Merge pull request #17706 from ddstreet/test-move-pam-systemd-user

test/test-functions: copy /usr/lib/pam.d into $initdir

NEWS

@@ -86,6 +86,33 @@ CHANGES WITH 247 in spe:
           this is not caused by systemd/udev changes, but result of a kernel
           behaviour change.
 
+        * UPCOMING INCOMPATIBILITY: So far most downstream distribution
+          packages have not retriggered devices once the udev package (or any
+          auxiliary package installing additional udev rules) is updated. We
+          intend to work with major distributions to change this, so that
+          "udevadm trigger -a change" is issued on such upgrades, ensuring that
+          the updated ruleset is applied to the devices already discovered, so
+          that (asynchronously) after the upgrade completed the udev database
+          is consistent with the updated rule set. This means udev rules must
+          be ready to be retriggered with a "change" action any time, and
+          result in correct and complete udev database entries. While the
+          majority of udev rule files known to us currently get this right,
+          some don't. Specifically, there are udev rules files included in
+          various packages that only set udev properties on the "add" action,
+          but do not handle the "change" action. If a device matching those
+          rules is retriggered with the "change" action (as is intended here)
+          it would suddenly lose the relevant properties. This always has been
+          a problematic, but as soon as all udev devices are triggered on
+          relevant package upgrades this will become particularly so. It is
+          strongly recommended to fix offending rules so that they can handle a
+          "change" action at any time, and acquire all necessary udev
+          properties even then. Or in other words: the header guard mentioned
+          above (ACTION=="remove",GOTO="xyz_end") is the correct approach to
+          handle this, as it makes sure rules are rerun on "change" correctly,
+          and acccumulate the correct and complete set of udev properties. udev
+          rule definitions that cannot handle "change" events being triggered
+          at arbitrary times should be considered buggy.
+
         * The MountAPIVFS= service file setting now defaults to on if
           RootImage= and RootDirectory= are used, which means that with those
           two settings /proc/, /sys/ and /dev/ are automatically properly set
@@ -619,6 +646,11 @@ CHANGES WITH 247 in spe:
           placed in app.slice. The plan is to add resource limits and
           protections for the different slices in the future.
 
+        * New GPT partition types for RISCV32/64 for the root and /usr
+          partitions, and their associated Verity partitions have been defined,
+          and are now understood by systemd-gpt-auto-generator, and the OS
+          image dissection logic.
+
         Contributions from: Adolfo Jayme Barrientos, afg, Alec Moskvin, Alyssa
         Ross, Amitanand Chikorde, Andrew Hangsleben, Anita Zhang, Ansgar
         Burchardt, Arian van Putten, Aurelien Jarno, Axel Rasmussen, bauen1,

man/systemd.link.xml

@@ -273,18 +273,21 @@
             <varlistentry>
               <term><option>none</option></term>
               <listitem>
-                <para>Keeps the MAC address assigned by the kernel.</para>
+                <para>Keeps the MAC address assigned by the kernel. Or use the MAC address specified in
+                <varname>MACAddress=</varname>.</para>
               </listitem>
             </varlistentry>
           </variablelist>
+
+          <para>An empty string assignment is equivalent to setting <literal>none</literal>.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
         <term><varname>MACAddress=</varname></term>
         <listitem>
-          <para>The MAC address to use, if no
+          <para>The interface MAC address to use. For this setting to take effect,
-          <varname>MACAddressPolicy=</varname>
+          <varname>MACAddressPolicy=</varname> must either be unset, empty, or <literal>none</literal>.
-          is specified.</para>
+          </para>
         </listitem>
       </varlistentry>
       <varlistentry>

src/home/pam_systemd_home.c

@@ -625,6 +625,15 @@ static int acquire_home(
                 do_auth = true;
         }
 
+        /* Later PAM modules may need the auth token, but only during pam_authenticate. */
+        if (please_authenticate && !strv_isempty(secret->password)) {
+                r = pam_set_item(handle, PAM_AUTHTOK, *secret->password);
+                if (r < 0) {
+                        pam_syslog(handle, LOG_ERR, "Failed to set PAM auth token: %s", pam_strerror(handle, r));
+                        return r;
+                }
+        }
+
         r = pam_set_data(handle, fd_field, FD_TO_PTR(acquired_fd), cleanup_home_fd);
         if (r < 0) {
                 pam_syslog(handle, LOG_ERR, "Failed to set PAM bus data: %s", pam_strerror(handle, r));

src/udev/net/link-config.c

@@ -181,6 +181,13 @@ int link_load_one(link_config_ctx *ctx, const char *filename) {
                 return 0;
         }
 
+        if (IN_SET(link->mac_address_policy, MAC_ADDRESS_POLICY_PERSISTENT, MAC_ADDRESS_POLICY_RANDOM) && link->mac) {
+                log_warning("%s: MACAddress= in [Link] section will be ignored when MACAddressPolicy= "
+                            "is set to \"persistent\" or \"random\".",
+                            filename);
+                link->mac = mfree(link->mac);
+        }
+
         log_debug("Parsed configuration file %s", filename);
 
         LIST_PREPEND(links, ctx->links, TAKE_PTR(link));
@@ -668,7 +675,11 @@ static const char* const mac_address_policy_table[_MAC_ADDRESS_POLICY_MAX] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP(mac_address_policy, MACAddressPolicy);
-DEFINE_CONFIG_PARSE_ENUM(config_parse_mac_address_policy, mac_address_policy, MACAddressPolicy,
+DEFINE_CONFIG_PARSE_ENUM_WITH_DEFAULT(
+        config_parse_mac_address_policy,
+        mac_address_policy,
+        MACAddressPolicy,
+        MAC_ADDRESS_POLICY_NONE,
         "Failed to parse MAC address policy");
 
 static const char* const name_policy_table[_NAMEPOLICY_MAX] = {

test/test-functions

@@ -1058,7 +1058,9 @@ install_pam() {
     else
         find /lib*/security -xtype f
     fi
-    find /etc/pam.d /etc/security -xtype f
+    for d in /etc/pam.d /etc/security /usr/lib/pam.d; do
+        [ -d "$d" ] && find $d -xtype f
+    done
     ) | while read file; do
         inst $file
     done
@@ -1067,9 +1069,6 @@ install_pam() {
     # see http://www.linux-pam.org/Linux-PAM-html/sag-pam_unix.html
     dracut_install -o unix_chkpwd
 
-    [[ "$LOOKS_LIKE_DEBIAN" ]] &&
-        cp /etc/pam.d/systemd-user $initdir/etc/pam.d/
-
     # set empty root password for easy debugging
     sed -i 's/^root:x:/root::/' $initdir/etc/passwd
 }