Package: systemd / 232-25+deb9u12
Metadata
| Package | Version | Patches format |
|---|---|---|
| systemd | 232-25+deb9u12 | 3.0 (quilt) |
Patch series
| Patch | File delta | Description |
|---|---|---|
| tree wide drop NULL sentinel from strjoin.patch | (download) |
coccinelle/strjoin.cocci |
16 16 + 0 - 0 ! |
tree-wide: drop null sentinel from strjoin This makes strjoin and strjoina more similar and avoids the useless final argument. spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c) git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/' This might have missed a few cases (spatch has a really hard time dealing with _cleanup_ macros), but that's no big issue, they can always be fixed later. (cherry picked from commit 605405c6cc934466951b0c6bad5a9553620bcb08) |
| build sys link test seccomp against seccomp libs 4560.patch | (download) |
Makefile.am |
3 2 + 1 - 0 ! |
build-sys: link test-seccomp against seccomp libs (#4560) Fixes build error on recent toolchains: ../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native' collect2: error: ld returned 1 exit status |
| delta skip symlink paths when split usr is enabled 4591.patch | (download) |
src/delta/delta.c |
31 31 + 0 - 0 ! |
delta: skip symlink paths when split-usr is enabled (#4591) If systemd is built with --enable-split-usr, but the system is indeed a merged-usr system, then systemd-delta gets all confused and reports that all units and configuration files have been overridden. Skip any prefix paths that are symlinks in this case. Fixes: #4573 |
| nspawn fix exit code for help and version 4609.patch | (download) |
src/nspawn/nspawn.c |
2 1 + 1 - 0 ! |
nspawn: fix exit code for --help and --version (#4609) Commit b006762 inverted the initial exit code which is relevant for --help and --version without a particular reason. For these special options, parse_argv() returns 0 so that our main() immediately skips to the end without adjusting "ret". Otherwise, if an actual container is being started, ret is set on error in run(), which still provides the "non-zero exit on error" behaviour. Fixes #4605. |
| core don t use the unified hierarchy for the systemd cgro.patch | (download) |
src/basic/cgroup-util.c |
4 2 + 2 - 0 ! |
core: don't use the unified hierarchy for the systemd cgroup yet (#4628) Too many things don't get along with the unified hierarchy yet: * https://github.com/opencontainers/runc/issues/1175 * https://github.com/docker/docker/issues/28109 * https://github.com/lxc/lxc/issues/1280 So revert the default to the legacy hierarchy for now. Developers of the above software can opt into the unified hierarchy with "systemd.legacy_systemd_cgroup_controller=0". |
| fstab generator add x systemd.mount timeout 4603.patch | (download) |
man/systemd.mount.xml |
19 19 + 0 - 0 ! |
fstab-generator: add x-systemd.mount-timeout (#4603) This adds a new systemd fstab option x-systemd.mount-timeout. The option adds a timeout value that specifies how long systemd waits for the mount command to finish. It allows to mount huge btrfs volumes without issues. This is equivalent to adding option TimeoutSec= to [Mount] section in a mount unit file. fixes #4055 |
| build sys do not install ctrl alt del.target symlink twic.patch | (download) |
Makefile.am |
1 0 + 1 - 0 ! |
build-sys: do not install ctrl-alt-del.target symlink twice It was a harmless but pointless duplication. Fixes #4655. Note: in general we try to install as little as possible in /etc/systemd/{system,user}. We only install .wants links there for units which are "user configurable", i.e. which have an [Install] section. Most our units and aliases are not user configurable, do not have an [Install] section, and must be symlinked statically during installation. A few units do have an [Install] section, and are enabled through symlinks in /etc/ during installation using GENERAL_ALIASES. It *would* be possible to not create those symlinks, and instead require 'systemctl preset' to be invoked after installation, but GENERAL_ALIASES works well enough. |
