kernel command line also into TPM PCR 8 (in addition to 12)')
-option('sbat-distro', type : 'string', value : 'auto',
+option('sbat-distro', type : 'string', value : 'endless',
description : 'SBAT distribution ID, e.g. fedora, or auto for autodetection')
option('sbat-distro-generation', type : 'integer', value : 1,
description : 'SBAT distribution generation')
-option('sbat-distro-summary', type : 'string',
+option('sbat-distro-summary', type : 'string', value : 'Endless OS Foundation LLC',
description : 'SBAT distribution summary, e.g. Fedora')
-option('sbat-distro-pkgname', type : 'string',
+option('sbat-distro-pkgname', type : 'string', value : 'systemd-boot',
description : 'SBAT distribution package name, e.g. systemd')
option('sbat-distro-version', type : 'string',
description : 'SBAT distribution package version, e.g. 248-7.fc34')
-option('sbat-distro-url', type : 'string',
+option('sbat-distro-url', type : 'string', value : 'https://github.com/endlessm/systemd',
description : 'SBAT distribution URL, e.g. https://src.fedoraproject.org/rpms/systemd')
option('efi-color-normal', type : 'string', value : 'lightgray,black',
description : 'general boot loader color in "foreground,background" form, see constants from eficon.h')
diff --git a/po/POTFILES.in b/po/POTFILES.in
index e045852443..131e4bc503 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -12,3 +12,4 @@ src/portable/org.freedesktop.portable1.policy
src/resolve/org.freedesktop.resolve1.policy
src/timedate/org.freedesktop.timedate1.policy
src/core/dbus-unit.c
+src/fsckd/fsckd.c
diff --git a/rules.d/50-udev-default.rules.in b/rules.d/50-udev-default.rules.in
index 0394530479..2522b1de81 100644
--- a/rules.d/50-udev-default.rules.in
+++ b/rules.d/50-udev-default.rules.in
@@ -26,7 +26,7 @@ SUBSYSTEM=="tty", KERNEL=="sclp_line[0-9]*", GROUP="tty", MODE="0620"
SUBSYSTEM=="tty", KERNEL=="ttysclp[0-9]*", GROUP="tty", MODE="0620"
SUBSYSTEM=="tty", KERNEL=="3270/tty[0-9]*", GROUP="tty", MODE="0620"
SUBSYSTEM=="vc", KERNEL=="vcs*|vcsa*", GROUP="tty"
-KERNEL=="tty[A-Z]*[0-9]|ttymxc[0-9]*|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout"
+KERNEL=="tty[A-Z]*[0-9]|ttymxc[0-9]*|pppox[0-9]*|ircomm[0-9]*|noz[0-9]*|rfcomm[0-9]*", GROUP="dialout", MODE="0666"
SUBSYSTEM=="mem", KERNEL=="mem|kmem|port", GROUP="kmem", MODE="0640"
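Review bot: `MODE="0666"` on this rule makes every matching node (serial ports, `rfcomm`, `pppox`, `ircomm`, …) readable and writable by all local users, so the `GROUP="dialout"` assignment on the same line no longer restricts anything. If the aim is to let the logged-in desktop user reach serial adapters, a narrower grant keeps the group boundary, for example `MODE="0660"` plus `TAG+="uaccess"` on the specific devices that need it. If world access really is intended, a comment above the rule giving the reason would help whoever rebases this downstream patch.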
diff --git a/rules.d/60-persistent-storage.rules b/rules.d/60-persistent-storage.rules
index de08428207..0725fd89e3 100644
--- a/rules.d/60-persistent-storage.rules
+++ b/rules.d/60-persistent-storage.rules
@@ -103,7 +103,7 @@ KERNEL=="vd*[0-9]", ENV{ID_PATH}=="pci-*", SYMLINK+="disk/by-path/virtio-$env{ID
KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="?*", \
IMPORT{builtin}="blkid --hint=session_offset=$env{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}"
# single-session CDs do not have ID_CDROM_MEDIA_SESSION_LAST_OFFSET
-KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="", \
+KERNEL=="sr*", ENV{DISK_EJECT_REQUEST}!="?*", ENV{ID_CDROM_MEDIA_SESSION_LAST_OFFSET}=="", \
IMPORT{builtin}="blkid --noraid"
# probe filesystem metadata of disks
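Review bot: With the `ENV{ID_CDROM_MEDIA_TRACK_COUNT_DATA}=="?*"` match removed, the `blkid --noraid` import runs for any `sr*` device whose session offset is empty, including ones that report no data tracks at all. The comment above the rule still only explains the single-session case. Please record why the data-track check was dropped, e.g. `# Endless: also probe when no data track count is reported (<reason>)`, so the difference from the multi-session rule just before it is not taken for an accident.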
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index 95bf177a6b..b03cc70e2e 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -357,20 +357,29 @@ int cg_kill(
Set *s,
cg_kill_log_func_t log_kill,
void *userdata) {
- int r;
+
+ int r, ret;
r = cg_kill_items(controller, path, sig, flags, s, log_kill, userdata, "cgroup.procs");
if (r < 0 || sig != SIGKILL)
return r;
+ ret = r;
+
/* Only in case of killing with SIGKILL and when using cgroupsv2, kill remaining threads manually as
a workaround for kernel bug. It was fixed in 5.2-rc5 (c03cd7738a83), backported to 4.19.66
(4340d175b898) and 4.14.138 (feb6b123b7dd). */
r = cg_unified_controller(controller);
- if (r <= 0)
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return ret;
+
+ r = cg_kill_items(controller, path, sig, flags, s, log_kill, userdata, "cgroup.threads");
+ if (r < 0)
return r;
- return cg_kill_items(controller, path, sig, flags, s, log_kill, userdata, "cgroup.threads");
+ return r > 0 || ret > 0;
}
int cg_kill_kernel_sigkill(const char *controller, const char *path) {
diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index c309369406..6e3fbd1e88 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -1477,19 +1477,43 @@ int get_timezone(char **ret) {
const char *e;
char *z;
int r;
+ bool use_utc_fallback = false;
r = readlink_malloc("/etc/localtime", &t);
- if (r == -ENOENT) {
- /* If the symlink does not exist, assume "UTC", like glibc does */
- z = strdup("UTC");
+ if (r < 0) {
+ if (r == -ENOENT)
+ use_utc_fallback = true;
+ else if (r != -EINVAL)
+ return r; /* returns EINVAL if not a symlink */
+
+ r = read_one_line_file("/etc/timezone", &t);
+ if (r < 0) {
+ if (r != -ENOENT)
+ log_warning_errno(r, "Failed to read /etc/timezone: %m");
+
+ if (use_utc_fallback) {
+ /* If the /etc/localtime symlink does not exist and we failed
+ * to read /etc/timezone, assume "UTC", like glibc does */
+ z = strdup("UTC");
+ if (!z)
+ return -ENOMEM;
+
+ *ret = z;
+ return 0;
+ }
+
+ return -EINVAL;
+ }
+
+ if (!timezone_is_valid(t, LOG_DEBUG))
+ return -EINVAL;
+ z = strdup(t);
if (!z)
return -ENOMEM;
*ret = z;
return 0;
}
- if (r < 0)
- return r; /* returns EINVAL if not a symlink */
e = PATH_STARTSWITH_SET(t, "/usr/share/zoneinfo/", "../usr/share/zoneinfo/");
if (!e)
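Review bot: When `/etc/localtime` is absent and `/etc/timezone` exists but holds an invalid name, the new `if (!timezone_is_valid(t, LOG_DEBUG)) return -EINVAL;` turns what used to be a successful "UTC" result into an error, because the UTC fallback is only reached when the read itself fails. Treating invalid content like a failed read keeps the old guarantee: put `if (r >= 0 && !timezone_is_valid(t, LOG_DEBUG)) r = -EINVAL;` directly after `read_one_line_file()` and drop the later validity check. The comment "like glibc does" also deserves a qualifier, since the function now prefers `/etc/timezone` over UTC when the symlink is missing and can therefore name a zone that differs from the one libc applies. get_timezone() starts and ends outside this hunk.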
diff --git a/src/boot/bootctl.c b/src/boot/bootctl.c
index b6bd1dfd65..2d7432bb02 100644
--- a/src/boot/bootctl.c
+++ b/src/boot/bootctl.c
@@ -1969,13 +1969,16 @@ static int verb_install(int argc, char *argv[], void *userdata) {
(void) sync_everything();
- if (arg_touch_variables)
- r = install_variables(arg_esp_path,
- part, pstart, psize, uuid,
- "/EFI/systemd/systemd-boot" EFI_MACHINE_TYPE_NAME ".efi",
- install);
+ if (!arg_touch_variables)
+ return 0;
- return r;
+ r = install_variables(arg_esp_path, part, pstart, psize, uuid,
+ "/EFI/systemd/systemd-boot" EFI_MACHINE_TYPE_NAME ".efi",
+ install);
+ if (r < 0)
+ return r;
+
+ return 0;
}
static int verb_remove(int argc, char *argv[], void *userdata) {
diff --git a/src/boot/efi/boot.c b/src/boot/efi/boot.c
index fb08b99333..6b3c4bc8bc 100644
--- a/src/boot/efi/boot.c
+++ b/src/boot/efi/boot.c
@@ -1573,8 +1573,39 @@ static void config_entry_add_from_file(
TAKE_PTR(entry);
}
+static CHAR16 *resolve_link(EFI_FILE *root_dir, CHAR16 *link, CHAR16 *file) {
+ EFI_STATUS err;
+ _cleanup_freepool_ CHAR8 *contents = NULL;
+ _cleanup_freepool_ CHAR16 *linkname = NULL;
+ _cleanup_freepool_ CHAR16 *target = NULL;
+ CHAR16 *out = NULL;
+
+ linkname = AllocatePool(StrSize(link) + StrSize(L".sln"));
+ if (!linkname)
+ return NULL;
+ StrCpy(linkname, link);
+ StrCat(linkname, L".sln");
+
+ err = file_read(root_dir, linkname, 0, 0, &contents, NULL);
+ if (EFI_ERROR(err))
+ return NULL;
+
+ target = xstra_to_str(contents);
+ if (!target)
+ return NULL;
+
+ out = AllocatePool(StrSize(target) + StrSize(file));
+ if (!out)
+ return NULL;
+ StrCpy(out, target);
+ StrCat(out, file);
+
+ return out;
+}
+
static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
_cleanup_freepool_ CHAR8 *content = NULL;
+ _cleanup_freepool_ CHAR16 *link = NULL;
UINTN value;
EFI_STATUS err;
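Review bot: `resolve_link()` uses the bytes read from `<link>.sln` verbatim as a path prefix, so a trailing newline makes the later open fail, and an empty file resolves to `<file>` at the volume root. In both cases the callers do not fall back to the default directory, because they only do so when the function returns NULL. Trim trailing whitespace and return NULL for an empty target or one that does not start with `\` before concatenating. The function also has no comment describing the file format; something like `/* Reads <link>.sln, which holds the absolute path the link stands for, and returns a newly allocated <target><file>, or NULL if the link file is missing or malformed. */` above it would make the contract explicit.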
@@ -1593,7 +1624,10 @@ static void config_load_defaults(Config *config, EFI_FILE *root_dir) {
.timeout_sec_efivar = TIMEOUT_UNSET,
};
- err = file_read(root_dir, L"\\loader\\loader.conf", 0, 0, &content, NULL);
+ link = resolve_link(root_dir, L"\\loader", L"\\entries");
+ if (!link)
+ link = L"\\loader\\entries";
+ err = file_read(root_dir, link, 0, 0, &content, NULL);
if (!EFI_ERROR(err))
config_defaults_load_from_file(config, content);
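Review bot: `link` is declared `_cleanup_freepool_`, so the fallback `link = L"\\loader\\entries";` leaves a string literal in a pointer that is freed at scope exit; the `config_load_entries` hunk below does the same. Keep the literal out of the owned pointer, e.g. `err = file_read(root_dir, link ?: L"\\loader\\loader.conf", 0, 0, &content, NULL);`. Separately, this hunk replaces the read of `\loader\loader.conf` with `\loader\entries` in both the `resolve_link()` call and the fallback. That looks copied from the entries code and would stop loader.conf from being loaded, so the third argument here should presumably be `L"\\loader.conf"`.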
@@ -1639,6 +1673,7 @@ static void config_load_entries(
_cleanup_freepool_ EFI_FILE_INFO *f = NULL;
UINTN f_size = 0;
EFI_STATUS err;
+ _cleanup_freepool_ CHAR16 *link = NULL;
assert(config);
assert(device);
@@ -1646,7 +1681,10 @@ static void config_load_entries(
/* Adds Boot Loader Type #1 entries (i.e. /loader/entries/….conf) */
- err = open_directory(root_dir, L"\\loader\\entries", &entries_dir);
+ link = resolve_link(root_dir, L"\\loader", L"\\entries");
+ if (!link)
+ link = L"\\loader\\entries";
+ err = open_directory(root_dir, link, &entries_dir);
if (EFI_ERROR(err))
return;
diff --git a/src/boot/efi/meson.build b/src/boot/efi/meson.build
index 299a01b9be..5501ef70b7 100644
--- a/src/boot/efi/meson.build
+++ b/src/boot/efi/meson.build
@@ -215,7 +215,7 @@ endif
if get_option('debug') and get_option('mode') == 'developer'
efi_cflags += ['-ggdb', '-DEFI_DEBUG']
endif
-if get_option('optimization') != '0'
+if get_option('optimization') in ['1', '2', '3', 's', 'g']
efi_cflags += ['-O' + get_option('optimization')]
endif
if get_option('b_ndebug') == 'true' or (
@@ -260,6 +260,13 @@ efi_ldflags = [
'-z', 'nocombreloc',
efi_crt0,
]
+
+possible_link_flags = [
+ '-Wl,--no-warn-execstack',
+ '-Wl,--no-warn-rwx-segments',
+]
+efi_ldflags += cc.get_supported_link_arguments(possible_link_flags)
+
if efi_arch[1] in ['aarch64', 'arm', 'riscv64']
efi_ldflags += ['-shared']
# Aarch64, ARM32 and 64bit RISC-V don't have an EFI capable objcopy.
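Review bot: The two `--no-warn-*` flags silence the linker's executable-stack and RWX-segment diagnostics for the EFI link, with no explanation of why that is acceptable here. A short comment above `possible_link_flags` would keep a later reader from copying the pattern into userspace targets, for example `# ELF stack/segment permissions are not carried into the PE image built from this link, so these warnings are noise for EFI binaries`. Adjust the wording if the actual reason differs.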
diff --git a/src/boot/efi/stub.c b/src/boot/efi/stub.c
index 40f615b2b3..3f103396e3 100644
--- a/src/boot/efi/stub.c
+++ b/src/boot/efi/stub.c
@@ -17,6 +17,31 @@
/* magic string to find in the binary image */
_used_ _section_(".sdmagic") static const char magic[] = "#### LoaderInfo: systemd-stub " GIT_VERSION " ####";
+/* Allowed kernel cmdline options */
+static CHAR16 *allowed_opts[] = {
+ L"ostree",
+ L"rw",
+ L"quiet",
+ L"splash",
+ L"plymouth.ignore-serial-consoles",
+ L"loglevel",
+ NULL
+};
+
+static BOOLEAN validate_option(CHAR16 *pos, UINTN len)
+{
+ UINTN optlen = 0, i;
+
+ while (optlen < len && pos[optlen] != ' ' && pos[optlen] != '=')
+ optlen++;
+
+ for (i = 0; i < ELEMENTSOF(allowed_opts); i++)
+ if (StrnCmp(pos, allowed_opts[i], optlen) == 0)
+ return TRUE;
+
+ return FALSE;
+}
+
static EFI_STATUS combine_initrd(
EFI_PHYSICAL_ADDRESS initrd_base, UINTN initrd_size,
const void *credential_initrd, UINTN credential_initrd_size,
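Review bot: `validate_option()` compares only the first `optlen` characters, so any token that is a prefix of an allowed name passes the allow-list that is meant to hold under Secure Boot. An empty token, where `optlen` is 0, presumably passes as well. The loop also runs to `ELEMENTSOF(allowed_opts)`, which includes the `NULL` sentinel and hands it to `StrnCmp()`. Iterate to the sentinel and require an exact-length match: `for (i = 0; allowed_opts[i]; i++)` with `if (StrLen(allowed_opts[i]) == optlen && StrnCmp(pos, allowed_opts[i], optlen) == 0)`. A comment on `allowed_opts` should also state that only option names are checked, not their values.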
@@ -210,20 +235,42 @@ EFI_STATUS efi_main(EFI_HANDLE image, EFI_SYSTEM_TABLE *sys_table) {
cmdline_len = szs[SECTION_CMDLINE];
}
- /* if we are not in secure boot mode, or none was provided, accept a custom command line and replace the built-in one */
- if ((!secure_boot_enabled() || cmdline_len == 0) && loaded_image->LoadOptionsSize > 0 &&
- *(CHAR16 *) loaded_image->LoadOptions > 0x1F) {
- cmdline_len = (loaded_image->LoadOptionsSize / sizeof(CHAR16)) * sizeof(CHAR8);
- cmdline = cmdline_owned = xallocate_pool(cmdline_len);
-
- for (UINTN i = 0; i < cmdline_len; i++)
- cmdline[i] = ((CHAR16 *) loaded_image->LoadOptions)[i];
-
- /* Let's measure the passed kernel command line into the TPM. Note that this possibly
- * duplicates what we already did in the boot menu, if that was already used. However, since
- * we want the boot menu to support an EFI binary, and want to this stub to be usable from
- * any boot menu, let's measure things anyway. */
- (void) tpm_log_load_options(loaded_image->LoadOptions);
+ /* PAYG: combine options from both the image and the loader configuration */
+ if (loaded_image->LoadOptionsSize > 0 && *(CHAR16 *)loaded_image->LoadOptions > 0x1F) {
+ CHAR8 *line;
+ CHAR16 *options;
+ UINTN max_len, options_len, options_left, i;
+ BOOLEAN secure = secure_boot_enabled();
+
+ options_len = (loaded_image->LoadOptionsSize / sizeof(CHAR16)) * sizeof(CHAR8);
+ options_left = options_len;
+ max_len = options_len + szs[0] + 1;
+ line = AllocatePool(max_len);
+
+ /* Lose the terminating null byte */
+ cmdline_len--;
+ for (i = 0; i < cmdline_len; i++)
+ line[i] = cmdline[i];
+
+ options = (CHAR16 *)loaded_image->LoadOptions;
+ for (i = 0; i < options_len; i++) {
+ BOOLEAN safe;
+
+ /* If we're not secure booting, all options are ok */
+ safe = !secure || validate_option(&options[i], options_left);
+ if (safe)
+ line[cmdline_len++] = ' ';
+
+ while (i < options_len && options[i] != ' ') {
+ if (safe)
+ line[cmdline_len++] = options[i];
+ i++;
+ options_left--;
+ }
+ }
+ /* Make sure we're terminated */
+ line[cmdline_len++] = '\0';
+ cmdline = line;
}
export_variables(loaded_image);
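Review bot: `cmdline_len--` runs unconditionally, so if the image has no built-in command line and `cmdline_len` is still 0 (the case the removed code handled), the `UINTN` wraps and the copy loop that follows runs far past `line`. `line` also comes from an unchecked `AllocatePool()` sized through the bare index `szs[0]`, and it is never stored in `cmdline_owned`. The hunk further drops `tpm_log_load_options()`, so options passed by the loader are no longer measured into the TPM even though they now reach the kernel. The sketch below sizes the buffer from the adjusted `cmdline_len`, uses `xallocate_pool()` as the replaced code did, and restores the measurement, assuming `cmdline_owned` is still declared above. efi_main starts and ends outside this hunk.

```c
        /* … unchanged: declarations, options_len / options_left … */
                /* Drop the built-in line's terminating NUL, if there is a built-in line at all */
                if (cmdline_len > 0)
                        cmdline_len--;
                /* Worst case: every load-option character is copied, plus one leading separator and the final NUL */
                max_len = cmdline_len + options_len + 2;
                line = xallocate_pool(max_len);
        /* … unchanged: copy of the built-in line and the option filtering loop … */
                line[cmdline_len++] = '\0';
                cmdline = cmdline_owned = line;

                /* Keep measuring what the loader passed, as the replaced code did */
                (void) tpm_log_load_options(loaded_image->LoadOptions);
```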
diff --git a/src/core/bpf-firewall.c b/src/core/bpf-firewall.c
index 258d09dd45..ce3b76c512 100644
--- a/src/core/bpf-firewall.c
+++ b/src/core/bpf-firewall.c
@@ -543,7 +543,7 @@ int bpf_firewall_compile(Unit *u) {
return supported;
if (supported == BPF_FIREWALL_UNSUPPORTED)
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF firewalling not supported on this manager, proceeding without.");
+ "bpf-firewall: BPF firewalling not supported, proceeding without.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)
/* If BPF_F_ALLOW_MULTI is not supported we don't support any BPF magic on inner nodes (i.e. on slice
* units), since that would mean leaf nodes couldn't do any BPF anymore at all. Under the assumption
@@ -551,7 +551,7 @@ int bpf_firewall_compile(Unit *u) {
* consistent with old systemd behaviour from before v238, where BPF wasn't supported in inner nodes at
* all, either. */
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
+ "bpf-firewall: BPF_F_ALLOW_MULTI is not supported, not doing BPF firewall on slice units.");
/* If BPF_F_ALLOW_MULTI flag is supported program name is also supported (both were added to v4.15
* kernel). */
@@ -582,24 +582,24 @@ int bpf_firewall_compile(Unit *u) {
r = bpf_firewall_prepare_access_maps(u, ACCESS_ALLOWED, &u->ipv4_allow_map_fd, &u->ipv6_allow_map_fd, &ip_allow_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF allow maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF allow maps failed: %m");
r = bpf_firewall_prepare_access_maps(u, ACCESS_DENIED, &u->ipv4_deny_map_fd, &u->ipv6_deny_map_fd, &ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF deny maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF deny maps failed: %m");
}
r = bpf_firewall_prepare_accounting_maps(u, cc->ip_accounting, &u->ip_accounting_ingress_map_fd, &u->ip_accounting_egress_map_fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Preparation of eBPF accounting maps failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Preparation of BPF accounting maps failed: %m");
r = bpf_firewall_compile_bpf(u, ingress_name, true, &u->ip_bpf_ingress, ip_allow_any, ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Compilation for ingress BPF program failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Compilation of ingress BPF program failed: %m");
r = bpf_firewall_compile_bpf(u, egress_name, false, &u->ip_bpf_egress, ip_allow_any, ip_deny_any);
if (r < 0)
- return log_unit_error_errno(u, r, "Compilation for egress BPF program failed: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Compilation of egress BPF program failed: %m");
return 0;
}
@@ -613,15 +613,15 @@ static int load_bpf_progs_from_fs_to_set(Unit *u, char **filter_paths, Set **set
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &prog);
if (r < 0)
- return log_unit_error_errno(u, r, "Can't allocate CGROUP SKB BPF program: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Allocation of SKB BPF program failed: %m");
r = bpf_program_load_from_bpf_fs(prog, *bpf_fs_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Loading of ingress BPF program %s failed: %m", *bpf_fs_path);
+ return log_unit_error_errno(u, r, "bpf-firewall: Loading of ingress BPF program %s failed: %m", *bpf_fs_path);
r = set_ensure_consume(set, &bpf_program_hash_ops, TAKE_PTR(prog));
if (r < 0)
- return log_unit_error_errno(u, r, "Can't add program to BPF program set: %m");
+ return log_oom();
}
return 0;
@@ -645,7 +645,8 @@ int bpf_firewall_load_custom(Unit *u) {
return supported;
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI not supported on this manager, cannot attach custom BPF programs.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, cannot attach custom BPF programs.");
r = load_bpf_progs_from_fs_to_set(u, cc->ip_filters_ingress, &u->ip_bpf_custom_ingress);
if (r < 0)
@@ -671,7 +672,7 @@ static int attach_custom_bpf_progs(Unit *u, const char *path, int attach_type, S
SET_FOREACH_MOVE(prog, *set_installed, *set) {
r = bpf_program_cgroup_attach(prog, attach_type, path, BPF_F_ALLOW_MULTI);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching custom egress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r, "bpf-firewall: Attaching custom egress BPF program to cgroup %s failed: %m", path);
}
return 0;
}
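Review bot: The reworded message in `attach_custom_bpf_progs()` still hard-codes "egress" although the function receives `attach_type`, so a failure to attach an ingress program would be logged as an egress one. The "Loading of ingress BPF program" string in the `load_bpf_progs_from_fs_to_set()` hunk above has the same problem if that helper is also called for the egress list. Since the commit already touches these strings, the direction could come from the argument, e.g. `attach_type == BPF_CGROUP_INET_EGRESS ? "egress" : "ingress"` passed to a `%s`. Both functions start outside their hunks.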
@@ -697,16 +698,19 @@ int bpf_firewall_install(Unit *u) {
if (supported < 0)
return supported;
if (supported == BPF_FIREWALL_UNSUPPORTED)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF firewalling not supported on this manager, proceeding without.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF firewalling not supported, proceeding without.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI && u->type == UNIT_SLICE)
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI is not supported on this manager, not doing BPF firewall on slice units.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, not doing BPF firewall on slice units.");
if (supported != BPF_FIREWALL_SUPPORTED_WITH_MULTI &&
(!set_isempty(u->ip_bpf_custom_ingress) || !set_isempty(u->ip_bpf_custom_egress)))
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "BPF_F_ALLOW_MULTI not supported on this manager, cannot attach custom BPF programs.");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-firewall: BPF_F_ALLOW_MULTI not supported, cannot attach custom BPF programs.");
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to determine cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-firewall: Failed to determine cgroup path: %m");
flags = supported == BPF_FIREWALL_SUPPORTED_WITH_MULTI ? BPF_F_ALLOW_MULTI : 0;
@@ -728,7 +732,8 @@ int bpf_firewall_install(Unit *u) {
if (u->ip_bpf_egress) {
r = bpf_program_cgroup_attach(u->ip_bpf_egress, BPF_CGROUP_INET_EGRESS, path, flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching egress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r,
+ "bpf-firewall: Attaching egress BPF program to cgroup %s failed: %m", path);
/* Remember that this BPF program is installed now. */
u->ip_bpf_egress_installed = TAKE_PTR(u->ip_bpf_egress);
@@ -737,7 +742,8 @@ int bpf_firewall_install(Unit *u) {
if (u->ip_bpf_ingress) {
r = bpf_program_cgroup_attach(u->ip_bpf_ingress, BPF_CGROUP_INET_INGRESS, path, flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching ingress BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r,
+ "bpf-firewall: Attaching ingress BPF program to cgroup %s failed: %m", path);
u->ip_bpf_ingress_installed = TAKE_PTR(u->ip_bpf_ingress);
}
@@ -824,11 +830,11 @@ int bpf_firewall_supported(void) {
r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
if (r < 0)
- return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+ return log_error_errno(r, "bpf-firewall: Can't determine whether the unified hierarchy is used: %m");
if (r == 0) {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EUCLEAN),
- "Not running with unified cgroups, BPF firewalling is not supported.");
+ "bpf-firewall: Not running with unified cgroup hierarchy, BPF firewalling is not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
@@ -836,21 +842,21 @@ int bpf_firewall_supported(void) {
r = bpf_program_new(BPF_PROG_TYPE_CGROUP_SKB, NULL, &program);
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't allocate CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_add_instructions(program, trivial, ELEMENTSOF(trivial));
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't add trivial instructions to CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
r = bpf_program_load_kernel(program, NULL, 0);
if (r < 0) {
bpf_firewall_unsupported_reason =
- log_debug_errno(r, "Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
+ log_debug_errno(r, "bpf-firewall: Can't load kernel CGROUP SKB BPF program, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
@@ -874,7 +880,7 @@ int bpf_firewall_supported(void) {
if (bpf(BPF_PROG_DETACH, &attr, sizeof(attr)) < 0) {
if (errno != EBADF) {
bpf_firewall_unsupported_reason =
- log_debug_errno(errno, "Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
+ log_debug_errno(errno, "bpf-firewall: Didn't get EBADF from BPF_PROG_DETACH, BPF firewalling is not supported: %m");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
@@ -882,7 +888,7 @@ int bpf_firewall_supported(void) {
} else {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EBADE),
- "Wut? Kernel accepted our invalid BPF_PROG_DETACH call? "
+ "bpf-firewall: Wut? Kernel accepted our invalid BPF_PROG_DETACH call? "
"Something is weird, assuming BPF firewalling is broken and hence not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
@@ -902,20 +908,20 @@ int bpf_firewall_supported(void) {
if (bpf(BPF_PROG_ATTACH, &attr, sizeof(attr)) < 0) {
if (errno == EBADF) {
- log_debug_errno(errno, "Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
+ log_debug_errno(errno, "bpf-firewall: Got EBADF when using BPF_F_ALLOW_MULTI, which indicates it is supported. Yay!");
return supported = BPF_FIREWALL_SUPPORTED_WITH_MULTI;
}
if (errno == EINVAL)
- log_debug_errno(errno, "Got EINVAL error when using BPF_F_ALLOW_MULTI, which indicates it's not supported.");
+ log_debug_errno(errno, "bpf-firewall: Got EINVAL error when using BPF_F_ALLOW_MULTI, which indicates it's not supported.");
else
- log_debug_errno(errno, "Got unexpected error when using BPF_F_ALLOW_MULTI, assuming it's not supported: %m");
+ log_debug_errno(errno, "bpf-firewall: Got unexpected error when using BPF_F_ALLOW_MULTI, assuming it's not supported: %m");
return supported = BPF_FIREWALL_SUPPORTED;
} else {
bpf_firewall_unsupported_reason =
log_debug_errno(SYNTHETIC_ERRNO(EBADE),
- "Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? "
+ "bpf-firewall: Wut? Kernel accepted our invalid BPF_PROG_ATTACH+BPF_F_ALLOW_MULTI call? "
"Something is weird, assuming BPF firewalling is broken and hence not supported.");
return supported = BPF_FIREWALL_UNSUPPORTED;
}
diff --git a/src/core/bpf-foreign.c b/src/core/bpf-foreign.c
index 7f50f57389..83c3bac87f 100644
--- a/src/core/bpf-foreign.c
+++ b/src/core/bpf-foreign.c
@@ -63,7 +63,7 @@ static int attach_programs(Unit *u, const char *path, Hashmap* foreign_by_key, u
HASHMAP_FOREACH_KEY(prog, key, foreign_by_key) {
r = bpf_program_cgroup_attach(prog, key->attach_type, path, attach_flags);
if (r < 0)
- return log_unit_error_errno(u, r, "Attaching foreign BPF program to cgroup %s failed: %m", path);
+ return log_unit_error_errno(u, r, "bpf-foreign: Attaching foreign BPF program to cgroup %s failed: %m", path);
}
return 0;
@@ -89,31 +89,31 @@ static int bpf_foreign_prepare(
r = path_is_fs_type(bpffs_path, BPF_FS_MAGIC);
if (r < 0)
return log_unit_error_errno(u, r,
- "Failed to determine filesystem type of %s: %m", bpffs_path);
+ "bpf-foreign: Failed to determine filesystem type of %s: %m", bpffs_path);
if (r == 0)
return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL),
- "Path in BPF filesystem is expected.");
+ "bpf-foreign: Path in BPF filesystem is expected.");
r = bpf_program_new_from_bpffs_path(bpffs_path, &prog);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to create foreign BPFProgram: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to create foreign BPF program: %m");
r = bpf_program_get_id_by_fd(prog->kernel_fd, &prog_id);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get BPF program id by fd: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to get BPF program id from fd: %m");
r = bpf_foreign_key_new(prog_id, attach_type, &key);
if (r < 0)
return log_unit_error_errno(u, r,
- "Failed to create foreign BPF program key from path '%s': %m", bpffs_path);
+ "bpf-foreign: Failed to create foreign BPF program key from path '%s': %m", bpffs_path);
r = hashmap_ensure_put(&u->bpf_foreign_by_key, &bpf_foreign_by_key_hash_ops, key, prog);
if (r == -EEXIST) {
- log_unit_warning_errno(u, r, "Foreign BPF program already exists, ignoring: %m");
+ log_unit_warning_errno(u, r, "bpf-foreign: Foreign BPF program already exists, ignoring: %m");
return 0;
}
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put foreign BPFProgram into map: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to put foreign BPF program into map: %m");
TAKE_PTR(key);
TAKE_PTR(prog);
@@ -134,17 +134,17 @@ int bpf_foreign_install(Unit *u) {
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to get cgroup path: %m");
LIST_FOREACH(programs, p, cc->bpf_foreign_programs) {
r = bpf_foreign_prepare(u, p->attach_type, p->bpffs_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to prepare foreign BPF hashmap: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to prepare foreign BPF hashmap: %m");
}
r = attach_programs(u, cgroup_path, u->bpf_foreign_by_key, BPF_F_ALLOW_MULTI);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to install foreign BPF programs: %m");
+ return log_unit_error_errno(u, r, "bpf-foreign: Failed to install foreign BPF programs: %m");
return 0;
}
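Review bot: Each failure in `bpf_foreign_install` is logged twice at error level. `bpf_foreign_prepare` and `attach_programs` already call `log_unit_error_errno` on every failing path visible in the two hunks above, and the caller then adds a second, less specific line with the same errno. Returning the helper's result directly, `if (r < 0) return r;`, leaves one error line per failure and keeps the specific one. The opening lines of `bpf_foreign_install` are outside the hunk.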
diff --git a/src/core/bpf-lsm.c b/src/core/bpf-lsm.c
index d3e92b98a6..f3b9339558 100644
--- a/src/core/bpf-lsm.c
+++ b/src/core/bpf-lsm.c
@@ -26,6 +26,7 @@
/* libbpf, clang and llc compile time dependencies are satisfied */
#include "bpf-dlopen.h"
#include "bpf-link.h"
+#include "bpf-util.h"
#include "bpf/restrict_fs/restrict-fs-skel.h"
#define CGROUP_HASH_SIZE_MAX 2048
@@ -61,29 +62,29 @@ static int prepare_restrict_fs_bpf(struct restrict_fs_bpf **ret_obj) {
obj = restrict_fs_bpf__open();
if (!obj)
- return log_error_errno(errno, "Failed to open BPF object: %m");
+ return log_error_errno(errno, "bpf-lsm: Failed to open BPF object: %m");
/* TODO Maybe choose a number based on runtime information? */
r = sym_bpf_map__resize(obj->maps.cgroup_hash, CGROUP_HASH_SIZE_MAX);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to resize BPF map '%s': %m",
+ return log_error_errno(r, "bpf-lsm: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.cgroup_hash));
/* Dummy map to satisfy the verifier */
inner_map_fd = sym_bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(uint32_t), sizeof(uint32_t), 128, 0);
if (inner_map_fd < 0)
- return log_error_errno(errno, "Failed to create BPF map: %m");
+ return log_error_errno(errno, "bpf-lsm: Failed to create BPF map: %m");
r = sym_bpf_map__set_inner_map_fd(obj->maps.cgroup_hash, inner_map_fd);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to set inner map fd: %m");
+ return log_error_errno(r, "bpf-lsm: Failed to set inner map fd: %m");
r = restrict_fs_bpf__load(obj);
assert(r <= 0);
if (r < 0)
- return log_error_errno(r, "Failed to load BPF object");
+ return log_error_errno(r, "bpf-lsm: Failed to load BPF object: %m");
*ret_obj = TAKE_PTR(obj);
@@ -103,7 +104,7 @@ static int mac_bpf_use(void) {
r = read_one_line_file("/sys/kernel/security/lsm", &lsm_list);
if (r < 0) {
if (r != -ENOENT)
- log_notice_errno(r, "Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
+ log_notice_errno(r, "bpf-lsm: Failed to read /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
@@ -116,7 +117,7 @@ static int mac_bpf_use(void) {
if (r == -ENOMEM)
return log_oom();
if (r < 0) {
- log_notice_errno(r, "Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
+ log_notice_errno(r, "bpf-lsm: Failed to parse /sys/kernel/security/lsm, assuming bpf is unavailable: %m");
return 0;
}
@@ -135,33 +136,18 @@ bool lsm_bpf_supported(bool initialize) {
if (!initialize)
return false;
- r = dlopen_bpf();
- if (r < 0) {
- log_info_errno(r, "Failed to open libbpf, LSM BPF is not supported: %m");
- return (supported = false);
- }
-
- r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
- if (r < 0) {
- log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+ if (!cgroup_bpf_supported())
return (supported = false);
- }
-
- if (r == 0) {
- log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Not running with unified cgroup hierarchy, LSM BPF is not supported");
- return (supported = false);
- }
r = mac_bpf_use();
if (r < 0) {
- log_warning_errno(r, "Can't determine whether the BPF LSM module is used: %m");
+ log_warning_errno(r, "bpf-lsm: Can't determine whether the BPF LSM module is used: %m");
return (supported = false);
}
if (r == 0) {
log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "BPF LSM hook not enabled in the kernel, LSM BPF not supported");
+ "bpf-lsm: BPF LSM hook not enabled in the kernel, BPF LSM not supported");
return (supported = false);
}
@@ -171,7 +157,7 @@ bool lsm_bpf_supported(bool initialize) {
if (!bpf_can_link_lsm_program(obj->progs.restrict_filesystems)) {
log_warning_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to link BPF program. Assuming BPF is not available");
+ "bpf-lsm: Failed to link program; assuming BPF LSM is not available");
return (supported = false);
}
@@ -192,10 +178,10 @@ int lsm_bpf_setup(Manager *m) {
link = sym_bpf_program__attach_lsm(obj->progs.restrict_filesystems);
r = sym_libbpf_get_error(link);
if (r != 0)
- return log_error_errno(r, "Failed to link '%s' LSM BPF program: %m",
+ return log_error_errno(r, "bpf-lsm: Failed to link '%s' LSM BPF program: %m",
sym_bpf_program__name(obj->progs.restrict_filesystems));
- log_info("LSM BPF program attached");
+ log_info("bpf-lsm: LSM BPF program attached");
obj->links.restrict_filesystems = TAKE_PTR(link);
m->restrict_fs = TAKE_PTR(obj);
@@ -214,7 +200,7 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo
if (!u->manager->restrict_fs)
return log_unit_error_errno(u, SYNTHETIC_ERRNO(EINVAL),
- "Restrict filesystems BPF object is not set, BPF LSM setup has failed?");
+ "bpf-lsm: BPF LSM object is not installed, has setup failed?");
int inner_map_fd = sym_bpf_create_map(
BPF_MAP_TYPE_HASH,
@@ -223,39 +209,39 @@ int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, bool allo
128, /* Should be enough for all filesystem types */
0);
if (inner_map_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to create inner LSM map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to create inner BPF map: %m");
int outer_map_fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (outer_map_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
if (sym_bpf_map_update_elem(outer_map_fd, &u->cgroup_id, &inner_map_fd, BPF_ANY) != 0)
- return log_unit_error_errno(u, errno, "Error populating LSM BPF map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Error populating BPF map: %m");
uint32_t allow = allow_list;
/* Use key 0 to store whether this is an allow list or a deny list */
if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0)
- return log_unit_error_errno(u, errno, "Error initializing BPF map: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Error initializing map: %m");
SET_FOREACH(fs, filesystems) {
r = fs_type_from_string(fs, &magic);
if (r < 0) {
- log_unit_warning(u, "Invalid filesystem name '%s', ignoring.", fs);
+ log_unit_warning(u, "bpf-lsm: Invalid filesystem name '%s', ignoring.", fs);
continue;
}
- log_unit_debug(u, "Restricting filesystem access to '%s'", fs);
+ log_unit_debug(u, "bpf-lsm: Restricting filesystem access to '%s'", fs);
for (int i = 0; i < FILESYSTEM_MAGIC_MAX; i++) {
if (magic[i] == 0)
break;
if (sym_bpf_map_update_elem(inner_map_fd, &magic[i], &dummy_value, BPF_ANY) != 0) {
- r = log_unit_error_errno(u, errno, "Failed to update BPF map: %m");
+ r = log_unit_error_errno(u, errno, "bpf-lsm: Failed to update BPF map: %m");
if (sym_bpf_map_delete_elem(outer_map_fd, &u->cgroup_id) != 0)
- log_unit_debug_errno(u, errno, "Failed to delete cgroup entry from LSM BPF map: %m");
+ log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
return r;
}
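Review bot: The key-0 initialisation failure in `lsm_bpf_unit_restrict_filesystems` returns without removing the cgroup entry that was just written to the outer map, while the per-filesystem failure a few lines later does delete it. That leaves an outer-map entry pointing at an inner map with no allow/deny flag; what the BPF program does with such an entry is not visible here, so the safe choice is the same rollback on both paths. The function starts and ends outside the hunk.

```c
/* Use key 0 to store whether this is an allow list or a deny list */
if (sym_bpf_map_update_elem(inner_map_fd, &zero, &allow, BPF_ANY) != 0) {
        r = log_unit_error_errno(u, errno, "bpf-lsm: Error initializing map: %m");
        if (sym_bpf_map_delete_elem(outer_map_fd, &u->cgroup_id) != 0)
                log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from BPF map: %m");
        return r;
}
/* … unchanged: SET_FOREACH loop over filesystems … */
```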
@@ -278,10 +264,10 @@ int lsm_bpf_cleanup(const Unit *u) {
int fd = sym_bpf_map__fd(u->manager->restrict_fs->maps.cgroup_hash);
if (fd < 0)
- return log_unit_error_errno(u, errno, "Failed to get BPF map fd: %m");
+ return log_unit_error_errno(u, errno, "bpf-lsm: Failed to get BPF map fd: %m");
if (sym_bpf_map_delete_elem(fd, &u->cgroup_id) != 0)
- return log_unit_debug_errno(u, errno, "Failed to delete cgroup entry from LSM BPF map: %m");
+ return log_unit_debug_errno(u, errno, "bpf-lsm: Failed to delete cgroup entry from LSM BPF map: %m");
return 0;
}
@@ -305,11 +291,11 @@ bool lsm_bpf_supported(bool initialize) {
}
int lsm_bpf_setup(Manager *m) {
- return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to set up LSM BPF: %m");
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to set up LSM BPF: %m");
}
int lsm_bpf_unit_restrict_filesystems(Unit *u, const Set *filesystems, const bool allow_list) {
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to restrict filesystems using LSM BPF: %m");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "bpf-lsm: Failed to restrict filesystems using LSM BPF: %m");
}
int lsm_bpf_cleanup(const Unit *u) {
@@ -344,7 +330,7 @@ int lsm_bpf_parse_filesystem(
set = filesystem_set_find(name);
if (!set) {
log_syntax(unit, flags & FILESYSTEM_PARSE_LOG ? LOG_WARNING : LOG_DEBUG, filename, line, 0,
- "Unknown filesystem group, ignoring: %s", name);
+ "bpf-lsm: Unknown filesystem group, ignoring: %s", name);
return 0;
}
diff --git a/src/core/bpf-socket-bind.c b/src/core/bpf-socket-bind.c
index 09f83dc667..3aa1bfa1f1 100644
--- a/src/core/bpf-socket-bind.c
+++ b/src/core/bpf-socket-bind.c
@@ -11,8 +11,9 @@
/* libbpf, clang, llvm and bpftool compile time dependencies are satisfied */
#include "bpf-dlopen.h"
#include "bpf-link.h"
-#include "bpf/socket_bind/socket-bind-skel.h"
+#include "bpf-util.h"
#include "bpf/socket_bind/socket-bind-api.bpf.h"
+#include "bpf/socket_bind/socket-bind-skel.h"
static struct socket_bind_bpf *socket_bind_bpf_free(struct socket_bind_bpf *obj) {
/* socket_bind_bpf__destroy handles object == NULL case */
@@ -68,27 +69,27 @@ static int prepare_socket_bind_bpf(
if (allow_count > SOCKET_BIND_MAX_RULES)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL),
- "Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
+ "bpf-socket-bind: Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
if (deny_count > SOCKET_BIND_MAX_RULES)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, SYNTHETIC_ERRNO(EINVAL),
- "Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
+ "bpf-socket-bind: Maximum number of socket bind rules=%u is exceeded", SOCKET_BIND_MAX_RULES);
obj = socket_bind_bpf__open();
if (!obj)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "Failed to open BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "bpf-socket-bind: Failed to open BPF object: %m");
if (sym_bpf_map__resize(obj->maps.sd_bind_allow, MAX(allow_count, 1u)) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_allow));
+ "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_allow));
if (sym_bpf_map__resize(obj->maps.sd_bind_deny, MAX(deny_count, 1u)) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_deny));
+ "bpf-socket-bind: Failed to resize BPF map '%s': %m", sym_bpf_map__name(obj->maps.sd_bind_deny));
if (socket_bind_bpf__load(obj) != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno,
- "Failed to load BPF object: %m");
+ "bpf-socket-bind: Failed to load BPF object: %m");
allow_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_allow);
assert(allow_map_fd >= 0);
@@ -96,7 +97,7 @@ static int prepare_socket_bind_bpf(
r = update_rules_map(allow_map_fd, allow);
if (r < 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to put socket bind allow rules into BPF map '%s'",
+ "bpf-socket-bind: Failed to put socket bind allow rules into BPF map '%s'",
sym_bpf_map__name(obj->maps.sd_bind_allow));
deny_map_fd = sym_bpf_map__fd(obj->maps.sd_bind_deny);
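Review bot: The allow-rules message passes `r` to `log_unit_full_errno` but its format string has no `%m`, so the reason `update_rules_map` failed never reaches the log. The deny-rules hunk below and the `fdset_put` message in `bpf_socket_bind_add_initial_link_fd` have the same gap. This commit already fixes that omission in bpf-lsm.c (`"bpf-lsm: Failed to load BPF object: %m"`), so the format here should end `into BPF map '%s': %m"`. `prepare_socket_bind_bpf` starts and ends outside the hunk.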
@@ -105,7 +106,7 @@ static int prepare_socket_bind_bpf(
r = update_rules_map(deny_map_fd, deny);
if (r < 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to put socket bind deny rules into BPF map '%s'",
+ "bpf-socket-bind: Failed to put socket bind deny rules into BPF map '%s'",
sym_bpf_map__name(obj->maps.sd_bind_deny));
*ret_obj = TAKE_PTR(obj);
@@ -116,25 +117,17 @@ int bpf_socket_bind_supported(void) {
_cleanup_(socket_bind_bpf_freep) struct socket_bind_bpf *obj = NULL;
int r;
- r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
- if (r < 0)
- return log_debug_errno(r, "Can't determine whether the unified hierarchy is used: %m");
- if (r == 0) {
- log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
- return false;
- }
-
- if (dlopen_bpf() < 0)
+ if (!cgroup_bpf_supported())
return false;
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SOCK_ADDR, /*ifindex=*/0)) {
- log_debug("BPF program type cgroup_sock_addr is not supported");
+ log_debug("bpf-socket-bind: BPF program type cgroup_sock_addr is not supported");
return false;
}
r = prepare_socket_bind_bpf(/*unit=*/NULL, /*allow_rules=*/NULL, /*deny_rules=*/NULL, &obj);
if (r < 0) {
- log_debug_errno(r, "BPF based socket_bind is not supported: %m");
+ log_debug_errno(r, "bpf-socket-bind: socket bind filtering is not supported: %m");
return false;
}
@@ -154,7 +147,7 @@ int bpf_socket_bind_add_initial_link_fd(Unit *u, int fd) {
r = fdset_put(u->initial_socket_bind_link_fds, fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put socket-bind BPF link fd %d to initial fdset", fd);
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to put BPF fd %d to initial fdset", fd);
return 0;
}
@@ -175,29 +168,29 @@ static int socket_bind_install_impl(Unit *u) {
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to get cgroup path: %m");
if (!cc->socket_bind_allow && !cc->socket_bind_deny)
return 0;
r = prepare_socket_bind_bpf(u, cc->socket_bind_allow, cc->socket_bind_deny, &obj);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to load BPF object: %m");
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to load BPF object: %m");
cgroup_fd = open(cgroup_path, O_RDONLY | O_CLOEXEC, 0);
if (cgroup_fd < 0)
- return log_unit_error_errno(u, errno, "Failed to open cgroup=%s for reading: %m", cgroup_path);
+ return log_unit_error_errno(u, errno, "bpf-socket-bind: Failed to open cgroup %s for reading: %m", cgroup_path);
ipv4 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind4, cgroup_fd);
r = sym_libbpf_get_error(ipv4);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to link '%s' cgroup-bpf program: %m",
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m",
sym_bpf_program__name(obj->progs.sd_bind4));
ipv6 = sym_bpf_program__attach_cgroup(obj->progs.sd_bind6, cgroup_fd);
r = sym_libbpf_get_error(ipv6);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to link '%s' cgroup-bpf program: %m",
+ return log_unit_error_errno(u, r, "bpf-socket-bind: Failed to link '%s' cgroup-bpf program: %m",
sym_bpf_program__name(obj->progs.sd_bind6));
u->ipv4_socket_bind_link = TAKE_PTR(ipv4);
@@ -241,7 +234,8 @@ int bpf_socket_bind_add_initial_link_fd(Unit *u, int fd) {
}
int bpf_socket_bind_install(Unit *u) {
- return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP), "Failed to install socket bind: BPF framework is not supported");
+ return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "bpf-socket-bind: Failed to install; BPF framework is not supported");
}
int bpf_serialize_socket_bind(Unit *u, FILE *f, FDSet *fds) {
diff --git a/src/core/bpf-util.c b/src/core/bpf-util.c
new file mode 100644
index 0000000000..9130aa373f
--- /dev/null
+++ b/src/core/bpf-util.c
@@ -0,0 +1,34 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "bpf-dlopen.h"
+#include "bpf-util.h"
+#include "cgroup-util.h"
+#include "log.h"
+
+bool cgroup_bpf_supported(void) {
+ static int supported = -1;
+ int r;
+
+ if (supported >= 0)
+ return supported;
+
+ r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
+ if (r < 0) {
+ log_warning_errno(r, "Can't determine whether the unified hierarchy is used: %m");
+ return (supported = false);
+ }
+
+ if (r == 0) {
+ log_info_errno(SYNTHETIC_ERRNO(EOPNOTSUPP),
+ "Not running with unified cgroup hierarchy, disabling cgroup BPF features.");
+ return (supported = false);
+ }
+
+ r = dlopen_bpf();
+ if (r < 0) {
+ log_info_errno(r, "Failed to open libbpf, cgroup BPF features disabled: %m");
+ return (supported = false);
+ }
+
+ return (supported = true);
+}
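Review bot: A failure of `cg_unified_controller()` is now cached as "unsupported" for the lifetime of the process, because the `r < 0` branch assigns `supported = false`. The code this replaces in `restrict_network_interfaces_supported` returned the error without caching it, so a later call could probe again. Since the socket-bind, interface and filesystem restrictions all depend on this result, one early error would quietly disable them for every unit started afterwards. If that call can fail transiently, the branch should be `return false;` without the assignment. The two log messages here also lack a module prefix, unlike every other message this commit touches.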
diff --git a/src/core/bpf-util.h b/src/core/bpf-util.h
new file mode 100644
index 0000000000..a6c55cd7e5
--- /dev/null
+++ b/src/core/bpf-util.h
@@ -0,0 +1,5 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include
+
+bool cgroup_bpf_supported(void);
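Review bot: The new header has no include guard. It is pulled into three source files by this commit and will be included transitively sooner or later, so add `#pragma once` directly after the SPDX line.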
diff --git a/src/core/device.c b/src/core/device.c
index 4c261ec554..fcde8a420e 100644
--- a/src/core/device.c
+++ b/src/core/device.c
@@ -201,12 +201,11 @@ static int device_coldplug(Unit *u) {
* Of course, deserialized parameters may be outdated, but the unit state can be adjusted later by
* device_catchup() or uevents. */
- if (!m->honor_device_enumeration && !MANAGER_IS_USER(m)) {
+ if (!m->honor_device_enumeration && !MANAGER_IS_USER(m) &&
+ !FLAGS_SET(d->enumerated_found, DEVICE_FOUND_UDEV)) {
found &= ~DEVICE_FOUND_UDEV; /* ignore DEVICE_FOUND_UDEV bit */
if (state == DEVICE_PLUGGED)
state = DEVICE_TENTATIVE; /* downgrade state */
- if (found == DEVICE_NOT_FOUND)
- state = DEVICE_DEAD; /* If nobody sees the device, downgrade more */
}
if (d->found == found && d->state == state)
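Review bot: After `found &= ~DEVICE_FOUND_UDEV` the value can be `DEVICE_NOT_FOUND` while `state` stays `DEVICE_TENTATIVE`, a combination the removed `DEVICE_DEAD` downgrade used to rule out. The hunk does not say where that is reconciled, nor why a set `DEVICE_FOUND_UDEV` bit in `d->enumerated_found` skips the masking altogether. A short comment on the new condition would help, for example `/* Trust the deserialized udev bit only if enumeration has already seen the device in udev. */`; that wording is inferred from the field name and should be confirmed. It should also note that `device_catchup()` or uevents are expected to settle a tentative device that nobody has found. `device_coldplug` starts and ends outside the hunk.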
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 3ff6eae8fc..09ba381762 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -522,6 +522,7 @@ static int patch_var_run(
const char *e;
char *z;
+ int log_level;
e = path_startswith(*path, "/var/run/");
if (!e)
@@ -531,7 +532,8 @@ static int patch_var_run(
if (!z)
return log_oom();
- log_syntax(unit, LOG_NOTICE, filename, line, 0,
+ log_level = path_startswith(filename, "/etc") ? LOG_NOTICE : LOG_DEBUG;
+ log_syntax(unit, log_level, filename, line, 0,
"%s= references a path below legacy directory /var/run/, updating %s → %s; "
"please update the unit file accordingly.", lvalue, *path, z);
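Review bot: `path_startswith(filename, "/etc")` is called without checking `filename`, while `log_syntax` on the next line tolerates a missing file name. If `patch_var_run` can be reached with `filename == NULL` (its callers are outside the hunk), this would trip the assertion in `path_startswith`. Guard it with `log_level = filename && path_startswith(filename, "/etc") ? LOG_NOTICE : LOG_DEBUG;`. A one-line comment should also record that the notice is kept only for administrator-owned files under /etc and lowered to debug for every other location.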
diff --git a/src/core/locale-setup.c b/src/core/locale-setup.c
index 716febbefa..9818602470 100644
--- a/src/core/locale-setup.c
+++ b/src/core/locale-setup.c
@@ -57,6 +57,27 @@ int locale_setup(char ***environment) {
log_warning_errno(r, "Failed to read /etc/locale.conf: %m");
}
+ if (r <= 0) {
+ r = parse_env_file(NULL, "/etc/default/locale",
+ "LANG", &variables[VARIABLE_LANG],
+ "LANGUAGE", &variables[VARIABLE_LANGUAGE],
+ "LC_CTYPE", &variables[VARIABLE_LC_CTYPE],
+ "LC_NUMERIC", &variables[VARIABLE_LC_NUMERIC],
+ "LC_TIME", &variables[VARIABLE_LC_TIME],
+ "LC_COLLATE", &variables[VARIABLE_LC_COLLATE],
+ "LC_MONETARY", &variables[VARIABLE_LC_MONETARY],
+ "LC_MESSAGES", &variables[VARIABLE_LC_MESSAGES],
+ "LC_PAPER", &variables[VARIABLE_LC_PAPER],
+ "LC_NAME", &variables[VARIABLE_LC_NAME],
+ "LC_ADDRESS", &variables[VARIABLE_LC_ADDRESS],
+ "LC_TELEPHONE", &variables[VARIABLE_LC_TELEPHONE],
+ "LC_MEASUREMENT", &variables[VARIABLE_LC_MEASUREMENT],
+ "LC_IDENTIFICATION", &variables[VARIABLE_LC_IDENTIFICATION]);
+
+ if (r < 0 && r != -ENOENT)
+ log_warning_errno(r, "Failed to read /etc/default/locale: %m");
+ }
+
for (LocaleVariable i = 0; i < _VARIABLE_LC_MAX; i++) {
char *s;
diff --git a/src/core/main.c b/src/core/main.c
index 409b84a006..7989bbe815 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1619,24 +1619,6 @@ static void cmdline_take_random_seed(void) {
"This functionality should not be used outside of testing environments.");
}
-static void initialize_coredump(bool skip_setup) {
-#if ENABLE_COREDUMP
- if (getpid_cached() != 1)
- return;
-
- /* Don't limit the core dump size, so that coredump handlers such as systemd-coredump (which honour
- * the limit) will process core dumps for system services by default. */
- if (setrlimit(RLIMIT_CORE, &RLIMIT_MAKE_CONST(RLIM_INFINITY)) < 0)
- log_warning_errno(errno, "Failed to set RLIMIT_CORE: %m");
-
- /* But at the same time, turn off the core_pattern logic by default, so that no coredumps are stored
- * until the systemd-coredump tool is enabled via sysctl. However it can be changed via the kernel
- * command line later so core dumps can still be generated during early startup and in initramfs. */
- if (!skip_setup)
- disable_coredumps();
-#endif
-}
-
static void initialize_core_pattern(bool skip_setup) {
int r;
@@ -2765,8 +2747,6 @@ int main(int argc, char *argv[]) {
kernel_timestamp = DUAL_TIMESTAMP_NULL;
}
- initialize_coredump(skip_setup);
-
r = fixup_environment();
if (r < 0) {
log_emergency_errno(r, "Failed to fix up PID 1 environment: %m");
diff --git a/src/core/meson.build b/src/core/meson.build
index 1e8b6dc310..162090a139 100644
--- a/src/core/meson.build
+++ b/src/core/meson.build
@@ -135,6 +135,13 @@ libcore_sources = '''
unit.h
'''.split()
+if conf.get('BPF_FRAMEWORK') == 1
+ libcore_sources += files(
+ 'bpf-util.c',
+ 'bpf-util.h',
+ )
+endif
+
subdir('bpf')
subdir('bpf/socket_bind')
@@ -195,7 +202,7 @@ libcore = shared_library(
libblkid,
libacl],
install : true,
- install_dir : rootlibexecdir)
+ install_dir : rootpkglibdir)
core_includes = [includes, include_directories('.')]
diff --git a/src/core/restrict-ifaces.c b/src/core/restrict-ifaces.c
index efa5c8d85a..a0ecaff814 100644
--- a/src/core/restrict-ifaces.c
+++ b/src/core/restrict-ifaces.c
@@ -9,7 +9,7 @@
#include "bpf-dlopen.h"
#include "bpf-link.h"
-
+#include "bpf-util.h"
#include "bpf/restrict_ifaces/restrict-ifaces-skel.h"
static struct restrict_ifaces_bpf *restrict_ifaces_bpf_free(struct restrict_ifaces_bpf *obj) {
@@ -34,19 +34,19 @@ static int prepare_restrict_ifaces_bpf(
obj = restrict_ifaces_bpf__open();
if (!obj)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "Failed to open BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, errno, "restrict-interfaces: Failed to open BPF object: %m");
r = sym_bpf_map__resize(obj->maps.sd_restrictif, MAX(set_size(restrict_network_interfaces), 1u));
if (r != 0)
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, r,
- "Failed to resize BPF map '%s': %m",
+ "restrict-interfaces: Failed to resize BPF map '%s': %m",
sym_bpf_map__name(obj->maps.sd_restrictif));
obj->rodata->is_allow_list = is_allow_list;
r = restrict_ifaces_bpf__load(obj);
if (r != 0)
- return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, r, "Failed to load BPF object: %m");
+ return log_unit_full_errno(u, u ? LOG_ERR : LOG_DEBUG, r, "restrict-interfaces: Failed to load BPF object: %m");
map_fd = sym_bpf_map__fd(obj->maps.sd_restrictif);
@@ -56,13 +56,15 @@ static int prepare_restrict_ifaces_bpf(
ifindex = rtnl_resolve_interface(&rtnl, iface);
if (ifindex < 0) {
- log_unit_warning_errno(u, ifindex, "Couldn't find index of network interface '%s', ignoring: %m", iface);
+ log_unit_warning_errno(u, ifindex,
+ "restrict-interfaces: Couldn't find index of network interface '%s', ignoring: %m",
+ iface);
continue;
}
if (sym_bpf_map_update_elem(map_fd, &ifindex, &dummy, BPF_ANY))
return log_unit_full_errno(u, u ? LOG_ERR : LOG_WARNING, errno,
- "Failed to update BPF map '%s' fd: %m",
+ "restrict-interfaces: Failed to update BPF map '%s' fd: %m",
sym_bpf_map__name(obj->maps.sd_restrictif));
}
@@ -78,29 +80,21 @@ int restrict_network_interfaces_supported(void) {
if (supported >= 0)
return supported;
- r = cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER);
- if (r < 0)
- return log_error_errno(r, "Can't determine whether the unified hierarchy is used: %m");
- if (r == 0) {
- log_debug("Not running with unified cgroup hierarchy, BPF is not supported");
- return supported = 0;
- }
-
- if (dlopen_bpf() < 0)
- return false;
+ if (!cgroup_bpf_supported())
+ return (supported = false);
if (!sym_bpf_probe_prog_type(BPF_PROG_TYPE_CGROUP_SKB, /*ifindex=*/0)) {
- log_debug("BPF program type cgroup_skb is not supported");
- return supported = 0;
+ log_debug("restrict-interfaces: BPF program type cgroup_skb is not supported");
+ return (supported = false);
}
r = prepare_restrict_ifaces_bpf(NULL, true, NULL, &obj);
if (r < 0) {
- log_debug_errno(r, "Failed to load BPF object: %m");
- return supported = 0;
+ log_debug_errno(r, "restrict-interfaces: Failed to load BPF object: %m");
+ return (supported = false);
}
- return supported = bpf_can_link_program(obj->progs.sd_restrictif_i);
+ return (supported = bpf_can_link_program(obj->progs.sd_restrictif_i));
}
static int restrict_network_interfaces_install_impl(Unit *u) {
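Review bot: The new `if (!cgroup_bpf_supported()) return (supported = false);` caches a negative result on paths where the removed code did not. The old `cg_unified_controller()` error path returned the error, and the old `dlopen_bpf()` failure returned `false`, both without assigning `supported`. `cgroup_bpf_supported()` is defined outside this hunk, so if it can fail for a transient reason, the restriction would stay reported as unsupported for the rest of the process lifetime and units would start without it. Either confirm that helper only returns a definitive answer, or record the assumption next to the call, e.g. `/* cgroup_bpf_supported() caches its own result; a negative answer is final */`. The start of restrict_network_interfaces_supported is outside the hunk.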
@@ -117,7 +111,7 @@ static int restrict_network_interfaces_install_impl(Unit *u) {
r = cg_get_path(SYSTEMD_CGROUP_CONTROLLER, u->cgroup_path, NULL, &cgroup_path);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to get cgroup path: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to get cgroup path: %m");
if (!cc->restrict_network_interfaces)
return 0;
@@ -136,12 +130,12 @@ static int restrict_network_interfaces_install_impl(Unit *u) {
ingress_link = sym_bpf_program__attach_cgroup(obj->progs.sd_restrictif_i, cgroup_fd);
r = sym_libbpf_get_error(ingress_link);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to create ingress cgroup link: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to create ingress cgroup link: %m");
egress_link = sym_bpf_program__attach_cgroup(obj->progs.sd_restrictif_e, cgroup_fd);
r = sym_libbpf_get_error(egress_link);
if (r != 0)
- return log_unit_error_errno(u, r, "Failed to create egress cgroup link: %m");
+ return log_unit_error_errno(u, r, "restrict-interfaces: Failed to create egress cgroup link: %m");
u->restrict_ifaces_ingress_bpf_link = TAKE_PTR(ingress_link);
u->restrict_ifaces_egress_bpf_link = TAKE_PTR(egress_link);
@@ -180,7 +174,8 @@ int restrict_network_interfaces_add_initial_link_fd(Unit *u, int fd) {
r = fdset_put(u->initial_restric_ifaces_link_fds, fd);
if (r < 0)
- return log_unit_error_errno(u, r, "Failed to put restrict-ifaces-bpf-fd %d to restored fdset: %m", fd);
+ return log_unit_error_errno(u, r,
+ "restrict-interfaces: Failed to put restrict-ifaces-bpf-fd %d to restored fdset: %m", fd);
return 0;
}
@@ -192,7 +187,7 @@ int restrict_network_interfaces_supported(void) {
int restrict_network_interfaces_install(Unit *u) {
return log_unit_debug_errno(u, SYNTHETIC_ERRNO(EOPNOTSUPP),
- "Failed to install RestrictInterfaces: BPF programs built from source code are not supported: %m");
+ "restrict-interfaces: Failed to install; BPF programs built from source code are not supported: %m");
}
int serialize_restrict_network_interfaces(Unit *u, FILE *f, FDSet *fds) {
diff --git a/src/core/systemd.pc.in b/src/core/systemd.pc.in
index fc0f8c34fa..65996bbed8 100644
--- a/src/core/systemd.pc.in
+++ b/src/core/systemd.pc.in
@@ -65,16 +65,16 @@ systemdshutdowndir=${systemd_shutdown_dir}
tmpfiles_dir=${prefix}/lib/tmpfiles.d
tmpfilesdir=${tmpfiles_dir}
-sysusers_dir=${rootprefix}/lib/sysusers.d
+sysusers_dir=${prefix}/lib/sysusers.d
sysusersdir=${sysusers_dir}
-sysctl_dir=${rootprefix}/lib/sysctl.d
+sysctl_dir=${prefix}/lib/sysctl.d
sysctldir=${sysctl_dir}
-binfmt_dir=${rootprefix}/lib/binfmt.d
+binfmt_dir=${prefix}/lib/binfmt.d
binfmtdir=${binfmt_dir}
-modules_load_dir=${rootprefix}/lib/modules-load.d
+modules_load_dir=${prefix}/lib/modules-load.d
modulesloaddir=${modules_load_dir}
catalog_dir=${prefix}/lib/systemd/catalog
diff --git a/src/core/unit.c b/src/core/unit.c
index b0756bc6f4..90ec261558 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4606,16 +4606,7 @@ int unit_kill_context(
} else if (r > 0) {
- /* FIXME: For now, on the legacy hierarchy, we will not wait for the cgroup members to die if
- * we are running in a container or if this is a delegation unit, simply because cgroup
- * notification is unreliable in these cases. It doesn't work at all in containers, and outside
- * of containers it can be confused easily by left-over directories in the cgroup — which
- * however should not exist in non-delegated units. On the unified hierarchy that's different,
- * there we get proper events. Hence rely on them. */
-
- if (cg_unified_controller(SYSTEMD_CGROUP_CONTROLLER) > 0 ||
- (detect_container() == 0 && !unit_cgroup_delegate(u)))
- wait_for_exit = true;
+ wait_for_exit = true;
if (send_sighup) {
set_free(pid_set);
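Review bot: `wait_for_exit = true;` is now unconditional, and the removed FIXME was the only record of why waiting was skipped on the legacy hierarchy inside containers and for delegation units (it describes cgroup-empty notification as unreliable there). If this build still runs in those configurations, stopping such a unit may now block until the stop timeout expires. A short comment at the assignment stating why the unconditional wait is safe here, e.g. `/* Always wait for the cgroup to run empty: <reason> */`, would keep that knowledge in the file. unit_kill_context starts and ends outside the hunk.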
diff --git a/src/fsck/fsck.c b/src/fsck/fsck.c
index 745d01ff50..7bf0e1196a 100644
--- a/src/fsck/fsck.c
+++ b/src/fsck/fsck.c
@@ -419,7 +419,7 @@ static int run(int argc, char *argv[]) {
if (exit_status & FSCK_ERROR_CORRECTED)
(void) touch("/run/systemd/quotacheck");
- return !!(exit_status & (FSCK_SYSTEM_SHOULD_REBOOT | FSCK_ERRORS_LEFT_UNCORRECTED));
+ return EXIT_SUCCESS;
}
DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE(run);
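Review bot: `return EXIT_SUCCESS;` drops the `FSCK_ERRORS_LEFT_UNCORRECTED` and `FSCK_SYSTEM_SHOULD_REBOOT` bits, so the fsck unit reports success even when the filesystem still carries errors, and mounts ordered after it proceed. Any earlier handling of those bits in run() is outside this hunk, so it cannot be confirmed from here that the condition is surfaced elsewhere. If masking the exit status is intended, log it at the return site, e.g. `if (exit_status & FSCK_ERRORS_LEFT_UNCORRECTED) log_warning("fsck left errors uncorrected, continuing anyway.");`, and add a comment giving the reason. `DEFINE_MAIN_FUNCTION_WITH_POSITIVE_FAILURE` no longer sees a positive value from this path.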
diff --git a/src/fsckd/fsckd.c b/src/fsckd/fsckd.c
new file mode 100644
index 0000000000..8a85b692e7
--- /dev/null
+++ b/src/fsckd/fsckd.c
@@ -0,0 +1,697 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Canonical
+
+ Author:
+ Didier Roche
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see .
+***/
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "sd-daemon.h"
+#include "build.h"
+#include "def.h"
+#include "sd-event.h"
+#include "log.h"
+#include "list.h"
+#include "macro.h"
+#include "socket-netlink.h"
+#include "socket-util.h"
+#include "fd-util.h"
+#include "string-util.h"
+#include "io-util.h"
+#include "util.h"
+#include "alloc-util.h"
+#include "locale-util.h"
+
+#define FSCKD_SOCKET_PATH "/run/systemd/fsck.progress"
+#define IDLE_TIME_SECONDS 30
+#define PLYMOUTH_REQUEST_KEY "K\2\2\3"
+#define CLIENTS_MAX 128
+
+struct Manager;
+
+typedef struct Client {
+ struct Manager *manager;
+ char *device_name;
+ /* device id refers to "fd " until it gets a name as "device_name" */
+ char *device_id;
+
+ pid_t fsck_pid;
+ FILE *fsck_f;
+
+ size_t cur;
+ size_t max;
+ int pass;
+
+ double percent;
+
+ bool cancelled;
+ bool bad_input;
+
+ sd_event_source *event_source;
+
+ LIST_FIELDS(struct Client, clients);
+} Client;
+
+typedef struct Manager {
+ sd_event *event;
+
+ LIST_HEAD(Client, clients);
+ unsigned n_clients;
+
+ size_t clear;
+
+ int connection_fd;
+ sd_event_source *connection_event_source;
+
+ bool show_status_console;
+
+ double percent;
+ int numdevices;
+
+ int plymouth_fd;
+ sd_event_source *plymouth_event_source;
+ bool plymouth_cancel_sent;
+
+ bool cancel_requested;
+} Manager;
+
+static Client* client_free(Client *c);
+static Manager* manager_free(Manager *m);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(Client*, client_free);
+DEFINE_TRIVIAL_CLEANUP_FUNC(Manager*, manager_free);
+
+static bool plymouth_running(void) {
+ return access("/run/plymouth/pid", F_OK) >= 0;
+}
+
+static int manager_write_console(Manager *m, const char *message) {
+ _cleanup_fclose_ FILE *console = NULL;
+ int l;
+ size_t j;
+
+ assert(m);
+
+ if (!m->show_status_console)
+ return 0;
+
+ /* Nothing to display, and nothing to clear: return now. */
+ if (message == NULL && m->clear == 0) {
+ return 0;
+ }
+
+ /* Reduce the SAK window by opening and closing console on every request */
+ console = fopen("/dev/console", "we");
+ if (!console)
+ return -errno;
+
+ if (message) {
+ fprintf(console, "\r%s\r%n", message, &l);
+ if (m->clear < (size_t)l)
+ m->clear = (size_t)l;
+ } else {
+ fputc('\r', console);
+ for (j = 0; j < m->clear; j++)
+ fputc(' ', console);
+ fputc('\r', console);
+ }
+ fflush(console);
+
+ return 0;
+}
+
+static double compute_percent(int pass, size_t cur, size_t max) {
+ /* Values stolen from e2fsck */
+
+ static const double pass_table[] = {
+ 0, 70, 90, 92, 95, 100
+ };
+
+ if (pass <= 0)
+ return 0.0;
+
+ if ((unsigned) pass >= ELEMENTSOF(pass_table) || max == 0)
+ return 100.0;
+
+ return pass_table[pass-1] +
+ (pass_table[pass] - pass_table[pass-1]) *
+ (double) cur / max;
+}
+
+static int client_request_cancel(Client *c) {
+ assert(c);
+
+ if (c->cancelled)
+ return 0;
+
+ log_info("Request to cancel fsck for %s from fsckd", c->device_id);
+ if (kill(c->fsck_pid, SIGTERM) < 0) {
+ /* ignore the error and consider that cancel was sent if fsck just exited */
+ if (errno != ESRCH)
+ return log_error_errno(errno, "Cannot send cancel to fsck for %s: %m", c->device_id);
+ }
+
+ c->cancelled = true;
+ return 1;
+}
+
+static Client* client_free(Client *c) {
+ assert(c);
+
+ if (c->manager) {
+ LIST_REMOVE(clients, c->manager->clients, c);
+ c->manager->n_clients--;
+ }
+
+ sd_event_source_unref(c->event_source);
+ fclose(c->fsck_f);
+ if (c->device_name)
+ free(c->device_name);
+ if (c->device_id)
+ free(c->device_id);
+ return mfree(c);
+}
+
+static void manager_disconnect_plymouth(Manager *m) {
+ assert(m);
+
+ m->plymouth_event_source = sd_event_source_unref(m->plymouth_event_source);
+ m->plymouth_fd = safe_close(m->plymouth_fd);
+ m->plymouth_cancel_sent = false;
+}
+
+static int manager_plymouth_feedback_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+ Manager *m = userdata;
+ char buffer[6];
+ ssize_t l;
+
+ assert(m);
+
+ l = read(m->plymouth_fd, buffer, sizeof(buffer));
+ if (l < 0) {
+ log_warning_errno(errno, "Got error while reading from plymouth: %m");
+ manager_disconnect_plymouth(m);
+ return -errno;
+ }
+ if (l == 0) {
+ manager_disconnect_plymouth(m);
+ return 0;
+ }
+
+ if (l > 1 && buffer[0] == '\15')
+ log_error("Message update to plymouth wasn't delivered successfully");
+
+ /* the only answer support type we requested is a key interruption */
+ if (l > 2 && buffer[0] == '\2' && buffer[5] == '\3') {
+ m->cancel_requested = true;
+
+ /* cancel all connected clients */
+ LIST_FOREACH(clients, current, m->clients)
+ client_request_cancel(current);
+ }
+
+ return 0;
+}
+
+static int manager_connect_plymouth(Manager *m) {
+ union sockaddr_union sa = PLYMOUTH_SOCKET;
+ int r;
+
+ if (!plymouth_running())
+ return 0;
+
+ /* try to connect or reconnect if sending a message */
+ if (m->plymouth_fd >= 0)
+ return 1;
+
+ m->plymouth_fd = socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0);
+ if (m->plymouth_fd < 0)
+ return log_warning_errno(errno, "Connection to plymouth socket failed: %m");
+
+ if (connect(m->plymouth_fd, &sa.sa, offsetof(struct sockaddr_un, sun_path) + 1 + strlen(sa.un.sun_path+1)) < 0) {
+ r = log_warning_errno(errno, "Couldn't connect to plymouth: %m");
+ goto fail;
+ }
+
+ r = sd_event_add_io(m->event, &m->plymouth_event_source, m->plymouth_fd, EPOLLIN, manager_plymouth_feedback_handler, m);
+ if (r < 0) {
+ log_warning_errno(r, "Can't listen to plymouth socket: %m");
+ goto fail;
+ }
+
+ return 1;
+
+fail:
+ manager_disconnect_plymouth(m);
+ return r;
+}
+
+static int plymouth_send_message(int plymouth_fd, const char *message, bool update) {
+ _cleanup_free_ char *packet = NULL;
+ int n;
+ char mode = 'M';
+
+ if (update)
+ mode = 'U';
+
+ if (asprintf(&packet, "%c\002%c%s%n", mode, (int) (strlen(message) + 1), message, &n) < 0)
+ return log_oom();
+
+ return loop_write(plymouth_fd, packet, n + 1, true);
+}
+
+static int manager_send_plymouth_message(Manager *m, const char *message) {
+ const char *plymouth_cancel_message = NULL, *l10n_cancel_message = NULL;
+ int r;
+
+ r = manager_connect_plymouth(m);
+ if (r < 0)
+ return r;
+ /* 0 means that plymouth isn't running, do not send any message yet */
+ else if (r == 0)
+ return 0;
+
+ if (!m->plymouth_cancel_sent) {
+
+ /* Indicate to plymouth that we listen to Ctrl+C */
+ r = loop_write(m->plymouth_fd, PLYMOUTH_REQUEST_KEY, sizeof(PLYMOUTH_REQUEST_KEY), true);
+ if (r < 0)
+ return log_warning_errno(r, "Can't send to plymouth cancel key: %m");
+
+ m->plymouth_cancel_sent = true;
+
+ l10n_cancel_message = _("Press Ctrl+C to cancel all filesystem checks in progress");
+ plymouth_cancel_message = strjoina("fsckd-cancel-msg:", l10n_cancel_message);
+
+ r = plymouth_send_message(m->plymouth_fd, plymouth_cancel_message, false);
+ if (r < 0)
+ log_warning_errno(r, "Can't send filesystem cancel message to plymouth: %m");
+
+ } else if (m->numdevices == 0) {
+
+ m->plymouth_cancel_sent = false;
+
+ r = plymouth_send_message(m->plymouth_fd, "", false);
+ if (r < 0)
+ log_warning_errno(r, "Can't clear plymouth filesystem cancel message: %m");
+ }
+
+ r = plymouth_send_message(m->plymouth_fd, message, true);
+ if (r < 0)
+ return log_warning_errno(r, "Couldn't send \"%s\" to plymouth: %m", message);
+
+ return 0;
+}
+
+static int manager_update_global_progress(Manager *m) {
+ _cleanup_free_ char *console_message = NULL;
+ _cleanup_free_ char *fsck_message = NULL;
+ int current_numdevices = 0, r;
+ double current_percent = 100;
+
+ /* get the overall percentage */
+ LIST_FOREACH(clients, current, m->clients) {
+ current_numdevices++;
+
+ /* right now, we only keep the minimum % of all fsckd processes. We could in the future trying to be
+ linear, but max changes and corresponds to the pass. We have all the informations into fsckd
+ already if we can treat that in a smarter way. */
+ current_percent = MIN(current_percent, current->percent);
+ }
+
+ /* update if there is anything user-visible to update */
+ if (fabs(current_percent - m->percent) > 0.001 || current_numdevices != m->numdevices) {
+ m->numdevices = current_numdevices;
+ m->percent = current_percent;
+
+ if (asprintf(&console_message,
+ ngettext("Checking in progress on %d disk (%3.1f%% complete)",
+ "Checking in progress on %d disks (%3.1f%% complete)", m->numdevices),
+ m->numdevices, m->percent) < 0)
+ return -ENOMEM;
+
+ if (asprintf(&fsck_message, "fsckd:%d:%3.1f:%s", m->numdevices, m->percent, console_message) < 0)
+ return -ENOMEM;
+
+ r = manager_write_console(m, console_message);
+ if (r < 0)
+ return r;
+
+ /* try to connect to plymouth and send message */
+ r = manager_send_plymouth_message(m, fsck_message);
+ if (r < 0)
+ return r;
+ }
+ return 0;
+}
+
+static int client_progress_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+ Client *client = userdata;
+ char line[LINE_MAX];
+ Manager *m;
+
+ assert(client);
+ m = client->manager;
+
+ /* check first if we need to cancel this client */
+ if (m->cancel_requested)
+ client_request_cancel(client);
+
+ while (fgets(line, sizeof(line), client->fsck_f) != NULL) {
+ int pass;
+ size_t cur, max;
+ _cleanup_free_ char *device = NULL, *old_device_id = NULL;
+
+ if (sscanf(line, "%i %zu %zu %ms", &pass, &cur, &max, &device) == 4) {
+ if (!client->device_name) {
+ client->device_name = strdup(device);
+ if (!client->device_name) {
+ log_oom();
+ continue;
+ }
+ old_device_id = client->device_id;
+ client->device_id = strdup(device);
+ if (!client->device_id) {
+ log_oom();
+ client->device_id = old_device_id;
+ old_device_id = NULL;
+ continue;
+ }
+ }
+ client->pass = pass;
+ client->cur = cur;
+ client->max = max;
+ client->bad_input = false;
+ client->percent = compute_percent(client->pass, client->cur, client->max);
+ log_debug("Getting progress for %s (%zu, %zu, %d) : %3.1f%%", client->device_id,
+ client->cur, client->max, client->pass, client->percent);
+ } else {
+ if (errno == ENOMEM) {
+ log_oom();
+ continue;
+ }
+
+ /* if previous input was already garbage, kick it off from progress report */
+ if (client->bad_input) {
+ log_warning("Closing connection on incorrect input of fsck connection for %s", client->device_id);
+ client_free(client);
+ manager_update_global_progress(m);
+ return 0;
+ }
+ client->bad_input = true;
+ }
+
+ }
+
+ if (feof(client->fsck_f)) {
+ log_debug("Fsck client %s disconnected", client->device_id);
+ client_free(client);
+ }
+
+ manager_update_global_progress(m);
+ return 0;
+}
+
+static int manager_new_connection_handler(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+ _cleanup_(client_freep) Client *c = NULL;
+ _cleanup_close_ int new_fsck_fd = -1;
+ _cleanup_fclose_ FILE *new_fsck_f = NULL;
+ struct ucred ucred = {};
+ Manager *m = userdata;
+ int r;
+
+ assert(m);
+
+ /* Initialize and list new clients */
+ new_fsck_fd = accept4(m->connection_fd, NULL, NULL, SOCK_CLOEXEC|SOCK_NONBLOCK);
+ if (new_fsck_fd < 0) {
+ log_error_errno(errno, "Couldn't accept a new connection: %m");
+ return 0;
+ }
+
+ if (m->n_clients >= CLIENTS_MAX) {
+ log_error("Too many clients, refusing connection.");
+ return 0;
+ }
+
+
+ new_fsck_f = fdopen(new_fsck_fd, "r");
+ if (!new_fsck_f) {
+ log_error_errno(errno, "Couldn't fdopen new connection for fd %d: %m", new_fsck_fd);
+ return 0;
+ }
+ new_fsck_fd = -1;
+
+ r = getpeercred(fileno(new_fsck_f), &ucred);
+ if (r < 0) {
+ log_error_errno(r, "Couldn't get credentials for fsck: %m");
+ return 0;
+ }
+
+ c = new0(Client, 1);
+ if (!c) {
+ log_oom();
+ return 0;
+ }
+
+ c->fsck_pid = ucred.pid;
+ c->fsck_f = new_fsck_f;
+ new_fsck_f = NULL;
+
+ if (asprintf(&(c->device_id), "fd %d", fileno(c->fsck_f)) < 0) {
+ log_oom();
+ return 0;
+ }
+
+ r = sd_event_add_io(m->event, &c->event_source, fileno(c->fsck_f), EPOLLIN, client_progress_handler, c);
+ if (r < 0) {
+ log_oom();
+ return 0;
+ }
+
+ LIST_PREPEND(clients, m->clients, c);
+ m->n_clients++;
+ c->manager = m;
+
+ log_debug("New fsck client connected: %s", c->device_id);
+
+ /* only request the client to cancel now in case the request is dropped by the client (chance to recancel) */
+ if (m->cancel_requested)
+ client_request_cancel(c);
+
+ c = NULL;
+ return 0;
+}
+
+static Manager* manager_free(Manager *m) {
+ if (!m)
+ return NULL;
+
+ /* clear last line */
+ manager_write_console(m, NULL);
+
+ sd_event_source_unref(m->connection_event_source);
+ safe_close(m->connection_fd);
+
+ while (m->clients)
+ client_free(m->clients);
+
+ manager_disconnect_plymouth(m);
+
+ sd_event_unref(m->event);
+
+ return mfree(m);
+}
+
+static int manager_new(Manager **ret, int fd) {
+ _cleanup_(manager_freep) Manager *m = NULL;
+ int r;
+
+ assert(ret);
+
+ m = new0(Manager, 1);
+ if (!m)
+ return -ENOMEM;
+
+ m->plymouth_fd = -1;
+ m->connection_fd = fd;
+ m->percent = 100;
+
+ r = sd_event_default(&m->event);
+ if (r < 0)
+ return r;
+
+ if (access("/run/systemd/show-status", F_OK) >= 0)
+ m->show_status_console = true;
+
+ r = sd_event_add_io(m->event, &m->connection_event_source, fd, EPOLLIN, manager_new_connection_handler, m);
+ if (r < 0)
+ return r;
+
+ *ret = m;
+ m = NULL;
+
+ return 0;
+}
+
+static int run_event_loop_with_timeout(Manager *m, usec_t timeout) {
+ int r, code;
+ sd_event *e = m->event;
+
+ assert(e);
+
+ for (;;) {
+ r = sd_event_get_state(e);
+ if (r < 0)
+ return r;
+ if (r == SD_EVENT_FINISHED)
+ break;
+
+ r = sd_event_run(e, timeout);
+ if (r < 0)
+ return r;
+
+ /* Exit if we reached the idle timeout and no more clients are
+ connected. If there is still an fsck process running but
+ simply slow to send us progress updates, exiting would mean
+ that this fsck process receives SIGPIPE resulting in an
+ aborted file system check. */
+ if (r == 0 && m->n_clients == 0) {
+ sd_event_exit(e, 0);
+ break;
+ }
+ }
+
+ r = sd_event_get_exit_code(e, &code);
+ if (r < 0)
+ return r;
+
+ return code;
+}
+
+static void help(void) {
+ printf("%s [OPTIONS...]\n\n"
+ "Capture fsck progress and forward one stream to plymouth\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n",
+ program_invocation_short_name);
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+ enum {
+ ARG_VERSION = 0x100,
+ ARG_ROOT,
+ };
+
+ static const struct option options[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ {}
+ };
+
+ int c;
+
+ assert(argc >= 0);
+ assert(argv);
+
+ while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+ switch (c) {
+
+ case 'h':
+ help();
+ return 0;
+
+ case ARG_VERSION:
+ version();
+ return 0;
+
+ case '?':
+ return -EINVAL;
+
+ default:
+ assert_not_reached();
+ }
+
+ if (optind < argc) {
+ log_error("Extraneous arguments");
+ return -EINVAL;
+ }
+
+ return 1;
+}
+
+int main(int argc, char *argv[]) {
+ _cleanup_(manager_freep) Manager *m = NULL;
+ int fd = -1;
+ int r, n;
+
+ log_set_target(LOG_TARGET_AUTO);
+ log_parse_environment();
+ log_open();
+ init_gettext();
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ goto finish;
+
+ n = sd_listen_fds(0);
+ if (n > 1) {
+ log_error("Too many file descriptors received.");
+ r = -EINVAL;
+ goto finish;
+ } else if (n == 1)
+ fd = SD_LISTEN_FDS_START + 0;
+ else {
+ fd = make_socket_fd(LOG_DEBUG, FSCKD_SOCKET_PATH, SOCK_STREAM, SOCK_CLOEXEC);
+ if (fd < 0) {
+ r = log_error_errno(fd, "Couldn't create listening socket fd on %s: %m", FSCKD_SOCKET_PATH);
+ goto finish;
+ }
+ }
+
+ r = manager_new(&m, fd);
+ if (r < 0) {
+ log_error_errno(r, "Failed to allocate manager: %m");
+ goto finish;
+ }
+
+ r = run_event_loop_with_timeout(m, IDLE_TIME_SECONDS * USEC_PER_SEC);
+ if (r < 0) {
+ log_error_errno(r, "Failed to run event loop: %m");
+ goto finish;
+ }
+
+ sd_event_get_exit_code(m->event, &r);
+
+finish:
+ return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
+}
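Review bot: In manager_plymouth_feedback_handler the test `l > 2 && buffer[0] == '\2' && buffer[5] == '\3'` reads `buffer[5]` after a read() that may have returned only three bytes, so an uninitialised stack byte can decide whether every running fsck receives SIGTERM. Require the full reply instead: `if (l >= (ssize_t) sizeof(buffer) && buffer[0] == '\2' && buffer[5] == '\3') {`. The same function returns `-errno` after manager_disconnect_plymouth() has already run, by which point errno may have been overwritten, so it should be saved before the disconnect. Separately, manager_new_connection_handler stores `ucred.pid` for a later `kill()` without looking at `ucred.uid`, so who may register a PID depends entirely on the socket's permissions, which are not set in this file. Rejecting peers with `if (ucred.uid != 0)` right after getpeercred() would make that requirement explicit.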
diff --git a/src/fstab-generator/fstab-generator.c b/src/fstab-generator/fstab-generator.c
index 75523d0c07..f010561611 100644
--- a/src/fstab-generator/fstab-generator.c
+++ b/src/fstab-generator/fstab-generator.c
@@ -358,6 +358,7 @@ static int add_mount(
_cleanup_strv_free_ char **wanted_by = NULL, **required_by = NULL;
_cleanup_fclose_ FILE *f = NULL;
int r;
+ struct stat sb;
assert(what);
assert(where);
@@ -440,9 +441,13 @@ static int add_mount(
fprintf(f, "Before=%s\n", post);
if (passno != 0) {
- r = generator_write_fsck_deps(f, dest, what, where, fstype);
- if (r < 0)
- return r;
+ if (streq(where, "/usr") && stat("/run/initramfs/fsck-usr", &sb) == 0)
+ ; /* skip /usr fsck if it has already been checked in the initramfs */
+ else {
+ r = generator_write_fsck_deps(f, dest, what, where, fstype);
+ if (r < 0)
+ return r;
+ }
}
r = generator_write_blockdev_dependency(f, what);
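Review bot: The empty statement `;` used as the if-branch is easy to misread and forces an else around the real work. Inverting the test removes it, along with the otherwise unused `struct stat sb` added in the first hunk of this file: `if (passno != 0 && !(streq(where, "/usr") && access("/run/initramfs/fsck-usr", F_OK) >= 0)) {`. The existing comment about /usr already having been checked in the initramfs can then sit above that line. add_mount starts and ends outside the hunk.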
@@ -802,6 +807,10 @@ static int add_sysroot_mount(void) {
default_rw = false; /* read-only, unless overridden */
}
+ /* Enforce /sysroot mount as rw, so that we can generate machine-
+ * during first boot. */
+ arg_root_rw = true;
+
if (!arg_root_options)
opts = arg_root_rw > 0 || (arg_root_rw < 0 && default_rw) ? "rw" : "ro";
else if (arg_root_rw >= 0 ||
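Review bot: `arg_root_rw = true;` is assigned unconditionally, so whatever value was set earlier (presumably from the `ro`/`rw` kernel command line options, parsed outside this hunk) is overwritten and /sysroot is mounted writable even when a read-only root was requested. The `arg_root_rw < 0 && default_rw` test on the following line also becomes dead. The comment is cut off after "machine-", so the stated reason cannot be read. If write access is only needed on first boot, gate the override on that condition rather than forcing it on every boot, and complete the comment. add_sysroot_mount continues outside the hunk.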
diff --git a/src/fundamental/bootspec-fundamental.c b/src/fundamental/bootspec-fundamental.c
index 89e29f5982..c0138926a5 100644
--- a/src/fundamental/bootspec-fundamental.c
+++ b/src/fundamental/bootspec-fundamental.c
@@ -46,7 +46,7 @@ sd_bool bootspec_pick_name_version_sort_key(
good_version = os_image_version ?: (os_version ?: (os_version_id ? : os_build_id));
good_sort_key = os_image_id ?: os_id;
- if (!good_name || !good_version)
+ if (!good_name)
return sd_false;
if (ret_name)
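Review bot: With `!good_version` dropped from the guard, the function can return `sd_true` while `good_version` is NULL, namely when none of `os_image_version`, `os_version`, `os_version_id` and `os_build_id` is set. The output assignments are below the hunk, so presumably `*ret_version` is then NULL. The contract should say so, e.g. `/* *ret_version may be NULL if the OS release data carries no version field */`, and callers that compare, sort or print the version need to tolerate it. The function starts and ends outside the hunk.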
diff --git a/src/fundamental/sha256.c b/src/fundamental/sha256.c
index 0577a24920..58b1a80d33 100644
--- a/src/fundamental/sha256.c
+++ b/src/fundamental/sha256.c
@@ -47,6 +47,20 @@
# define SWAP64(n) (n)
#endif
+/* The condition below is from glibc's string/string-inline.c.
+ * See definition of _STRING_INLINE_unaligned. */
+#if !defined(__mc68020__) && !defined(__s390__) && !defined(__i386__)
+
+/* To check alignment gcc has an appropriate operator. Other compilers don't. */
+# if __GNUC__ >= 2
+# define UNALIGNED_P(p) (((size_t) p) % __alignof__(uint32_t) != 0)
+# else
+# define UNALIGNED_P(p) (((size_t) p) % sizeof(uint32_t) != 0)
+# endif
+#else
+# define UNALIGNED_P(p) sd_false
+#endif
+
/* This array contains the bytes used to pad the buffer to the next
64-byte boundary. (FIPS 180-2:5.1.1) */
static const uint8_t fillbuf[64] = {
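Review bot: Now that `UNALIGNED_P` is a file-scope macro, its argument should be parenthesised: `# define UNALIGNED_P(p) (((size_t) (p)) % __alignof__(uint32_t) != 0)`, and likewise for the `sizeof` variant. As written, `((size_t) p)` binds the cast to the first token of the argument, so a call such as `UNALIGNED_P(buf + n)` would cast `buf` and then add `n`. Both uses visible in this diff pass a plain identifier, so this is a latent hazard rather than a current bug.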
@@ -94,10 +108,7 @@ void sha256_init_ctx(struct sha256_ctx *ctx) {
}
/* Process the remaining bytes in the internal buffer and the usual
- prolog according to the standard and write the result to RESBUF.
-
- IMPORTANT: On some systems it is required that RESBUF is correctly
- aligned for a 32 bits value. */
+ prolog according to the standard and write the result to RESBUF. */
void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) {
/* Take yet unprocessed bytes into account. */
uint32_t bytes = ctx->buflen;
@@ -122,7 +133,10 @@ void *sha256_finish_ctx(struct sha256_ctx *ctx, void *resbuf) {
/* Put result from CTX in first 32 bytes following RESBUF. */
for (size_t i = 0; i < 8; ++i)
- ((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
+ if (UNALIGNED_P(resbuf))
+ memcpy((uint8_t*) resbuf + i * sizeof(uint32_t), (uint32_t[]) { SWAP(ctx->H[i]) }, sizeof(uint32_t));
+ else
+ ((uint32_t *) resbuf)[i] = SWAP(ctx->H[i]);
return resbuf;
}
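Review bot: The else branch still stores through `(uint32_t *) resbuf`, and on the targets where `UNALIGNED_P` expands to `sd_false` (the `#else` arm of the macro added earlier in this file's diff) that cast store is used for every pointer, aligned or not. Making the copy unconditional is well-defined for any `resbuf`, is normally compiled to the same store, and removes the per-iteration alignment test: `memcpy((uint8_t*) resbuf + i * sizeof(uint32_t), (uint32_t[]) { SWAP(ctx->H[i]) }, sizeof(uint32_t));`. If the branch is kept, brace the `for` body so the if/else is visibly inside the loop.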
@@ -156,17 +170,6 @@ void sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx
/* Process available complete blocks. */
if (len >= 64) {
-
-/* The condition below is from glibc's string/string-inline.c.
- * See definition of _STRING_INLINE_unaligned. */
-#if !defined(__mc68020__) && !defined(__s390__) && !defined(__i386__)
-
-/* To check alignment gcc has an appropriate operator. Other compilers don't. */
-# if __GNUC__ >= 2
-# define UNALIGNED_P(p) (((size_t) p) % __alignof__(uint32_t) != 0)
-# else
-# define UNALIGNED_P(p) (((size_t) p) % sizeof(uint32_t) != 0)
-# endif
if (UNALIGNED_P(buffer))
while (len > 64) {
memcpy(ctx->buffer, buffer, 64);
@@ -174,9 +177,7 @@ void sha256_process_bytes(const void *buffer, size_t len, struct sha256_ctx *ctx
buffer = (const char *) buffer + 64;
len -= 64;
}
- else
-#endif
- {
+ else {
sha256_process_block(buffer, len & ~63, ctx);
buffer = (const char *) buffer + (len & ~63);
len &= 63;
diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c
index 589a2cc582..2c1b899808 100644
--- a/src/gpt-auto-generator/gpt-auto-generator.c
+++ b/src/gpt-auto-generator/gpt-auto-generator.c
@@ -474,7 +474,7 @@ static const char *esp_or_xbootldr_options(const DissectedPartition *p) {
* use kernel defaults. */
if (!p->fstype || streq(p->fstype, "vfat"))
- return "umask=0077";
+ return "umask=0022";
return NULL;
}
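Review bot: `umask=0022` makes every file on a vfat ESP or XBOOTLDR partition readable by all local users, because vfat carries no per-file permissions and the mount option is the only access control. Anything sensitive kept there (for example a boot loader random seed or credentials, if this system stores them on the ESP) becomes readable by unprivileged processes. If a specific consumer needs world-readable access, name it in the comment above the return. Otherwise the previous `return "umask=0077";` is the safer default.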
@@ -561,17 +561,16 @@ static int add_esp(DissectedPartition *p, bool has_xbootldr) {
if (is_efi_boot()) {
sd_id128_t loader_uuid;
- /* If this is an EFI boot, be extra careful, and only mount the ESP if it was the ESP used for booting. */
+ /* If this is an EFI boot and the bootloader has set LoaderDevicePartUUID, only mount the ESP
+ * if it was the ESP used for booting. */
r = efi_loader_get_device_part_uuid(&loader_uuid);
- if (r == -ENOENT) {
- log_debug("EFI loader partition unknown.");
- return 0;
- }
- if (r < 0)
+ if (r < 0 && r != -ENOENT)
return log_error_errno(r, "Failed to read ESP partition UUID: %m");
- if (!sd_id128_equal(p->uuid, loader_uuid)) {
+ if (r == -ENOENT)
+ log_debug("EFI loader partition unknown, assuming %s was the booted ESP.", p->node);
+ else if (!sd_id128_equal(p->uuid, loader_uuid)) {
log_debug("Partition for %s does not appear to be the partition we are booted from.", p->node);
return 0;
}
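Review bot: When `efi_loader_get_device_part_uuid()` returns -ENOENT the code now falls through and mounts the partition, so the check that this is the ESP we booted from is skipped whenever the boot loader did not set LoaderDevicePartUUID. In that path `loader_uuid` is never written, and only the ordering of the `if`/`else if` keeps it from being read. Initialising it with `sd_id128_t loader_uuid = SD_ID128_NULL;` makes that robust against later edits. The new comment should also state the fallback assumption, e.g. `/* … If the variable is unset we cannot verify this and assume the partition is the booted ESP. */`. add_esp starts and ends outside the hunk.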
diff --git a/src/journal-remote/microhttpd-util.c b/src/journal-remote/microhttpd-util.c
index 48e4b1414c..271e304273 100644
--- a/src/journal-remote/microhttpd-util.c
+++ b/src/journal-remote/microhttpd-util.c
@@ -298,7 +298,7 @@ int check_permissions(struct MHD_Connection *connection, int *code, char **hostn
}
#else
-int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
+_noreturn_ int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
assert_not_reached();
}
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index dc9433701d..5d373f4821 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -2293,7 +2293,7 @@ int server_init(Server *s, const char *namespace) {
.compress.threshold_bytes = UINT64_MAX,
.seal = true,
- .set_audit = true,
+ .set_audit = false,
.watchdog_usec = USEC_INFINITY,
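Review bot: `.set_audit = false` changes the compiled-in default so journald no longer asks the kernel to enable auditing, and the initialiser gives no reason for it. On hosts where no other tool turns auditing on, no audit records are generated, which reduces what is available for detection and investigation. A short comment next to the field recording the reason, e.g. `.set_audit = false, /* <reason for disabling by default> */`, would help, together with a check that every place documenting the `Audit=` default says `no`. server_init starts and ends outside the hunk.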
@@ -2303,6 +2303,7 @@ int server_init(Server *s, const char *namespace) {
.ratelimit_interval = DEFAULT_RATE_LIMIT_INTERVAL,
.ratelimit_burst = DEFAULT_RATE_LIMIT_BURST,
+ .forward_to_syslog = true,
.forward_to_wall = true,
.max_file_usec = DEFAULT_MAX_FILE_USEC,
diff --git a/src/journal/journald.conf b/src/journal/journald.conf
index 5a60a9d39c..269dc1b616 100644
--- a/src/journal/journald.conf
+++ b/src/journal/journald.conf
@@ -22,17 +22,17 @@
#SyncIntervalSec=5m
#RateLimitIntervalSec=30s
#RateLimitBurst=10000
-#SystemMaxUse=
+SystemMaxUse=50M
#SystemKeepFree=
-#SystemMaxFileSize=
+SystemMaxFileSize=1M
#SystemMaxFiles=100
-#RuntimeMaxUse=
+RuntimeMaxUse=4M
#RuntimeKeepFree=
#RuntimeMaxFileSize=
#RuntimeMaxFiles=100
#MaxRetentionSec=
#MaxFileSec=1month
-#ForwardToSyslog=no
+#ForwardToSyslog=yes
#ForwardToKMsg=no
#ForwardToConsole=no
#ForwardToWall=yes
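Review bot: `SystemMaxUse=50M` with `SystemMaxFileSize=1M` caps persistent logs at about fifty 1 MiB files, and `RuntimeMaxUse=4M` caps the volatile journal at 4 MiB. On a busy host the history available for incident investigation may therefore cover only a short window. These are active settings in the shipped file rather than commented defaults, so they apply until an administrator overrides them. A comment above the three lines naming the intended target and the trade-off would make that visible, e.g. `# Sized for <target>; raise these on systems that need longer log retention.`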
@@ -44,4 +44,4 @@
#MaxLevelWall=emerg
#LineMax=48K
#ReadKMsg=yes
-#Audit=yes
+#Audit=no
diff --git a/src/kernel-install/kernel-install.in b/src/kernel-install/kernel-install.in
index f43c6b8b42..3da233ef6e 100755
--- a/src/kernel-install/kernel-install.in
+++ b/src/kernel-install/kernel-install.in
@@ -80,7 +80,10 @@ fi
if [ "${0##*/}" = "installkernel" ]; then
COMMAND=add
- # make install doesn't pass any initrds
+ # kernel's install.sh invokes us as
+ # /sbin/installkernel