| networkd allow networkd to start in early boot.patch | (download) |
units/systemd-networkd.service.m4.in |
5 2 + 3 - 0 ! |
networkd: allow networkd to start in early boot With the previous improvements, networkd.service's "After=dbus.service" can now be dropped. That ordering effectively forced networkd.service to run in late boot only (dbus.service was rejected to run in early boot in https://bugs.freedesktop.org/show_bug.cgi?id=98254). Fixes #4504 |
| parse_hwdb fix to work with pyparsing 2.1.10.patch | (download) |
hwdb/parse_hwdb.py |
2 1 + 1 - 0 ! |
parse_hwdb: fix to work with pyparsing 2.1.10 pyparsing 2.1.10 fixed the handling of LineStart to really just apply to line starts and not ignore whitespace and comments any more. Adjust EMPTYLINE to this. Many thanks to Paul McGuire for pointing this out! |
| hwdb parse_hwdb.py open files with UTF 8 mode.patch | (download) |
hwdb/parse_hwdb.py |
3 2 + 1 - 0 ! |
hwdb/parse_hwdb.py: open files with utf-8 mode pyparsing uses the system locale by default, which in the case of 'C' (in lots of build environment) will fail with a UnicodeDecodeError. Explicitly open it with UTF-8 encoding to guard against this. |
| networkd link_enter_configured remove assert 4800.patch | (download) |
src/network/networkd-link.c |
8 4 + 4 - 0 ! |
networkd: link_enter_configured remove assert (#4800) When we are in link_enter_configured we assume that the link->state should be LINK_STATE_SETTING_ROUTES but in some situations it's LINK_STATE_SETTING_ADDRESSES. Just ignore the wrong state. Also, since the return value is not used anywhere, make link_enter_configured return type void. Fixes: #4746 |
| doc clarify NoNewPrivileges 4562.patch | (download) |
man/systemd.exec.xml |
8 4 + 4 - 0 ! |
doc: clarify nonewprivileges (#4562) Setting no_new_privs does not stop UID changes, but rather blocks gaining privileges through execve(). Also fixes a small typo. |
| core rework logic to determine when we decide to add auto.patch | (download) |
src/basic/path-util.h |
12 12 + 0 - 0 ! |
core: rework logic to determine when we decide to add automatic deps for mounts This adds a concept of "extrinsic" mounts. If mounts are extrinsic we consider them managed by something else and do not add automatic ordering against umount.target, local-fs.target, remote-fs.target. Extrinsic mounts are considered: - All mounts if we are running in --user mode - API mounts such as everything below /proc, /sys, /dev, which exist from earliest boot to latest shutdown. - All mounts marked as initrd mounts, if we run on the host - The initrd's private directory /run/initramfs that should survive until last reboot. |
| rules add persistent links for nbd devices 4785.patch | (download) |
rules/60-persistent-storage.rules |
2 1 + 1 - 0 ! |
rules: add persistent links for nbd devices (#4785) https://bugs.debian.org/837999 |
| core move specifier expansion out of service.c socket.c.patch | (download) |
src/core/load-fragment.c |
64 37 + 27 - 0 ! |
core: move specifier expansion out of service.c/socket.c This monopolizes unit file specifier expansion in load-fragment.c, and removes it from socket.c + service.c. This way expansion becomes an operation done exclusively at time of loading unit files. Previously specifiers were resolved for all settings during loading of unit files with the exception of ExecStart= and friends which were resolved in socket.c and service.c. With this change the latter is also moved to the loading of unit files. Fixes: #3061 (cherry picked from commit 5125e76243c56662d9d0d91385a01ae8cb271e71) |
| man drop reference to U being useless.patch | (download) |
man/systemd.unit.xml |
7 0 + 7 - 0 ! |
man: drop reference to %u being useless This paragraph was a missed left-over from 79413b673b45adc98dfeaec882bbdda2343cb2f9. Drop it now. (cherry picked from commit 13e40f5a4cd2cbecd3d35e0d6b277749b1d21272) |
| core resolve more specifiers in unit_name_printf.patch | (download) |
src/core/unit-printf.c |
47 29 + 18 - 0 ! |
core: resolve more specifiers in unit_name_printf() unit_name_printf() is usually what we use when the resulting string shall qualify as unit name, and it hence avoids resolving specifiers that almost certainly won't result in valid unit names. Add a couple of more specifiers that unit_full_printf() resolves also to the list unit_name_printf() resolves, as they are likely to be useful in valid unit names too. (Note that there might be cases where this doesn't hold, but we should still permit this, as more often than not they are safe, and if people want to use them that way, they should be able to.) (cherry picked from commit b1801e6433c30cb0ab7d7c823c98c637edfe0720) |
| core use unit_full_printf at a couple of locations we use.patch | (download) |
src/core/load-fragment.c |
10 5 + 5 - 0 ! |
core: use unit_full_printf() at a couple of locations we used unit_name_printf() before For settings that are not taking unit names there's no reason to use unit_name_printf(). Use unit_full_printf() instead, as the names are validated anyway in one form or another after expansion. (cherry picked from commit 18913df9a2aa5ee53a1dfb6f3cf8cdddcc7f11a3) |
| core add specifier expansion to RequiresMountsFor.patch | (download) |
src/core/load-fragment.c |
12 9 + 3 - 0 ! |
core: add specifier expansion to requiresmountsfor= This might be useful for some people, for example to pull in mounts for paths including the machine ID or hostname. (cherry picked from commit 744bb5b1bea4d04363f7894e86701efdd75b8acb) |
| core add specifier expansion to ReadOnlyPaths and friends.patch | (download) |
src/core/load-fragment.c |
34 20 + 14 - 0 ! |
core: add specifier expansion to readonlypaths= and friends Expanding specifiers here definitely makes sense. Also simplifies the loop a bit, as there's no reason to keep "prev" around... (cherry picked from commit 7b07e99320586fa3baf3e6cbb374f06c6ddc47d8) |
| core deprecate c r R specifiers.patch | (download) |
man/systemd.unit.xml |
15 0 + 15 - 0 ! |
core: deprecate %c, %r, %r specifiers %c and %r rely on settings made in the unit files themselves and hence resolve |
| core add a note clarifying that we should be careful when.patch | (download) |
src/core/unit-printf.c |
4 4 + 0 - 0 ! |
core: add a note clarifying that we should be careful when adding new specifiers (cherry picked from commit 03fc9c723cfc59467a7fccc305f34273f8564b25) |
| core add new RestrictNamespaces unit file setting.patch | (download) |
Makefile.am |
4 3 + 1 - 0 ! |
core: add new restrictnamespaces= unit file setting This new setting permits restricting whether namespaces may be created and managed by processes started by a unit. It installs a seccomp filter blocking certain invocations of unshare(), clone() and setns(). RestrictNamespaces=no is the default, and does not restrict namespaces in any way. RestrictNamespaces=yes takes away the ability to create or manage any kind of namespace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces so that only mount and IPC namespaces may be created/managed, but no other kind of namespaces. This setting should improve security quite a bit as in particular user namespacing was a major source of CVEs in the kernel in the past, and is accessible to unprivileged processes. With this setting the entire attack surface may be removed for system services that do not make use of namespaces. |
| seccomp rework seccomp code to improve compat with some a.patch | (download) |
src/core/execute.c |
466 123 + 343 - 0 ! |
seccomp: rework seccomp code, to improve compat with some archs This substantially reworks the seccomp code, to ensure better compatibility with some architectures, including i386. So far we relied on libseccomp's internal handling of the multiple syscall ABIs supported on Linux. This is problematic however, as it does not define clear semantics if an ABI is not able to support specific seccomp rules we install. This rework hence changes a couple of things: - We no longer use seccomp_rule_add(), but only seccomp_rule_add_exact(), and fail the installation of a filter if the architecture doesn't support it. - We no longer rely on adding multiple syscall architectures to a single filter, but instead install a separate filter for each syscall architecture supported. This way, we can install a strict filter for x86-64, while permitting a less strict filter for i386. - All high-level filter additions are now moved from execute.c to seccomp-util.c, so that we can test them independently of the service execution logic. - Tests have been added for all types of our seccomp filters. - SystemCallFilters= and SystemCallArchitectures= are now implemented in independent filters and installation logic, as they semantically are very much independent of each other. Fixes: #4575 |
| nfsflags drop useless include file seccomp util.h.patch | (download) |
src/shared/nsflags.c |
1 0 + 1 - 0 ! |
nfsflags: drop useless include file 'seccomp-util.h' This also fixes the build when seccomp is disabled. (cherry picked from commit 51b9bb4f8e88d420ae557c3ecf1922dd9ac95fcc) |
| gpt auto generator support LUKS encrypted root partitions.patch | (download) |
rules/60-persistent-storage.rules |
3 0 + 3 - 0 ! |
gpt-auto-generator: support luks encrypted root partitions Previously, we supported GPT auto-discovery for /home and /srv, but not for the root partition. Add that, too. Fixes: #859 (cherry picked from commit 01af8c019a33eb3882f17e3b65e30c4a924fed2a) |
| device Avoid calling unit_free NULL in device setup logic.patch | (download) |
src/core/device.c |
2 1 + 1 - 0 ! |
device: avoid calling unit_free(null) in device setup logic (#4748) Since a581e45ae8f9bb5c, there's a few function calls to unit_new_for_name which will unit_free on failure. Prior to this commit, a failure would result in calling unit_free with a NULL unit, and hit an assertion failure, seen at least via device_setup_unit: Assertion 'u' failed at src/core/unit.c:519, function unit_free(). Aborting. Fixes #4747 https://bugs.archlinux.org/task/51950 (cherry picked from commit d112eae7da77899be245ab52aa1747d4675549f1) |
| core make unit_free accept NULL pointers.patch | (download) |
src/core/device.c |
2 1 + 1 - 0 ! |
core: make unit_free() accept null pointers We generally try to make our destructors robust regarding NULL pointers, much in the same way as glibc's free(). Do this also for unit_free(). Follow-up for #4748. (cherry picked from commit c9d5c9c0e19eea79ca0f09fe58e5c0b76b8001e2) |
| journal make sure to initially populate the space info ca.patch | (download) |
src/journal/journald-server.c |
2 1 + 1 - 0 ! |
journal: make sure to initially populate the space info cache (#4807) Make sure to populate the cache in cache_space_refresh() at least once otherwise it's possible that the system boots fast enough (and the journal flush service is finished) before the invalidate cache timeout (30 us) has expired. Fixes: #4790 (cherry picked from commit 3099caf2b5bb9498b1d0227c40926435ca81f26f) |
| journald don t flush to var log journal before we get ask.patch | (download) |
src/journal/journald-server.c |
21 11 + 10 - 0 ! |
journald: don't flush to /var/log/journal before we get asked to This changes journald to not write to /var/log/journal until it received SIGUSR1 for the first time, thus having been requested to flush the runtime journal to disk. This makes the journal work nicer with systems which have the root file system writable early, but still need to rearrange /var before journald should start writing and creating files to it, for example because ACLs need to be applied first, or because /var is to be mounted from another file system, NFS or tmpfs (as is the case for systemd.volatile=state). Before this change we required setups with /var split out to mount the root disk read-only early on, and ship an /etc/fstab that remounted it writable only after having placed /var at the right place. But even that was racy for various preparations as journald might end up accessing the file system before it was entirely set up, as soon as it was writable. With this change we make scheduling when to start writing to /var/log/journal explicit. This means persistent mode now requires systemd-journal-flush.service in the mix to work, as otherwise journald would never write to the directory. See: #1397 (cherry picked from commit f78273c8dacf678cc8fd7387f678e6344a99405c) |
| seccomp don t ever try to add an ABI before removing the .patch | (download) |
src/shared/seccomp-util.c |
4 2 + 2 - 0 ! |
seccomp: don't ever try to add an abi before removing the default native ABI (#5230) https://github.com/systemd/systemd/issues/5215#issuecomment-277156262 libseccomp does not allow you to add architectures to a filter that doesn't match the byte ordering of the architectures already added to the filter (it would be a mess, not to mention largely pointless) and since systemd attempts to add an ABI before removing the default native ABI, you will always fail on Power (either due to ppc or ppc64le). The fix is to remove the native ABI before adding a new ABI so you don't run into problems with byte ordering. You would likely see the same failure on a MIPS system. Thanks @pcmoore! (cherry-picked from commit 1b52793d5d597e62c8e35009baca165f1408687e) |
| seccomp RestrictAddressFamilies is not supported on i386 .patch | (download) |
src/shared/seccomp-util.c |
3 3 + 0 - 0 ! |
seccomp: restrictaddressfamilies= is not supported on i386/s390/s390x, make it a NOP See: #5215 (cherry-picked from commit ad8f1479b46c72d103b7f4f7b8ff4f59f7455285) |
| man Document that RestrictAddressFamilies doesn t work on.patch | (download) |
man/systemd.exec.xml |
55 22 + 33 - 0 ! |
man: document that restrictaddressfamilies= doesn't work on s390/s390x/... We already say that it doesn't work on i386, but there are more archs like that apparently. (cherry-picked from commit 142bd808a1a1a4a7dc4e75b7a9d1bda6c1530dfd) |
| seccomp MemoryDenyWriteExecute should affect both mmap an.patch | (download) |
man/systemd.exec.xml |
27 14 + 13 - 0 ! |
seccomp: memorydenywriteexecute= should affect both mmap() and mmap2() (#5254) On i386 we block the old mmap() call entirely, since we cannot properly filter it. Thankfully it hasn't been used by glibc since quite some time. Fixes: #5240 (cherry-picked from commit 8a50cf6957f12dbb1f90411659da9b959a1983ff) |
| seccomp on s390 the clone parameters are reversed.patch | (download) |
man/systemd.exec.xml |
5 4 + 1 - 0 ! |
seccomp: on s390 the clone() parameters are reversed Add a bit of code that tries to get the right parameter order in place for some of the better known architectures, and skips restrict_namespaces for other archs. This also bypasses the test on archs where we don't know the right order. In this case I didn't bother with testing the case where no filter is applied, since that is hopefully just an issue for now, as there's nothing stopping us from supporting more archs, we just need to know which order is right. Fixes: #5241 (cherry picked from commit ae9d60ce4eb116eefb7c4102074ae1cc13fd3216) |
| seccomp disable RestrictAddressFamilies for the ABI we sh.patch | (download) |
src/shared/seccomp-util.c |
30 27 + 3 - 0 ! |
seccomp: disable restrictaddressfamilies= for the abi we shall block, not the one we are compiled for (#5272) |
| seccomp order seccomp ABI list so that our native ABI com.patch | (download) |
src/shared/seccomp-util.c |
67 54 + 13 - 0 ! |
seccomp: order seccomp abi list, so that our native ABI comes last (#5306) this way, we can still call seccomp ourselves, even if seccomp() is blocked by the filter we are installing. Fixes: #5300 |
| libudev util change util_replace_whitespace to return num.patch | (download) |
src/libudev/libudev-util.c |
2 1 + 1 - 0 ! |
libudev-util: change util_replace_whitespace to return number of chars in dest Instead of returning 0, which is unhelpful, return the number of chars copied into the dest string. This allows callers that care about that to easily use it, instead of having to calculate the strlen. No current users of the function check the return value, so this does not break any existing code; it is used in the following patch. |
| udev event add replace_whitespace param to udev_event_app.patch | (download) |
src/udev/udev-event.c |
39 35 + 4 - 0 ! |
udev-event: add replace_whitespace param to udev_event_apply_format If replace_whitespace is true, each substitution value has all its whitespace removed/replaced by util_replace_whitespace (except the SUBST_RESULT substitution - $result{} or %c{} - which handles spaces itself as field separators). All existing callers are updated to pass false, so no functional change is made by this patch. This is needed so the SYMLINK assignment can replace any spaces introduced through variable substitution, because the SYMLINK value is a space-separated list of symlinks to create. Any variables that contain spaces will thus unexpectedly change the symlink value from a single symlink to multiple incorrectly-named symlinks. This is used in the next patch, which enables the whitespace replacement for SYMLINK variable substitution. |
| udev rules perform whitespace replacement for symlink sub.patch | (download) |
src/udev/udev-rules.c |
2 1 + 1 - 0 ! |
udev-rules: perform whitespace replacement for symlink subst values If the string_escape option is either unset or 'replace' (i.e. if it is not 'none'), then enable whitespace replacement in SYMLINK variable substitution values, as added in the last patch. This will keep any whitespace that is directly contained in a SYMLINK value, but will replace any whitespace that is added to the SYMLINK value as a result of variable substitution (except $result/%c). This fixes bug 4833. |
| core use a memfd for serialization.patch | (download) |
src/core/manager.c |
16 10 + 6 - 0 ! |
core: use a memfd for serialization If we can, use a memfd for serializing state during a daemon reload or reexec. Fall back to a file in /run/systemd or /tmp only if memfds are not available. See: #5016 (cherry picked from commit d53333d4b106423d4c281ad15aefe00e17a57893) |
| manager refuse reloading reexecing when run is overly ful.patch | (download) |
src/core/dbus-manager.c |
63 63 + 0 - 0 ! |
manager: refuse reloading/reexecing when /run is overly full Let's add an extra safety check: before entering a reload/reexec, let's verify that there's enough room in /run for it. Fixes: #5016 (cherry picked from commit ae57dad3f92d116c66c4ca0223b7e07b44041436) |
| dbus permit seeing process list of units whose unit files.patch | (download) |
src/core/dbus-manager.c |
10 3 + 7 - 0 ! |
dbus: permit seeing process list of units whose unit files are missing Previously, we'd refuse the GetUnitProcesses() bus call if the unit file couldn't be loaded. Which is wrong, as admins should be able to inspect services whose unit files were deleted. Change this logic, so that we permit introspecting the processes of any unit that is loaded, regardless if it has a unit file or not. (Note that we won't load unit files in GetUnitProcess(), but only operate on already loaded ones. That's because only loaded units can have processes as that's how our GC logic works and hence loading the unit just for the process tree is pointless, as it would be empty). See: #4995 |
| install never hit assert when we can t figure out where t.patch | (download) |
src/shared/install.c |
17 17 + 0 - 0 ! |
install: never hit assert() when we can't figure out where to write configuration symlinks Under specific circumstances it might happen that we can't figure out where to place our symlinks, for example because we are supposed to create them in the runtime directory but $XDG_RUNTIME_DIR is not set. In this case, return -ENXIO instead of hitting an assert(). (Yeah, the error isn't very descriptive, but for now this should at least be good enough to remove the assert() being hit.) |
| path lookup try harder acquiring them HOME of a user.patch | (download) |
src/shared/path-lookup.c |
20 11 + 9 - 0 ! |
path-lookup: try harder acquiring them $home of a user Let's use get_home_dir() for figuring out the home directory, so that there's a good chance we succeed figuring out unit locations even if $HOME isn't set. Fixes: #5260 |
| path lookup if HOME can be determined but XDG_RUNTIME_DIR.patch | (download) |
src/shared/path-lookup.c |
32 24 + 8 - 0 ! |
path-lookup: if $home can be determined but $xdg_runtime_dir can't, is it So far, if either $HOME or $XDG_RUNTIME_DIR is not set we wouldn't use either, and fail acquire_config_dirs() and acquire_control_dirs() in their entireties. With this change, let's make use of the variables we can acquire, and don't bother with the other. Specifically this means: in both acquire_config_dirs() and acquire_control_dirs() handle ENXIO from user_config_dir() and user_runtime_dir() directly, instead of propagating it up and handling it in the caller. |
| resolved follow CNAMES for DNS stub replies.patch | (download) |
src/resolve/resolved-dns-query.c |
1 1 + 0 - 0 ! |
resolved: follow cnames for dns stub replies Clients expect us to follow CNAMEs for them, hence do so. On the first iteration start putting together a packet, and then keep adding data we acquire through CNAMEs to it, until we finally send it off. Fixes: #3826 |
| logind Don t try to emit a change signal for the Sessions.patch | (download) |
src/login/logind-seat.c |
2 0 + 2 - 0 ! |
logind: don't try to emit a change signal for the 'sessions' property (#5211) The 'Sessions' property for both org.freedesktop.login1.User and org.freedesktop.login1.Seat is marked as EmitsChangedSignal(false). Trying to emit a change signal that includes the 'Sessions' property leads to the signal not being sent at all. Fixes #5210. |
| resolved fix NSEC proofs for missing TLDs.patch | (download) |
src/resolve/resolved-dns-dnssec.c |
8 6 + 2 - 0 ! |
resolved: fix nsec proofs for missing tlds For the wildcard NSEC check we need to generate an "asterisk" domain, by prepending the common ancestor with "*.". So far we did that with a simple strappenda() which is fine for most domains, but doesn't work if the common ancestor is the root domain as we usually write that as "." in normalized form, and "*." joined with "." is "*.." and not "*." as it should be. Hence, use the clean way out, let's just use dns_name_concat() which only exists precisely for this reason, to properly concatenate labels. There's a good chance this actually fixes #5029, as this NSEC proof is triggered by lookups in the TLD "example", which doesn't exist in the Internet. |
| automount if an automount unit is masked don t react to a.patch | (download) |
src/core/automount.c |
78 50 + 28 - 0 ! |
automount: if an automount unit is masked, don't react to activation anymore (#5445) Otherwise we'll hit an assert sooner or later. This requires us to initialize ->where even if we come back in "masked" mode, as otherwise we don't know how to operate on the automount and detach it. Fixes: #5441 (cherry picked from commit e350ca3f1ecb6672b74cd25d09ef23c7b309aa5a) |
| resolved add the new KSK to the built in resolved trust a.patch | (download) |
src/resolve/resolved-dns-trust-anchor.c |
72 51 + 21 - 0 ! |
resolved: add the new ksk to the built-in resolved trust anchor (#5486) Fixes: #5482 |
| zsh completion _journalctl fixes 5165.patch | (download) |
shell-completion/zsh/_journalctl |
4 2 + 2 - 0 ! |
zsh-completion: _journalctl fixes (#5165) allow _journalctl to work when the rcquotes option is set, broken in ba89f80620d619867b4838973785d529c5a959f6. allow the completion of --file multiple times, which ba89f80620d619867b4838973785d529c5a959f6 claims is true. Fixes #4842 |
| udev Use parent bus id for virtio disk builtin path id 55.patch | (download) |
rules/60-persistent-storage.rules |
4 4 + 0 - 0 ! |
udev: use parent bus id for virtio disk builtin path-id (#5500) The builtin path id for virtio block devices has been changed to use the bus id without a prefix "virtio-pci" to be compatible with all virtio transport types. In order to not break existing setups, the by-path symlinks for virtio block devices on the PCI bus are reintroduced by udev rules. The virtio-pci symlinks are considered to be deprecated and should be replaced by the native PCI symlinks. Example output for a virtio disk in PCI slot 7: $ ls /dev/disk/by-path pci-0000:00:07.0 pci-0000:00:07.0-part1 virtio-pci-0000:00:07.0 virtio-pci-0000:00:07.0-part1 See also [1] https://lists.freedesktop.org/archives/systemd-devel/2017-February/038326.html [2] https://lists.freedesktop.org/archives/systemd-devel/2017-March/038397.html This reverts f073b1b but keeps the same symlinks for compatibility. |
| udev fix id_net_name_path for virtio ccw interfaces 5357.patch | (download) |
src/udev/udev-builtin-net_id.c |
58 39 + 19 - 0 ! |
udev: fix id_net_name_path for virtio-ccw interfaces (#5357) The CCW id_net_name_path detection didn't account for virtio interfaces on the CCW bus. As a result the default interface names for virtio-ccw interfaces would use the old eth<x> format instead of enc<busid>. Since virtio-pci interface naming follows the naming rules of the parent bus, the names_ccw() logic was changed to apply the CCW interface naming rules to virtio interfaces as well, e.g. enc2000 for an interface with a CCW bus id 0.0.2000. As virtio interfaces are apt to get the otherwise unusual CCW bus id 0.0.0000, the last '0' is now preserved in this case. The virtio subsystem skipping loop has been moved from names_pci() into a function skip_virtio() that can be reused for all bus types with virtio network devices. Since virtio-ccw interfaces use single CCW addresses the ccwgroup requirement was relaxed and the C definitions were changed accordingly. |
| Avoid strict DM interface version dependencies 5519.patch | (download) |
Makefile.am |
1 1 + 0 - 0 ! |
avoid strict dm interface version dependencies (#5519) Compiling against the dm-ioctl.h header as provided by the Linux kernel will embed the DM interface version number. Running an older kernel can result in an error like this on shutdown: Could not detach DM dm-11: ioctl mismatch, kernel(4.34.4), user(4.35.4) Work around this by shipping a local copy of dm-ioctl.h. We need at least the version from 3.13 for DM_DEFERRED_REMOVE [1], so bump the requirements in README accordingly. [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2c140a246dc0bc085b98eddde978060fcec1080c Fixes: #5492 (cherry picked from commit dcce98a4bdc302a5efeb3a5c35b6cbf6d16a3efc) |
| networkd fix size of MTUBytes so that it does not overwri.patch | (download) |
src/network/networkd-network.h |
2 1 + 1 - 0 ! |
networkd: fix size of mtubytes so that it does not overwrites arp (#4707) config_parse_iec_size overwrites the next variable that is ARP. Now the mtu is unsigned. Make it size_t. Fixes #4644 (cherry picked from commit b8b40317d0355bc70bb23a6240a36f3630c4952b) |
| resolved downgrade processing query. message to debug 523.patch | (download) |
src/resolve/resolved-dns-stub.c |
2 1 + 1 - 0 ! |
resolved: downgrade "processing query..." message to debug (#5233) It doesn't really add much value in normal operation and just spams the log. (cherry picked from commit 52e634271fe96ec23a22705ffb87df59a09d1618) |
| units do not throw a warning in emergency mode if plymout.patch | (download) |
units/emergency.service.in |
2 1 + 1 - 0 ! |
units: do not throw a warning in emergency mode if plymouth is not installed (#5528) Ideally, plymouth should only be referenced via dependencies, not ExecStartPre's. This at least avoids the confusing error message on minimal installations that do not carry plymouth. (cherry picked from commit 7e3ba389191dbc241e05f4d134460bbb832ed60c) |
| units apply plymouth warning fix to in rescue mode as wel.patch | (download) |
units/rescue.service.in |
2 1 + 1 - 0 ! |
units: apply plymouth warning fix to in rescue mode as well (#5615) Follow up for #5528. (cherry picked from commit 03bf096ba283bfcba0725375f152a823e998cdbc) |
| rules allow SPARC vdisk devices when identifying CD drive.patch | (download) |
rules/60-cdrom_id.rules |
2 1 + 1 - 0 ! |
rules: allow sparc vdisk devices when identifying cd drives (#5599) (cherry picked from commit 7c1ebe99b68ef232bc50e99f2350ebf5f4e846e7) |
